emotet | 2091a24d7e03980bcd3f18b5a71ca87a93e4f4382810de2ad817086c626d3505

General

Target

631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
Size

551KB
MD5

631545bb910def12263fbd08ad675d6e
SHA1

685fe2a44c4d2d803ec605b1e03ddec3e65e2a19
SHA256

2091a24d7e03980bcd3f18b5a71ca87a93e4f4382810de2ad817086c626d3505
SHA512

fb38ac528a5f53ccb2dde9310f6166a5560e2d4089f2106f48983a49efa9b2ae6574f5385f238aa08b9355a5180004548b210a2459d6b191185b4b0cd7b7fe9e
SSDEEP

12288:JjVeneMEuEB2ZVirlydPUGUuhshCK+NeFxAri6If0LecJDFqs:VcneFJB2irl6UuhzK+NeFxAri6IfmJJq

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

111.119.233.65:80

190.210.184.138:995

51.255.165.160:8080

45.56.79.249:443

163.172.40.218:7080

91.205.215.57:7080

68.183.170.114:8080

190.217.1.149:80

62.75.160.178:8080

200.113.106.18:80

5.196.35.138:7080

89.188.124.145:443

186.23.132.93:990

51.15.8.192:8080

190.38.14.52:80

217.199.160.224:8080

207.154.204.40:8080

142.93.114.137:8080

94.183.71.206:7080

190.104.253.234:990

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

builderconman.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	builderconman.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

builderconman.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	builderconman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	builderconman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionReason = "1"	builderconman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	builderconman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	builderconman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	builderconman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadNetworkName = "Network 3"	builderconman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b	builderconman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	builderconman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	builderconman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	builderconman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	builderconman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecision = "0"	builderconman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\42-35-df-dc-3d-6b	builderconman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecision = "0"	builderconman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	builderconman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}	builderconman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionReason = "1"	builderconman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = 20e12d936fabda01	builderconman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = 20e12d936fabda01	builderconman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	builderconman.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

builderconman.exe

pid process

2612 builderconman.exe
2612 builderconman.exe
2612 builderconman.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe

pid process

1876 631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe

pid	process
2612	builderconman.exe
2612	builderconman.exe
2612	builderconman.exe

pid	process
1876	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe631545bb910def12263fbd08ad675d6e_JaffaCakes118.exebuilderconman.exebuilderconman.exe

pid	process
2256	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
2256	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
1876	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
1876	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
2528	builderconman.exe
2528	builderconman.exe
2612	builderconman.exe
2612	builderconman.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

631545bb910def12263fbd08ad675d6e_JaffaCakes118.exebuilderconman.exe

description	pid	process	target process
PID 2256 wrote to memory of 1876	2256	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
PID 2256 wrote to memory of 1876	2256	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
PID 2256 wrote to memory of 1876	2256	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
PID 2256 wrote to memory of 1876	2256	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
PID 2528 wrote to memory of 2612	2528	builderconman.exe	builderconman.exe
PID 2528 wrote to memory of 2612	2528	builderconman.exe	builderconman.exe
PID 2528 wrote to memory of 2612	2528	builderconman.exe	builderconman.exe
PID 2528 wrote to memory of 2612	2528	builderconman.exe	builderconman.exe

C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
  --1971609f
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:1876

C:\Windows\SysWOW64\builderconman.exe
"C:\Windows\SysWOW64\builderconman.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\builderconman.exe
  --1b0fa829
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-6-0x0000000000300000-0x0000000000317000-memory.dmp

Filesize
92KB

Download
memory/1876-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2256-0-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/2256-5-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2528-11-0x0000000000970000-0x0000000000987000-memory.dmp

Filesize
92KB

Download
memory/2612-17-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads