emotet | f478208ceeb20cc093d38b1c1a670ae535ba3a6b8b2b0cf68f9f39ab1208531a

General

Target

640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
Size

102KB
MD5

640f2a05a264b6897ed17f0edb228ed4
SHA1

074b1a2ad44bd169cbab2454bd5ddc9ab1194ee2
SHA256

f478208ceeb20cc093d38b1c1a670ae535ba3a6b8b2b0cf68f9f39ab1208531a
SHA512

2cb7bcc943726422d4e0121c4a05256ba371a412094fb8bc6172752e46181ff12e426d54ea4ef8a8f1903842533f9d455db28a3afb968fda4031d069e5df1dad
SSDEEP

3072:pWzSlLzc1hIOBWL/FWes1qqdPPqDRR2GdF5cb:pflGrMLtEDnqDz7d

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

WarningSnippets.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	WarningSnippets.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	WarningSnippets.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	WarningSnippets.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	WarningSnippets.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

WarningSnippets.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WarningSnippets.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WarningSnippets.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WarningSnippets.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

WarningSnippets.exe

pid process

3608 WarningSnippets.exe
3608 WarningSnippets.exe
3608 WarningSnippets.exe
3608 WarningSnippets.exe
3608 WarningSnippets.exe
3608 WarningSnippets.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe

pid process

4256 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe

pid	process
3608	WarningSnippets.exe
3608	WarningSnippets.exe
3608	WarningSnippets.exe
3608	WarningSnippets.exe
3608	WarningSnippets.exe
3608	WarningSnippets.exe

pid	process
4256	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exeWarningSnippets.exe

description	pid	process	target process
PID 4336 wrote to memory of 4256	4336	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
PID 4336 wrote to memory of 4256	4336	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
PID 4336 wrote to memory of 4256	4336	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe	640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
PID 4260 wrote to memory of 3608	4260	WarningSnippets.exe	WarningSnippets.exe
PID 4260 wrote to memory of 3608	4260	WarningSnippets.exe	WarningSnippets.exe
PID 4260 wrote to memory of 3608	4260	WarningSnippets.exe	WarningSnippets.exe

C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe"
2⤵
- Suspicious behavior: RenamesItself
PID:4256

C:\Windows\SysWOW64\WarningSnippets.exe
C:\Windows\SysWOW64\WarningSnippets.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\WarningSnippets.exe
"C:\Windows\SysWOW64\WarningSnippets.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3608-22-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/3608-32-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/3608-23-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/3608-28-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/3608-27-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/4256-30-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/4256-31-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/4256-13-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/4256-12-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/4256-11-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/4256-7-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/4260-15-0x00000000014D0000-0x00000000014DE000-memory.dmp

Filesize
56KB

Download
memory/4260-20-0x0000000001330000-0x000000000133E000-memory.dmp

Filesize
56KB

Download
memory/4260-21-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/4260-29-0x0000000001330000-0x000000000133E000-memory.dmp

Filesize
56KB

Download
memory/4260-19-0x00000000014D0000-0x00000000014DE000-memory.dmp

Filesize
56KB

Download
memory/4336-0-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/4336-14-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/4336-6-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/4336-5-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/4336-1-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads