emotet | f478208ceeb20cc093d38b1c1a670ae535ba3a6b8b2b0cf68f9f39ab1208531a

General

Target

640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
Size

102KB
MD5

640f2a05a264b6897ed17f0edb228ed4
SHA1

074b1a2ad44bd169cbab2454bd5ddc9ab1194ee2
SHA256

f478208ceeb20cc093d38b1c1a670ae535ba3a6b8b2b0cf68f9f39ab1208531a
SHA512

2cb7bcc943726422d4e0121c4a05256ba371a412094fb8bc6172752e46181ff12e426d54ea4ef8a8f1903842533f9d455db28a3afb968fda4031d069e5df1dad
SSDEEP

3072:pWzSlLzc1hIOBWL/FWes1qqdPPqDRR2GdF5cb:pflGrMLtEDnqDz7d

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

TrustInterop.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	TrustInterop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

TrustInterop.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecisionTime = 60c07f69a0abda01	TrustInterop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecisionReason = "1"	TrustInterop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecision = "0"	TrustInterop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	TrustInterop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	TrustInterop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	TrustInterop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0034000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	TrustInterop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}	TrustInterop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadNetworkName = "Network 3"	TrustInterop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	TrustInterop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	TrustInterop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	TrustInterop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e	TrustInterop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	TrustInterop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	TrustInterop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecisionReason = "1"	TrustInterop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecision = "0"	TrustInterop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\8e-88-f3-84-af-8e	TrustInterop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecisionTime = 60c07f69a0abda01	TrustInterop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	TrustInterop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	TrustInterop.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

TrustInterop.exe

pid process

2632 TrustInterop.exe
2632 TrustInterop.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe

pid process

3044 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe

pid	process
2632	TrustInterop.exe
2632	TrustInterop.exe

pid	process
3044	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exeTrustInterop.exe

description	pid	process	target process
PID 1768 wrote to memory of 3044	1768	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
PID 1768 wrote to memory of 3044	1768	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
PID 1768 wrote to memory of 3044	1768	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
PID 1768 wrote to memory of 3044	1768	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
PID 2752 wrote to memory of 2632	2752	TrustInterop.exe	TrustInterop.exe
PID 2752 wrote to memory of 2632	2752	TrustInterop.exe	TrustInterop.exe
PID 2752 wrote to memory of 2632	2752	TrustInterop.exe	TrustInterop.exe
PID 2752 wrote to memory of 2632	2752	TrustInterop.exe	TrustInterop.exe

C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe"
2⤵
- Suspicious behavior: RenamesItself
PID:3044

C:\Windows\SysWOW64\TrustInterop.exe
C:\Windows\SysWOW64\TrustInterop.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\TrustInterop.exe
"C:\Windows\SysWOW64\TrustInterop.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-14-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1768-6-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1768-1-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/1768-5-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/1768-0-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2632-30-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download
memory/2752-21-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/2752-15-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download
memory/2752-16-0x0000000000110000-0x000000000011E000-memory.dmp

Filesize
56KB

Download
memory/2752-20-0x0000000000110000-0x000000000011E000-memory.dmp

Filesize
56KB

Download
memory/2752-27-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download
memory/3044-13-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/3044-8-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/3044-12-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/3044-29-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/3044-28-0x00000000010D0000-0x00000000010F0000-memory.dmp

Filesize
128KB

Download
memory/3044-7-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads