emotet | 00b8d306a8328ed3bb0693ef756ea4d494af85c7af19be0d8d5306f32d20282c

General

Target

69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
Size

152KB
MD5

69e783c15eae02db57c599d15e4cf81e
SHA1

a27a634690f5d2fafe0efa669e4fe6aef47b34ed
SHA256

00b8d306a8328ed3bb0693ef756ea4d494af85c7af19be0d8d5306f32d20282c
SHA512

2c415df46eb5aca6633a622be89125527b7c57564af57862fd745641bed7bd29948ee24fb0f11a51207908a5d3a6c97fc05957f269428dc6fe29afb02081bf7c
SSDEEP

3072:S9rigXIEIK7f5cLhYK1P6U87XhrYaYSgmD/28P5Eb5JXfkY:S9rigXRIKDGd1P6d7RYaYED/2s2v

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

startedtuip.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	startedtuip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 18 IoCs

Processes:

startedtuip.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1	startedtuip.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = 90a62b5ad3acda01	startedtuip.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	startedtuip.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	startedtuip.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	startedtuip.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}	startedtuip.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecision = "0"	startedtuip.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	startedtuip.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	startedtuip.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadNetworkName = "Network 2"	startedtuip.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionReason = "1"	startedtuip.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	startedtuip.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	startedtuip.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecisionReason = "1"	startedtuip.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecision = "0"	startedtuip.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	startedtuip.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecisionTime = 90a62b5ad3acda01	startedtuip.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1	startedtuip.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exestartedtuip.exestartedtuip.exe

pid	process
1556	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
1628	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
2880	startedtuip.exe
2656	startedtuip.exe
2656	startedtuip.exe
2656	startedtuip.exe
2656	startedtuip.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe

pid process

1628 69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe

pid	process
1628	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exestartedtuip.exe

description	pid	process	target process
PID 1556 wrote to memory of 1628	1556	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
PID 1556 wrote to memory of 1628	1556	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
PID 1556 wrote to memory of 1628	1556	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
PID 1556 wrote to memory of 1628	1556	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe	69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
PID 2880 wrote to memory of 2656	2880	startedtuip.exe	startedtuip.exe
PID 2880 wrote to memory of 2656	2880	startedtuip.exe	startedtuip.exe
PID 2880 wrote to memory of 2656	2880	startedtuip.exe	startedtuip.exe
PID 2880 wrote to memory of 2656	2880	startedtuip.exe	startedtuip.exe

C:\Users\Admin\AppData\Local\Temp\69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69e783c15eae02db57c599d15e4cf81e_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1628

C:\Windows\SysWOW64\startedtuip.exe
"C:\Windows\SysWOW64\startedtuip.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\startedtuip.exe
"C:\Windows\SysWOW64\startedtuip.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-0-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/1556-4-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/1556-6-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/1556-5-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/1628-12-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/1628-27-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1628-28-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/2656-25-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/2656-29-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/2880-18-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/2880-19-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2880-26-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/2880-13-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/2880-17-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads