emotet | 0191b05e5ce7e3b5fe92a3326ca74493be9fd9d8e31bdaefa68cbc5c9b6f62e7

General

Target

63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
Size

172KB
MD5

63cca393ab309282e416f7a1dcb97dd6
SHA1

adf92dfee2d96be5186c5e3c4f449a00970a8998
SHA256

0191b05e5ce7e3b5fe92a3326ca74493be9fd9d8e31bdaefa68cbc5c9b6f62e7
SHA512

9dae69df205094ef5c11b560db204385db139d4b880b4ef28872bcf7b8248b6bd8e1af62ef62092a9986d9a67132e8b9c2ddc9b8aafe146173ea6a1e51202497
SSDEEP

3072:dwa+jvXl2YCdruDD9jiWC4dzopFFICWY86bIWLu4Nrme/1Z7:jYl7WrOiWa1

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exeissearcon.exeissearcon.exe

pid	process
2380	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
2380	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
2076	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
2076	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
3132	issearcon.exe
3132	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe
212	issearcon.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe

pid process

2076 63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe

pid	process
2076	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exeissearcon.exe

description	pid	process	target process
PID 2380 wrote to memory of 2076	2380	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
PID 2380 wrote to memory of 2076	2380	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
PID 2380 wrote to memory of 2076	2380	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe	63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
PID 3132 wrote to memory of 212	3132	issearcon.exe	issearcon.exe
PID 3132 wrote to memory of 212	3132	issearcon.exe	issearcon.exe
PID 3132 wrote to memory of 212	3132	issearcon.exe	issearcon.exe

C:\Users\Admin\AppData\Local\Temp\63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63cca393ab309282e416f7a1dcb97dd6_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2076

C:\Windows\SysWOW64\issearcon.exe
"C:\Windows\SysWOW64\issearcon.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\issearcon.exe
"C:\Windows\SysWOW64\issearcon.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2996 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-27-0x0000000000A70000-0x0000000000A8A000-memory.dmp

Filesize
104KB

Download
memory/212-33-0x0000000000A50000-0x0000000000A6A000-memory.dmp

Filesize
104KB

Download
memory/212-23-0x0000000000A70000-0x0000000000A8A000-memory.dmp

Filesize
104KB

Download
memory/212-28-0x0000000000A50000-0x0000000000A6A000-memory.dmp

Filesize
104KB

Download
memory/212-29-0x0000000000D70000-0x0000000000D90000-memory.dmp

Filesize
128KB

Download
memory/2076-7-0x0000000000500000-0x000000000051A000-memory.dmp

Filesize
104KB

Download
memory/2076-13-0x00000000020B0000-0x00000000020D0000-memory.dmp

Filesize
128KB

Download
memory/2076-12-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/2076-32-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/2076-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2076-11-0x0000000000500000-0x000000000051A000-memory.dmp

Filesize
104KB

Download
memory/2380-6-0x00000000021F0000-0x0000000002210000-memory.dmp

Filesize
128KB

Download
memory/2380-14-0x00000000021B0000-0x00000000021CA000-memory.dmp

Filesize
104KB

Download
memory/2380-1-0x00000000021D0000-0x00000000021EA000-memory.dmp

Filesize
104KB

Download
memory/2380-5-0x00000000021D0000-0x00000000021EA000-memory.dmp

Filesize
104KB

Download
memory/2380-0-0x00000000021B0000-0x00000000021CA000-memory.dmp

Filesize
104KB

Download
memory/3132-22-0x0000000000D70000-0x0000000000D90000-memory.dmp

Filesize
128KB

Download
memory/3132-16-0x0000000000D50000-0x0000000000D6A000-memory.dmp

Filesize
104KB

Download
memory/3132-30-0x0000000000D30000-0x0000000000D4A000-memory.dmp

Filesize
104KB

Download
memory/3132-20-0x0000000000D50000-0x0000000000D6A000-memory.dmp

Filesize
104KB

Download
memory/3132-21-0x0000000000D30000-0x0000000000D4A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing