emotet | 52d4dafbcfae960f9c56c22dd3013b33747410cc14d384ae26caaae26f7e74c5

General

Target

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
Size

136KB
MD5

648fdc19f6c9edca30a8f9a756234699
SHA1

321f822bb486dccfad216ff2b2a40e4112637a4f
SHA256

52d4dafbcfae960f9c56c22dd3013b33747410cc14d384ae26caaae26f7e74c5
SHA512

ae2a2a284424412d9d85d55beddc3d90bf8b193f625accf779e04360f73857d96dcd39d228d9e6a3004da1c52bc0afe3b291976244364f612819132230186c32
SSDEEP

3072:Fkh20/12+YvN69kc10oF+RDINn6j9DyIK3cIRV0x2IY:Fkh20/12+Y8Kc13kDYn6jdyIK3PV0J

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 148.103.9.108
Destination IP 148.103.9.108

description	ioc
Destination IP	148.103.9.108
Destination IP	148.103.9.108

Drops file in System32 directory 1 IoCs

Processes:

adamavatar.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	adamavatar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\PowerCfg	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\PowerCfg	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

adamavatar.exeadamavatar.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\PowerCfg	adamavatar.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	adamavatar.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	adamavatar.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0058000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	adamavatar.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\WpadDecisionReason = "1"	adamavatar.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-a9-87-57-0d-80\WpadDecision = "0"	adamavatar.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	adamavatar.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	adamavatar.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\WpadDecision = "0"	adamavatar.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-a9-87-57-0d-80	adamavatar.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	adamavatar.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}	adamavatar.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\WpadDecisionTime = 105d33ddb8abda01	adamavatar.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\ea-a9-87-57-0d-80	adamavatar.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-a9-87-57-0d-80\WpadDecisionReason = "1"	adamavatar.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\PowerCfg	adamavatar.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	adamavatar.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	adamavatar.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\WpadNetworkName = "Network 3"	adamavatar.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-a9-87-57-0d-80\WpadDecisionTime = 105d33ddb8abda01	adamavatar.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exeadamavatar.exeadamavatar.exe

pid	process
2916	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
2500	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
2088	adamavatar.exe
2528	adamavatar.exe
2528	adamavatar.exe
2528	adamavatar.exe
2528	adamavatar.exe
2528	adamavatar.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

pid process

2500 648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

pid	process
2500	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exeadamavatar.exe

description	pid	process	target process
PID 2916 wrote to memory of 2500	2916	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
PID 2916 wrote to memory of 2500	2916	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
PID 2916 wrote to memory of 2500	2916	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
PID 2916 wrote to memory of 2500	2916	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
PID 2088 wrote to memory of 2528	2088	adamavatar.exe	adamavatar.exe
PID 2088 wrote to memory of 2528	2088	adamavatar.exe	adamavatar.exe
PID 2088 wrote to memory of 2528	2088	adamavatar.exe	adamavatar.exe
PID 2088 wrote to memory of 2528	2088	adamavatar.exe	adamavatar.exe

C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe"
1⤵
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe"
2⤵
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2500

C:\Windows\SysWOW64\adamavatar.exe
"C:\Windows\SysWOW64\adamavatar.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\adamavatar.exe
"C:\Windows\SysWOW64\adamavatar.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2088-16-0x00000000000F0000-0x000000000010A000-memory.dmp

Filesize
104KB

Download
memory/2088-12-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/2088-17-0x0000000000330000-0x0000000000348000-memory.dmp

Filesize
96KB

Download
memory/2500-4-0x0000000000140000-0x000000000015A000-memory.dmp

Filesize
104KB

Download
memory/2500-11-0x00000000001A0000-0x00000000001B8000-memory.dmp

Filesize
96KB

Download
memory/2500-25-0x0000000000120000-0x000000000013A000-memory.dmp

Filesize
104KB

Download
memory/2500-24-0x00000000011C0000-0x00000000011E3000-memory.dmp

Filesize
140KB

Download
memory/2500-10-0x0000000000120000-0x000000000013A000-memory.dmp

Filesize
104KB

Download
memory/2528-18-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/2528-23-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/2528-22-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/2528-26-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/2916-0-0x0000000000180000-0x000000000019A000-memory.dmp

Filesize
104KB

Download
memory/2916-9-0x0000000000750000-0x0000000000768000-memory.dmp

Filesize
96KB

Download
memory/2916-8-0x0000000000160000-0x000000000017A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads