emotet | 6f0c43533bca3f99699a76fcdce14e7a87290aa035e8da9180ffcfb483810e78

General

Target

82fcee092b605521ad84765368975204_JaffaCakes118.exe
Size

240KB
MD5

82fcee092b605521ad84765368975204
SHA1

6c6247c06c4924bb6a3a0745551a622948fdb35e
SHA256

6f0c43533bca3f99699a76fcdce14e7a87290aa035e8da9180ffcfb483810e78
SHA512

8dc9755d7d81f9c14c3a5abafc38f3bc405940ca6ee94ed48a0bed1c6bdb46056f004f4a728ad333afbab1bc030cad59e1bc83a6b41a87477db65cc437865897
SSDEEP

6144:s7lDAB0NEKts6sUnmWpe6vTgJQ/5867T3EovpVAN9DaYVEuBOCBuWNmT2KIZOi7e:0l0B0WKtsnWprTV

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

190.217.1.149:80

154.120.227.206:8080

45.56.79.249:443

163.172.40.218:7080

79.143.182.254:8080

190.230.60.129:8080

46.28.111.142:7080

190.182.161.7:8080

186.68.141.218:80

201.163.74.202:443

62.75.143.100:7080

200.57.102.71:8443

41.75.135.93:7080

119.159.150.176:443

46.41.151.103:8080

178.79.163.131:8080

190.10.194.42:8080

104.131.58.132:8080

200.113.106.18:80

186.15.57.7:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

lclterm.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	lclterm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	lclterm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	lclterm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	lclterm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

lclterm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	lclterm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	lclterm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	lclterm.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

lclterm.exe

pid	process
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe
1496	lclterm.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

82fcee092b605521ad84765368975204_JaffaCakes118.exe

pid process

1848 82fcee092b605521ad84765368975204_JaffaCakes118.exe

pid	process
1848	82fcee092b605521ad84765368975204_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

82fcee092b605521ad84765368975204_JaffaCakes118.exelclterm.exe

description	pid	process	target process
PID 2280 wrote to memory of 1848	2280	82fcee092b605521ad84765368975204_JaffaCakes118.exe	82fcee092b605521ad84765368975204_JaffaCakes118.exe
PID 2280 wrote to memory of 1848	2280	82fcee092b605521ad84765368975204_JaffaCakes118.exe	82fcee092b605521ad84765368975204_JaffaCakes118.exe
PID 2280 wrote to memory of 1848	2280	82fcee092b605521ad84765368975204_JaffaCakes118.exe	82fcee092b605521ad84765368975204_JaffaCakes118.exe
PID 4424 wrote to memory of 1496	4424	lclterm.exe	lclterm.exe
PID 4424 wrote to memory of 1496	4424	lclterm.exe	lclterm.exe
PID 4424 wrote to memory of 1496	4424	lclterm.exe	lclterm.exe

C:\Users\Admin\AppData\Local\Temp\82fcee092b605521ad84765368975204_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82fcee092b605521ad84765368975204_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\82fcee092b605521ad84765368975204_JaffaCakes118.exe
  --b4d2a7f2
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1848

C:\Windows\SysWOW64\lclterm.exe
"C:\Windows\SysWOW64\lclterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\lclterm.exe
  --35fb2cd7
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\151006038beb3d5e9a4e1db2e6315db6_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
50B

MD5
2219ed8c4461bbee47dc0ac045013700

SHA1
f537ff444a352845422abf004e0087645f903a44

SHA256
a2291a4fcb3343cdfad5d198bdc7dd62af09605c264681fa26ed79cecb53c01e

SHA512
74026b6cb0f530e6acc0681ac68b990ca68f7baca7244b2954799b3556ee98c88f8d63092863cd391d1851b6e10795f54252da34a5d25da3911779891f8cb822

Download Submit
memory/1496-21-0x0000000000700000-0x0000000000717000-memory.dmp

Filesize
92KB

Download
memory/1496-26-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1848-7-0x0000000000810000-0x0000000000827000-memory.dmp

Filesize
92KB

Download
memory/1848-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2280-0-0x00000000006B0000-0x00000000006C7000-memory.dmp

Filesize
92KB

Download
memory/2280-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2280-6-0x0000000000690000-0x00000000006A1000-memory.dmp

Filesize
68KB

Download
memory/4424-13-0x0000000000710000-0x0000000000727000-memory.dmp

Filesize
92KB

Download
memory/4424-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads