emotet | 7a2ff8a264c5abdfda9f649bec1fef838000f728a922ca9e938fe6c9c240ff27

General

Target

93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe
Size

180KB
MD5

93e0b7c2503a696023ea625edc7ea579
SHA1

3eaa9d87467f74d4217994ac9154bcd3add91b4d
SHA256

7a2ff8a264c5abdfda9f649bec1fef838000f728a922ca9e938fe6c9c240ff27
SHA512

23e8915f20ceefed4601ca63b9cdeba1d9025c286e603a826f6af471fbe49f7272e2622a9ea70934c0ee2dfc99713f9d8abb03ae174918a4be056baf478ae32a
SSDEEP

1536:x/Yodh1lwPLag6kMgXI4y2+XTB28cq4THu6vNxeVtgvjQQfh+Oo1auDN1AZ/X27t:xQIX4AV6vGVq84hnoJK/ay6BvueT

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	appxcabinet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	appxcabinet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	appxcabinet.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	appxcabinet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{974DB7FB-DEA0-4725-ABFC-DE14367C97F5}\WpadDecisionTime = 6079390c49b6da01	appxcabinet.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-17-ac-eb-a0-1b	appxcabinet.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{974DB7FB-DEA0-4725-ABFC-DE14367C97F5}\86-17-ac-eb-a0-1b	appxcabinet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-17-ac-eb-a0-1b\WpadDecision = "0"	appxcabinet.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	appxcabinet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-17-ac-eb-a0-1b\WpadDecisionTime = 6079390c49b6da01	appxcabinet.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	appxcabinet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	appxcabinet.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{974DB7FB-DEA0-4725-ABFC-DE14367C97F5}\WpadNetworkName = "Network 3"	appxcabinet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	appxcabinet.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	appxcabinet.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{974DB7FB-DEA0-4725-ABFC-DE14367C97F5}	appxcabinet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{974DB7FB-DEA0-4725-ABFC-DE14367C97F5}\WpadDecisionReason = "1"	appxcabinet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{974DB7FB-DEA0-4725-ABFC-DE14367C97F5}\WpadDecision = "0"	appxcabinet.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-17-ac-eb-a0-1b\WpadDecisionReason = "1"	appxcabinet.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2248	93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe
2012	93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe
2188	appxcabinet.exe
2700	appxcabinet.exe
2700	appxcabinet.exe
2700	appxcabinet.exe
2700	appxcabinet.exe
2700	appxcabinet.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2012	93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2012	2248	93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2012	2248	93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2012	2248	93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2012	2248	93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2700	2188	appxcabinet.exe	30
PID 2188 wrote to memory of 2700	2188	appxcabinet.exe	30
PID 2188 wrote to memory of 2700	2188	appxcabinet.exe	30
PID 2188 wrote to memory of 2700	2188	appxcabinet.exe	30

C:\Users\Admin\AppData\Local\Temp\93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\93e0b7c2503a696023ea625edc7ea579_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:2012

C:\Windows\SysWOW64\appxcabinet.exe
"C:\Windows\SysWOW64\appxcabinet.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\appxcabinet.exe
  "C:\Windows\SysWOW64\appxcabinet.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2012-29-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2188-19-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/2188-27-0x0000000000320000-0x0000000000337000-memory.dmp

Filesize
92KB

Download
memory/2188-18-0x0000000000320000-0x0000000000337000-memory.dmp

Filesize
92KB

Download
memory/2188-17-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/2188-13-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/2248-12-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2248-6-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/2248-0-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2248-4-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2248-5-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2700-24-0x00000000003B0000-0x00000000003C7000-memory.dmp

Filesize
92KB

Download
memory/2700-20-0x00000000003B0000-0x00000000003C7000-memory.dmp

Filesize
92KB

Download
memory/2700-26-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2700-25-0x0000000000310000-0x0000000000327000-memory.dmp

Filesize
92KB

Download
memory/2700-30-0x0000000000310000-0x0000000000327000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing