emotet | eef75298d2250187ed51441c54d781a2c51405b34c55589137616e472ad6374b

General

Target

685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
Size

160KB
MD5

685babfac7c83e68bd2f77aa0e7fa2c0
SHA1

c76792be2e10d3ad41cbb706a9c0825a5a90b06e
SHA256

eef75298d2250187ed51441c54d781a2c51405b34c55589137616e472ad6374b
SHA512

5f8dd2fe0c09ddd2567b4f245970b0c736ed6849bb3c6a1e7ab6d52131cf25854f9a765d5a880e1686a7fd6a63ae665eacc4edb6459c5c4ce012b37bbea0fc26
SSDEEP

3072:zPAo6GwlcKWN4NcrhwCB9UjFttCclD9k62FHSrL4wudMHTizCWY86bIWLLNrme/L:DAo6GwlcKxcrGC7UIA9EH2BuaiA

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

shaderwgx.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	shaderwgx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 22 IoCs

Processes:

shaderwgx.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	shaderwgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4305C44B-8317-442B-AF0B-5F45EE59394D}\WpadDecisionReason = "1"	shaderwgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4305C44B-8317-442B-AF0B-5F45EE59394D}\WpadDecision = "0"	shaderwgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4305C44B-8317-442B-AF0B-5F45EE59394D}\WpadNetworkName = "Network 3"	shaderwgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1e-bf-8a-07-66\WpadDecisionTime = 50f95b447eacda01	shaderwgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1e-bf-8a-07-66\WpadDetectedUrl	shaderwgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1e-bf-8a-07-66\WpadDecision = "0"	shaderwgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4305C44B-8317-442B-AF0B-5F45EE59394D}\WpadDecisionTime = 50204a7a7eacda01	shaderwgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	shaderwgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	shaderwgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4305C44B-8317-442B-AF0B-5F45EE59394D}\WpadDecisionTime = 50f95b447eacda01	shaderwgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1e-bf-8a-07-66	shaderwgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4305C44B-8317-442B-AF0B-5F45EE59394D}\ee-1e-bf-8a-07-66	shaderwgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1e-bf-8a-07-66\WpadDecisionReason = "1"	shaderwgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	shaderwgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	shaderwgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	shaderwgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	shaderwgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4305C44B-8317-442B-AF0B-5F45EE59394D}	shaderwgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1e-bf-8a-07-66\WpadDecisionTime = 50204a7a7eacda01	shaderwgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	shaderwgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	shaderwgx.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exeshaderwgx.exeshaderwgx.exe

pid	process
2184	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
1640	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
2616	shaderwgx.exe
2728	shaderwgx.exe
2728	shaderwgx.exe
2728	shaderwgx.exe
2728	shaderwgx.exe
2728	shaderwgx.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe

pid process

1640 685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe

pid	process
1640	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exeshaderwgx.exe

description	pid	process	target process
PID 2184 wrote to memory of 1640	2184	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
PID 2184 wrote to memory of 1640	2184	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
PID 2184 wrote to memory of 1640	2184	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
PID 2184 wrote to memory of 1640	2184	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe	685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
PID 2616 wrote to memory of 2728	2616	shaderwgx.exe	shaderwgx.exe
PID 2616 wrote to memory of 2728	2616	shaderwgx.exe	shaderwgx.exe
PID 2616 wrote to memory of 2728	2616	shaderwgx.exe	shaderwgx.exe
PID 2616 wrote to memory of 2728	2616	shaderwgx.exe	shaderwgx.exe

C:\Users\Admin\AppData\Local\Temp\685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\685babfac7c83e68bd2f77aa0e7fa2c0_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1640

C:\Windows\SysWOW64\shaderwgx.exe
"C:\Windows\SysWOW64\shaderwgx.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\shaderwgx.exe
"C:\Windows\SysWOW64\shaderwgx.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-29-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1640-13-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/1640-12-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1640-9-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1640-5-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1640-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-11-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/2184-10-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/2184-0-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2184-4-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/2616-15-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2616-19-0x0000000000320000-0x000000000033A000-memory.dmp

Filesize
104KB

Download
memory/2616-20-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/2616-18-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2728-21-0x00000000002E0000-0x00000000002FA000-memory.dmp

Filesize
104KB

Download
memory/2728-27-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/2728-26-0x00000000002C0000-0x00000000002DA000-memory.dmp

Filesize
104KB

Download
memory/2728-25-0x00000000002E0000-0x00000000002FA000-memory.dmp

Filesize
104KB

Download
memory/2728-30-0x00000000002C0000-0x00000000002DA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads