emotet | 8ac484407e6f7e10e97b5b32f72494cf0099ad3b7a1c2ed6f09b6856a963fd8b

General

Target

6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
Size

425KB
MD5

6382e60479cb0ab0cf9fbf6b456d5580
SHA1

62fba9c60d2374a9d1d300638795ac0fc8297c98
SHA256

8ac484407e6f7e10e97b5b32f72494cf0099ad3b7a1c2ed6f09b6856a963fd8b
SHA512

09367269f7668f004e0b5ea4d1235a39439d0893c58cf2f6db09ece2fae1c4a04051fe19049c8054a726e58f5876a338ce01216e9dbd84fbe25372f17cf487d9
SSDEEP

6144:6riTApO8CLavbVUGXjDsDaKaIwLnhc/WGLeGFL7h11UOvTmgyyyyyyyyyyyyyyyg:DGXqzacuGfFxUO7mQDi+6Y

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

186.159.246.121:80

201.210.70.8:8080

46.105.131.68:8080

192.163.221.191:8080

124.150.175.133:80

5.189.148.98:8080

95.216.207.86:7080

189.145.6.189:80

212.112.113.235:80

187.143.219.242:8080

189.132.130.111:8080

190.96.118.15:443

190.217.1.149:80

172.104.70.207:8080

42.190.4.92:443

152.170.220.95:80

203.99.188.11:443

216.75.37.196:8080

190.55.39.215:80

185.45.24.254:7080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Loads dropped DLL 4 IoCs

Processes:

6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exeknownmisc.exeknownmisc.exe

pid	process
2300	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
1948	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
2664	knownmisc.exe
2660	knownmisc.exe

Drops file in System32 directory 1 IoCs

Processes:

knownmisc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	knownmisc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

knownmisc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	knownmisc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	knownmisc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionTime = 20de08f085abda01	knownmisc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecision = "0"	knownmisc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionTime = 20de08f085abda01	knownmisc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	knownmisc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	knownmisc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	knownmisc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	knownmisc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionReason = "1"	knownmisc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadNetworkName = "Network 3"	knownmisc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b	knownmisc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	knownmisc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	knownmisc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	knownmisc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}	knownmisc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\fa-f4-8d-33-a9-5b	knownmisc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionReason = "1"	knownmisc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecision = "0"	knownmisc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	knownmisc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	knownmisc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

knownmisc.exe

pid process

2660 knownmisc.exe
2660 knownmisc.exe
2660 knownmisc.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe

pid process

1948 6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe

pid	process
2660	knownmisc.exe
2660	knownmisc.exe
2660	knownmisc.exe

pid	process
1948	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exeknownmisc.exe

description	pid	process	target process
PID 2300 wrote to memory of 1948	2300	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
PID 2300 wrote to memory of 1948	2300	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
PID 2300 wrote to memory of 1948	2300	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
PID 2300 wrote to memory of 1948	2300	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe	6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
PID 2664 wrote to memory of 2660	2664	knownmisc.exe	knownmisc.exe
PID 2664 wrote to memory of 2660	2664	knownmisc.exe	knownmisc.exe
PID 2664 wrote to memory of 2660	2664	knownmisc.exe	knownmisc.exe
PID 2664 wrote to memory of 2660	2664	knownmisc.exe	knownmisc.exe

C:\Users\Admin\AppData\Local\Temp\6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\6382e60479cb0ab0cf9fbf6b456d5580_JaffaCakes118.exe
--efeeb35f
2⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
PID:1948

C:\Windows\SysWOW64\knownmisc.exe
"C:\Windows\SysWOW64\knownmisc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\knownmisc.exe
--ebfacbc5
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\xcsdwrsdk.dtxsd
Filesize
252KB

MD5
26820af6ed368c501d3196bfbe832fa6

SHA1
b45a46d2a0850179232225739cd958a8cf9b7100

SHA256
566cc0006fa210dcfdc0f56600d8a6da99d5803b3cab5a83eccad95d1c75c94e

SHA512
ee5221d379f03f643708757ba8d6c86f805cf555dbca7ccd484f00129ed2933e1ef3b9cca8831db1b05f03b10f5e6f2fc775663d65bc72977e7c0177855b178a

Download Submit
memory/1948-14-0x0000000000390000-0x00000000003A7000-memory.dmp

Filesize
92KB

Download
memory/1948-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2300-11-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/2300-10-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2300-5-0x00000000006D0000-0x00000000006E7000-memory.dmp

Filesize
92KB

Download
memory/2660-28-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/2660-33-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2664-20-0x0000000001120000-0x0000000001137000-memory.dmp

Filesize
92KB

Download
memory/2664-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads