emotet | e9b0ae0a043e8f451b2d72ffea650eacbc6e7011e945c290b5fe5e1f71c6f9fc

General

Target

6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
Size

180KB
MD5

6b2e8f598b3ea45e75f58a0fbe29def9
SHA1

e2aafcb47d53be4442286e55659fd28a17467fb8
SHA256

e9b0ae0a043e8f451b2d72ffea650eacbc6e7011e945c290b5fe5e1f71c6f9fc
SHA512

e4ece6dc8ba2194a0901531f23608f206223b8aad7468413d5f65f93021c26c1077a91968fbb2662aecbd7baab5468a8f7944f22083c3d0fbdf980d65f6a9882
SSDEEP

3072:2n9ENCFkPh0fw+eff2ktl4eqGZNdCkGEaFaB/8Qeko7qLueL+:AqPh0Deffn7qGRvHom+

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

lookputil.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	lookputil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 22 IoCs

Processes:

lookputil.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-7c-e5-e2-85-ce\WpadDecisionReason = "1"	lookputil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	lookputil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3E403E90-F009-4033-8306-D831E368A89F}	lookputil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3E403E90-F009-4033-8306-D831E368A89F}\WpadNetworkName = "Network 3"	lookputil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3E403E90-F009-4033-8306-D831E368A89F}\16-7c-e5-e2-85-ce	lookputil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-7c-e5-e2-85-ce\WpadDetectedUrl	lookputil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	lookputil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	lookputil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	lookputil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3E403E90-F009-4033-8306-D831E368A89F}\WpadDecisionTime = d0def2551aadda01	lookputil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-7c-e5-e2-85-ce\WpadDecisionTime = d0def2551aadda01	lookputil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3E403E90-F009-4033-8306-D831E368A89F}\WpadDecisionTime = d05ea4ab1aadda01	lookputil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	lookputil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3E403E90-F009-4033-8306-D831E368A89F}\WpadDecisionReason = "1"	lookputil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3E403E90-F009-4033-8306-D831E368A89F}\WpadDecision = "0"	lookputil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	lookputil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-7c-e5-e2-85-ce	lookputil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-7c-e5-e2-85-ce\WpadDecision = "0"	lookputil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-7c-e5-e2-85-ce\WpadDecisionTime = d05ea4ab1aadda01	lookputil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	lookputil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	lookputil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	lookputil.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exelookputil.exelookputil.exe

pid	process
2172	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
1032	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
2624	lookputil.exe
2800	lookputil.exe
2800	lookputil.exe
2800	lookputil.exe
2800	lookputil.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe

pid process

1032 6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe

pid	process
1032	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exelookputil.exe

description	pid	process	target process
PID 2172 wrote to memory of 1032	2172	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
PID 2172 wrote to memory of 1032	2172	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
PID 2172 wrote to memory of 1032	2172	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
PID 2172 wrote to memory of 1032	2172	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe	6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
PID 2624 wrote to memory of 2800	2624	lookputil.exe	lookputil.exe
PID 2624 wrote to memory of 2800	2624	lookputil.exe	lookputil.exe
PID 2624 wrote to memory of 2800	2624	lookputil.exe	lookputil.exe
PID 2624 wrote to memory of 2800	2624	lookputil.exe	lookputil.exe

C:\Users\Admin\AppData\Local\Temp\6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b2e8f598b3ea45e75f58a0fbe29def9_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1032

C:\Windows\SysWOW64\lookputil.exe
"C:\Windows\SysWOW64\lookputil.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\lookputil.exe
"C:\Windows\SysWOW64\lookputil.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-28-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/1032-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2172-6-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/2172-5-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2172-4-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2172-0-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2172-12-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2624-26-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2624-18-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2624-17-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2624-13-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2800-23-0x00000000004F0000-0x0000000000507000-memory.dmp

Filesize
92KB

Download
memory/2800-19-0x00000000004F0000-0x0000000000507000-memory.dmp

Filesize
92KB

Download
memory/2800-25-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/2800-24-0x00000000003E0000-0x00000000003F7000-memory.dmp

Filesize
92KB

Download
memory/2800-29-0x00000000003E0000-0x00000000003F7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads