emotet | 52d4dafbcfae960f9c56c22dd3013b33747410cc14d384ae26caaae26f7e74c5

General

Target

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
Size

136KB
MD5

648fdc19f6c9edca30a8f9a756234699
SHA1

321f822bb486dccfad216ff2b2a40e4112637a4f
SHA256

52d4dafbcfae960f9c56c22dd3013b33747410cc14d384ae26caaae26f7e74c5
SHA512

ae2a2a284424412d9d85d55beddc3d90bf8b193f625accf779e04360f73857d96dcd39d228d9e6a3004da1c52bc0afe3b291976244364f612819132230186c32
SSDEEP

3072:Fkh20/12+YvN69kc10oF+RDINn6j9DyIK3cIRV0x2IY:Fkh20/12+Y8Kc13kDYn6jdyIK3PV0J

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 148.103.9.108
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc
Destination IP	148.103.9.108

Modifies Control Panel 2 IoCs

evasion

Processes:

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

wordpadidl.exewordpadidl.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\PowerCfg	wordpadidl.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\PowerCfg	wordpadidl.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exewordpadidl.exewordpadidl.exe

pid	process
1592	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
1592	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
4592	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
4592	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
3896	wordpadidl.exe
3896	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe
3948	wordpadidl.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

pid process

4592 648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

pid	process
4592	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exewordpadidl.exe

description	pid	process	target process
PID 1592 wrote to memory of 4592	1592	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
PID 1592 wrote to memory of 4592	1592	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
PID 1592 wrote to memory of 4592	1592	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe	648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
PID 3896 wrote to memory of 3948	3896	wordpadidl.exe	wordpadidl.exe
PID 3896 wrote to memory of 3948	3896	wordpadidl.exe	wordpadidl.exe
PID 3896 wrote to memory of 3948	3896	wordpadidl.exe	wordpadidl.exe

C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe"
1⤵
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe"
2⤵
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:4592

C:\Windows\SysWOW64\wordpadidl.exe
"C:\Windows\SysWOW64\wordpadidl.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\wordpadidl.exe
"C:\Windows\SysWOW64\wordpadidl.exe"
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1592-0-0x0000000001120000-0x000000000113A000-memory.dmp

Filesize
104KB

Download
memory/1592-5-0x00000000028F0000-0x0000000002908000-memory.dmp

Filesize
96KB

Download
memory/1592-4-0x0000000001100000-0x000000000111A000-memory.dmp

Filesize
104KB

Download
memory/3896-24-0x0000000001050000-0x000000000106A000-memory.dmp

Filesize
104KB

Download
memory/3896-12-0x0000000001460000-0x000000000147A000-memory.dmp

Filesize
104KB

Download
memory/3896-17-0x0000000001480000-0x0000000001498000-memory.dmp

Filesize
96KB

Download
memory/3896-16-0x0000000001050000-0x000000000106A000-memory.dmp

Filesize
104KB

Download
memory/3948-18-0x0000000000ED0000-0x0000000000EEA000-memory.dmp

Filesize
104KB

Download
memory/3948-23-0x0000000000EF0000-0x0000000000F08000-memory.dmp

Filesize
96KB

Download
memory/3948-22-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/3948-27-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/4592-10-0x00000000012E0000-0x00000000012FA000-memory.dmp

Filesize
104KB

Download
memory/4592-11-0x0000000001320000-0x0000000001338000-memory.dmp

Filesize
96KB

Download
memory/4592-6-0x0000000001300000-0x000000000131A000-memory.dmp

Filesize
104KB

Download
memory/4592-25-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/4592-26-0x00000000012E0000-0x00000000012FA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads