emotet | a88d8031014957d8f2bbc3d09cf48583cbcbe701b17d714d746dc3d85a8464cf

General

Target

712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
Size

132KB
MD5

712bc394783d08b87c9e2e8723d6ea38
SHA1

94057a04b6c659415b5dde9023447e672fc73726
SHA256

a88d8031014957d8f2bbc3d09cf48583cbcbe701b17d714d746dc3d85a8464cf
SHA512

a2a66d905e7811fbed6b3e8fc0d8fb99a927e19f4de9f3f72f336cf1aea8122180372f9a45bde7ecb7c7e364e6f7b67c22726c74a94798be14cb0f8cfd277fcd
SSDEEP

3072:HvxjJ/je1wTbl0qBIEwRH13C/1hLp85jVfNOiHYugSaLjzywOTpzs0+9e0XenQzS:HN1e1wTbl0qBIEwRH13C/1hLp85jVfNz

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exeaccesselement.exeaccesselement.exe

pid	process
4336	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
4336	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
1384	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
1384	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
3628	accesselement.exe
3628	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe
224	accesselement.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe

pid process

1384 712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe

pid	process
1384	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exeaccesselement.exe

description	pid	process	target process
PID 4336 wrote to memory of 1384	4336	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
PID 4336 wrote to memory of 1384	4336	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
PID 4336 wrote to memory of 1384	4336	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe	712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
PID 3628 wrote to memory of 224	3628	accesselement.exe	accesselement.exe
PID 3628 wrote to memory of 224	3628	accesselement.exe	accesselement.exe
PID 3628 wrote to memory of 224	3628	accesselement.exe	accesselement.exe

C:\Users\Admin\AppData\Local\Temp\712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\712bc394783d08b87c9e2e8723d6ea38_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1384

C:\Windows\SysWOW64\accesselement.exe
"C:\Windows\SysWOW64\accesselement.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\accesselement.exe
"C:\Windows\SysWOW64\accesselement.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/224-28-0x0000000000A60000-0x0000000000A80000-memory.dmp

Filesize
128KB

Download
memory/224-32-0x0000000000A20000-0x0000000000A39000-memory.dmp

Filesize
100KB

Download
memory/224-22-0x0000000000A40000-0x0000000000A59000-memory.dmp

Filesize
100KB

Download
memory/224-26-0x0000000000A40000-0x0000000000A59000-memory.dmp

Filesize
100KB

Download
memory/224-27-0x0000000000A20000-0x0000000000A39000-memory.dmp

Filesize
100KB

Download
memory/1384-7-0x0000000001010000-0x0000000001029000-memory.dmp

Filesize
100KB

Download
memory/1384-11-0x0000000001010000-0x0000000001029000-memory.dmp

Filesize
100KB

Download
memory/1384-12-0x0000000000FF0000-0x0000000001009000-memory.dmp

Filesize
100KB

Download
memory/1384-31-0x0000000000FF0000-0x0000000001009000-memory.dmp

Filesize
100KB

Download
memory/1384-13-0x0000000001030000-0x0000000001050000-memory.dmp

Filesize
128KB

Download
memory/1384-30-0x0000000000EA0000-0x0000000000EC3000-memory.dmp

Filesize
140KB

Download
memory/3628-15-0x0000000001650000-0x0000000001669000-memory.dmp

Filesize
100KB

Download
memory/3628-20-0x0000000000FF0000-0x0000000001009000-memory.dmp

Filesize
100KB

Download
memory/3628-29-0x0000000000FF0000-0x0000000001009000-memory.dmp

Filesize
100KB

Download
memory/3628-21-0x0000000001670000-0x0000000001690000-memory.dmp

Filesize
128KB

Download
memory/3628-19-0x0000000001650000-0x0000000001669000-memory.dmp

Filesize
100KB

Download
memory/4336-0-0x00000000024E0000-0x00000000024F9000-memory.dmp

Filesize
100KB

Download
memory/4336-6-0x00000000025F0000-0x0000000002610000-memory.dmp

Filesize
128KB

Download
memory/4336-1-0x00000000025D0000-0x00000000025E9000-memory.dmp

Filesize
100KB

Download
memory/4336-14-0x00000000024E0000-0x00000000024F9000-memory.dmp

Filesize
100KB

Download
memory/4336-5-0x00000000025D0000-0x00000000025E9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing