emotet | 5eb04aa52a362039ab1dcaa0375179fb77accc4436b52d34098dc16f7ac20bbe

General

Target

6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
Size

207KB
MD5

6b1a55d07f9da1278d95263da7379a04
SHA1

a8a3a79284d65470ec7551ced9f1efb2f12ede33
SHA256

5eb04aa52a362039ab1dcaa0375179fb77accc4436b52d34098dc16f7ac20bbe
SHA512

db89c98a7b8fbfbdf27ee2520595a257914e1a2ac4a2bcdbbb3ac54d13a52c9de3f216365a57202ec7453fea4b9954e95f94ce9d4dfb90eda19f1fd12fbe34c3
SSDEEP

3072:wtK8sN3+yM6f0tH5KWR8iIKyVppK3kQIzltJ0WZGvZxiCcWMKj1NPjeV:wo5MyStjRDybMkQAovZx+bG1Ng

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

wordpadadmin.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wordpadadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

wordpadadmin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadNetworkName = "Network 3"	wordpadadmin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-5a-ef-ec-97-44	wordpadadmin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wordpadadmin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	wordpadadmin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}	wordpadadmin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wordpadadmin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\c6-5a-ef-ec-97-44	wordpadadmin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-5a-ef-ec-97-44\WpadDecisionReason = "1"	wordpadadmin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-5a-ef-ec-97-44\WpadDecision = "0"	wordpadadmin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wordpadadmin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wordpadadmin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wordpadadmin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wordpadadmin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wordpadadmin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecisionReason = "1"	wordpadadmin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecisionTime = 40ed800120aeda01	wordpadadmin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecision = "0"	wordpadadmin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wordpadadmin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wordpadadmin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wordpadadmin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-5a-ef-ec-97-44\WpadDecisionTime = 40ed800120aeda01	wordpadadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

wordpadadmin.exe

pid process

2668 wordpadadmin.exe
2668 wordpadadmin.exe
2668 wordpadadmin.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe

pid process

3004 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe

pid	process
2668	wordpadadmin.exe
2668	wordpadadmin.exe
2668	wordpadadmin.exe

pid	process
3004	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exewordpadadmin.exewordpadadmin.exe

pid	process
1580	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
3004	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
2612	wordpadadmin.exe
2668	wordpadadmin.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exewordpadadmin.exe

description	pid	process	target process
PID 1580 wrote to memory of 3004	1580	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
PID 1580 wrote to memory of 3004	1580	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
PID 1580 wrote to memory of 3004	1580	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
PID 1580 wrote to memory of 3004	1580	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe	6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
PID 2612 wrote to memory of 2668	2612	wordpadadmin.exe	wordpadadmin.exe
PID 2612 wrote to memory of 2668	2612	wordpadadmin.exe	wordpadadmin.exe
PID 2612 wrote to memory of 2668	2612	wordpadadmin.exe	wordpadadmin.exe
PID 2612 wrote to memory of 2668	2612	wordpadadmin.exe	wordpadadmin.exe

C:\Users\Admin\AppData\Local\Temp\6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
--81101446
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:3004

C:\Windows\SysWOW64\wordpadadmin.exe
"C:\Windows\SysWOW64\wordpadadmin.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\wordpadadmin.exe
--3b916578
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-0-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/1580-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1580-1-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2612-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2668-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3004-3-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3004-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads