emotet | 2091a24d7e03980bcd3f18b5a71ca87a93e4f4382810de2ad817086c626d3505

General

Target

631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
Size

551KB
MD5

631545bb910def12263fbd08ad675d6e
SHA1

685fe2a44c4d2d803ec605b1e03ddec3e65e2a19
SHA256

2091a24d7e03980bcd3f18b5a71ca87a93e4f4382810de2ad817086c626d3505
SHA512

fb38ac528a5f53ccb2dde9310f6166a5560e2d4089f2106f48983a49efa9b2ae6574f5385f238aa08b9355a5180004548b210a2459d6b191185b4b0cd7b7fe9e
SSDEEP

12288:JjVeneMEuEB2ZVirlydPUGUuhshCK+NeFxAri6If0LecJDFqs:VcneFJB2irl6UuhzK+NeFxAri6IfmJJq

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

111.119.233.65:80

190.210.184.138:995

51.255.165.160:8080

45.56.79.249:443

163.172.40.218:7080

91.205.215.57:7080

68.183.170.114:8080

190.217.1.149:80

62.75.160.178:8080

200.113.106.18:80

5.196.35.138:7080

89.188.124.145:443

186.23.132.93:990

51.15.8.192:8080

190.38.14.52:80

217.199.160.224:8080

207.154.204.40:8080

142.93.114.137:8080

94.183.71.206:7080

190.104.253.234:990

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

pollerpdeft.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pollerpdeft.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pollerpdeft.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pollerpdeft.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pollerpdeft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

pollerpdeft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pollerpdeft.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pollerpdeft.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pollerpdeft.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

pollerpdeft.exe

pid	process
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe

pid process

3924 631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe

pid	process
3924	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe631545bb910def12263fbd08ad675d6e_JaffaCakes118.exepollerpdeft.exepollerpdeft.exe

pid	process
4916	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
4916	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
3924	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
3924	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
3248	pollerpdeft.exe
3248	pollerpdeft.exe
2836	pollerpdeft.exe
2836	pollerpdeft.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

631545bb910def12263fbd08ad675d6e_JaffaCakes118.exepollerpdeft.exe

description	pid	process	target process
PID 4916 wrote to memory of 3924	4916	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
PID 4916 wrote to memory of 3924	4916	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
PID 4916 wrote to memory of 3924	4916	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe	631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
PID 3248 wrote to memory of 2836	3248	pollerpdeft.exe	pollerpdeft.exe
PID 3248 wrote to memory of 2836	3248	pollerpdeft.exe	pollerpdeft.exe
PID 3248 wrote to memory of 2836	3248	pollerpdeft.exe	pollerpdeft.exe

C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\631545bb910def12263fbd08ad675d6e_JaffaCakes118.exe
--1971609f
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\SysWOW64\pollerpdeft.exe
"C:\Windows\SysWOW64\pollerpdeft.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\pollerpdeft.exe
--1847e9e9
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\01edac8cae020cd42786e051ebe37b67_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
Filesize
50B

MD5
5f22af36aff2e43cacf9a56ba4166900

SHA1
914ede992f5edd5523a3a127a88f7bca60c69665

SHA256
e0671a7dbf4fca7d937ff1300471c5823a57786710faba9f85daf9e843281e3a

SHA512
f7fd666c6dcdae2bf235bb2b00791cf00519579e3181e5e3fd67e70c9a4027d48335b6498f6116efa5e513b7750b0eebeb484a63555d277939923bb48d4f3bc8

Download Submit
memory/2836-19-0x0000000000E60000-0x0000000000E77000-memory.dmp

Filesize
92KB

Download
memory/3248-12-0x0000000000EC0000-0x0000000000ED7000-memory.dmp

Filesize
92KB

Download
memory/3924-6-0x00000000021E0000-0x00000000021F7000-memory.dmp

Filesize
92KB

Download
memory/3924-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4916-5-0x0000000002160000-0x0000000002171000-memory.dmp

Filesize
68KB

Download
memory/4916-0-0x0000000003C50000-0x0000000003C67000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads