emotet | 7271b9b7dbcd1b2b17f7662d65b2fec44cfb378ef43fd8a03fccd7fb463fbe87

General

Target

64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Size

228KB
MD5

64d9acbff6273f7442edac49f9eec054
SHA1

7694e133c4f47a597544a8419c4ce88218841d72
SHA256

7271b9b7dbcd1b2b17f7662d65b2fec44cfb378ef43fd8a03fccd7fb463fbe87
SHA512

55797d8012613e282f6630d931d47572c24680fc70144e98d662f14a5a772eb73b46acb5badd567b8cb1866b8f6101575fd8a3d9301bb495897319091fd3c2c6
SSDEEP

6144:kyj2MoeAfMzd+PUnXmCcWGJPV0z+bbDH0COUj8:1joeAfMVQP5bbbY

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

45.33.54.74:443

209.141.41.136:8080

104.236.246.93:8080

198.199.114.69:8080

152.89.236.214:8080

87.106.136.232:8080

178.210.51.222:8080

115.78.95.230:443

201.251.43.69:8080

200.51.94.251:80

31.172.240.91:8080

182.176.132.213:8090

45.33.49.124:443

181.143.53.227:21

186.4.172.5:443

85.104.59.244:20

5.196.74.210:8080

37.157.194.134:443

190.226.44.20:21

86.98.25.30:53

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

dasmrcmobsync.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	dasmrcmobsync.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

dasmrcmobsync.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	dasmrcmobsync.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dasmrcmobsync.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadDecision = "0"	dasmrcmobsync.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\02-de-ba-d8-d6-b4	dasmrcmobsync.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dasmrcmobsync.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	dasmrcmobsync.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}	dasmrcmobsync.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-de-ba-d8-d6-b4\WpadDecision = "0"	dasmrcmobsync.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dasmrcmobsync.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	dasmrcmobsync.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dasmrcmobsync.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	dasmrcmobsync.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dasmrcmobsync.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadDecisionTime = 601b8e47c7abda01	dasmrcmobsync.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-de-ba-d8-d6-b4	dasmrcmobsync.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-de-ba-d8-d6-b4\WpadDecisionTime = 601b8e47c7abda01	dasmrcmobsync.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	dasmrcmobsync.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadDecisionReason = "1"	dasmrcmobsync.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadNetworkName = "Network 3"	dasmrcmobsync.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-de-ba-d8-d6-b4\WpadDecisionReason = "1"	dasmrcmobsync.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dasmrcmobsync.exe

Modifies registry class 36 IoCs

Processes:

64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exedasmrcmobsync.exedasmrcmobsync.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64D9AC~1.EXE"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	dasmrcmobsync.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\ = "mfccalc.calculator"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	dasmrcmobsync.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	dasmrcmobsync.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ = "mfccalc.calculator"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Windows\\SysWOW64\\DASMRC~1.EXE"	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	dasmrcmobsync.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Windows\\SysWOW64\\DASMRC~1.EXE"	dasmrcmobsync.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	dasmrcmobsync.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64D9AC~1.EXE"	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	dasmrcmobsync.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dasmrcmobsync.exe

pid process

2672 dasmrcmobsync.exe
2672 dasmrcmobsync.exe
2672 dasmrcmobsync.exe
2672 dasmrcmobsync.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe

pid process

1636 64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe

pid	process
2672	dasmrcmobsync.exe
2672	dasmrcmobsync.exe
2672	dasmrcmobsync.exe
2672	dasmrcmobsync.exe

pid	process
1636	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exedasmrcmobsync.exedasmrcmobsync.exe

pid	process
2196	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
2196	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
1636	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
1636	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
2540	dasmrcmobsync.exe
2540	dasmrcmobsync.exe
2672	dasmrcmobsync.exe
2672	dasmrcmobsync.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exedasmrcmobsync.exe

description	pid	process	target process
PID 2196 wrote to memory of 1636	2196	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
PID 2196 wrote to memory of 1636	2196	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
PID 2196 wrote to memory of 1636	2196	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
PID 2196 wrote to memory of 1636	2196	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe	64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
PID 2540 wrote to memory of 2672	2540	dasmrcmobsync.exe	dasmrcmobsync.exe
PID 2540 wrote to memory of 2672	2540	dasmrcmobsync.exe	dasmrcmobsync.exe
PID 2540 wrote to memory of 2672	2540	dasmrcmobsync.exe	dasmrcmobsync.exe
PID 2540 wrote to memory of 2672	2540	dasmrcmobsync.exe	dasmrcmobsync.exe

C:\Users\Admin\AppData\Local\Temp\64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\64d9acbff6273f7442edac49f9eec054_JaffaCakes118.exe
--9287190d
2⤵
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\SysWOW64\dasmrcmobsync.exe
"C:\Windows\SysWOW64\dasmrcmobsync.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\dasmrcmobsync.exe
--5d67d969
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-6-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1636-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-0-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2196-5-0x00000000002C0000-0x00000000002CF000-memory.dmp

Filesize
60KB

Download
memory/2540-11-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/2672-17-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads