emotet | 67766b22aa574c3c7efa1256b4ebfe74a63040cfd7aba6759296600aa69a69ac

General

Target

c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
Size

696KB
MD5

c8122ac758c632055d8017870b951c46
SHA1

78b411b5b96ce9de40519ffc36d6d778dc39ead5
SHA256

67766b22aa574c3c7efa1256b4ebfe74a63040cfd7aba6759296600aa69a69ac
SHA512

34e4778157ebff615d6b380ec12648107de29c300cb8343df57bf77c46ce53188d06b1029b075796cdb2cd901014eab261dc2cb748928e445f38840c902d9e4c
SSDEEP

12288:AMzCEh70HZRYuqmQiLPa3LVJgmhMYU31:rhXgH

Score

10^/10

emotet epoch2 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

148.72.151.34:8080

37.187.2.199:443

173.249.47.77:8080

62.75.187.192:8080

181.143.194.138:443

133.167.80.63:7080

182.176.132.213:8090

37.157.194.134:443

152.89.236.214:8080

86.98.25.30:53

144.139.247.220:80

47.41.213.2:22

31.12.67.62:7080

83.136.245.190:8080

87.106.136.232:8080

178.210.51.222:8080

92.222.216.44:8080

159.65.25.128:8080

94.177.216.217:8080

182.76.6.2:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cplsdevice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cplsdevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cplsdevice.exe

Modifies data under HKEY_USERS 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	cplsdevice.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cplsdevice.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0092000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cplsdevice.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}	cplsdevice.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadDecisionTime = 8001cc16bbf9da01	cplsdevice.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cplsdevice.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\52-1b-c5-8d-86-5d	cplsdevice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d\WpadDetectedUrl	cplsdevice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	cplsdevice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cplsdevice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	cplsdevice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadDecisionReason = "1"	cplsdevice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadDecision = "0"	cplsdevice.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d\WpadDecisionTime = 8001cc16bbf9da01	cplsdevice.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0092000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cplsdevice.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadDecisionTime = 60e26453bbf9da01	cplsdevice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cplsdevice.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d	cplsdevice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d\WpadDecisionReason = "1"	cplsdevice.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d\WpadDecisionTime = 60e26453bbf9da01	cplsdevice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cplsdevice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	cplsdevice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	cplsdevice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadNetworkName = "Network 3"	cplsdevice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d\WpadDecision = "0"	cplsdevice.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2588	cplsdevice.exe
2588	cplsdevice.exe
2588	cplsdevice.exe
2588	cplsdevice.exe
2588	cplsdevice.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2816	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2692	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
2692	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
2816	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
2816	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
2828	cplsdevice.exe
2828	cplsdevice.exe
2588	cplsdevice.exe
2588	cplsdevice.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2816	2692	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2816	2692	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2816	2692	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2816	2692	c8122ac758c632055d8017870b951c46_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2588	2828	cplsdevice.exe	33
PID 2828 wrote to memory of 2588	2828	cplsdevice.exe	33
PID 2828 wrote to memory of 2588	2828	cplsdevice.exe	33
PID 2828 wrote to memory of 2588	2828	cplsdevice.exe	33

C:\Users\Admin\AppData\Local\Temp\c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8122ac758c632055d8017870b951c46_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\c8122ac758c632055d8017870b951c46_JaffaCakes118.exe
  --b4d24cd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:2816

C:\Windows\SysWOW64\cplsdevice.exe
"C:\Windows\SysWOW64\cplsdevice.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\cplsdevice.exe
  --1566f51c
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2588-17-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/2692-5-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/2692-1-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2816-7-0x0000000000270000-0x0000000000287000-memory.dmp

Filesize
92KB

Download
memory/2816-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2828-11-0x0000000000920000-0x0000000000937000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing