emotet | 4a8d4ea6f311c7acf3e04c483ab7eb77b5e3de03ca4d15eed503617dc85c19d9

General

Target

6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
Size

745KB
MD5

6460ba70c8fcebef2e34fe04e8f26c46
SHA1

4802926f2471dd7165eda93d9b816f2209fe4a2b
SHA256

4a8d4ea6f311c7acf3e04c483ab7eb77b5e3de03ca4d15eed503617dc85c19d9
SHA512

ba5373c37db21d7d6f5b609414c8c2d3f61e2e460b1002c18de00fce3329432ab78a8b3fd35a99a7c701a746c07527d82672d7cc37c1364d79f42e63493a2df9
SSDEEP

12288:X1iuahDbW+ePQKTguan8z/SbGvfqepaLPvzp8AxNyYVcdYn2n6lT0O3lA:X1iuUXAQK8ulSbGvUntbyYVcdYL6

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

66.229.161.86:443

190.47.236.83:80

217.12.70.226:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

69.30.205.162:7080

95.216.207.86:7080

128.92.54.20:80

185.192.75.240:443

41.77.74.214:443

190.38.252.45:443

124.150.175.129:8080

191.100.24.201:50000

178.134.1.238:80

72.51.153.27:80

210.224.65.117:80

83.156.88.159:80

190.171.135.235:80

100.38.11.243:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

trnsgroup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	trnsgroup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

trnsgroup.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	trnsgroup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	trnsgroup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	trnsgroup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	trnsgroup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\WpadDecisionTime = e04edadcafabda01	trnsgroup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-5c-26-3d-aa-ea\WpadDecision = "0"	trnsgroup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	trnsgroup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	trnsgroup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fe000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	trnsgroup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}	trnsgroup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	trnsgroup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	trnsgroup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\WpadDecisionReason = "1"	trnsgroup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\WpadDecision = "0"	trnsgroup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\WpadNetworkName = "Network 3"	trnsgroup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\aa-5c-26-3d-aa-ea	trnsgroup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	trnsgroup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	trnsgroup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-5c-26-3d-aa-ea	trnsgroup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-5c-26-3d-aa-ea\WpadDecisionReason = "1"	trnsgroup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-5c-26-3d-aa-ea\WpadDecisionTime = e04edadcafabda01	trnsgroup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

trnsgroup.exe

pid process

2560 trnsgroup.exe
2560 trnsgroup.exe
2560 trnsgroup.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe

pid process

2008 6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe

pid	process
2560	trnsgroup.exe
2560	trnsgroup.exe
2560	trnsgroup.exe

pid	process
2008	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exetrnsgroup.exetrnsgroup.exe

pid	process
1288	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
2008	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
3012	trnsgroup.exe
2560	trnsgroup.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exetrnsgroup.exe

description	pid	process	target process
PID 1288 wrote to memory of 2008	1288	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
PID 1288 wrote to memory of 2008	1288	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
PID 1288 wrote to memory of 2008	1288	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
PID 1288 wrote to memory of 2008	1288	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe	6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
PID 3012 wrote to memory of 2560	3012	trnsgroup.exe	trnsgroup.exe
PID 3012 wrote to memory of 2560	3012	trnsgroup.exe	trnsgroup.exe
PID 3012 wrote to memory of 2560	3012	trnsgroup.exe	trnsgroup.exe
PID 3012 wrote to memory of 2560	3012	trnsgroup.exe	trnsgroup.exe

C:\Users\Admin\AppData\Local\Temp\6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\6460ba70c8fcebef2e34fe04e8f26c46_JaffaCakes118.exe
--51990d51
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\SysWOW64\trnsgroup.exe
"C:\Windows\SysWOW64\trnsgroup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\trnsgroup.exe
--333db892
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-0-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/1288-5-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2008-6-0x0000000001BF0000-0x0000000001C07000-memory.dmp

Filesize
92KB

Download
memory/2008-16-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2560-17-0x0000000000360000-0x0000000000377000-memory.dmp

Filesize
92KB

Download
memory/3012-11-0x0000000000270000-0x0000000000287000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads