emotet | 67e215d00bc82ece78aefacc35df1caa48f235efe82a25d7be9f7d5a265ae7ff

General

Target

ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
Size

572KB
MD5

ccfb2c8d1067f344c8641be9a94a5b4f
SHA1

3ba4446053b3cb0c192d476df06e28ae3f6d6685
SHA256

67e215d00bc82ece78aefacc35df1caa48f235efe82a25d7be9f7d5a265ae7ff
SHA512

c1164eb47bc878e4ade62f01fcc7cd32af3f9b17f6bd08194301b824fccd3a576e33c10aa9ac3490e34255a9b748798c6e1c5f6146ccbef3e28d3adf665b9234
SSDEEP

6144:XLOYXpa/ummNl/C5lXS/U6zJjSOd77yPZ5qxSorTCQ2z07517kBebS9ZuXCxnS9d:X6ummjiX6B+PZC+OLyZZS9rVFnF

Score

10^/10

emotet epoch3 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

200.41.121.69:443

153.190.41.185:80

165.100.148.200:443

103.9.145.19:8080

46.105.128.215:8080

172.105.213.30:80

69.30.205.162:7080

172.104.70.207:8080

198.57.217.170:8080

103.122.75.218:80

212.112.113.235:80

113.52.135.33:7080

60.53.3.153:8080

1.32.54.12:8080

142.93.87.198:8080

91.117.31.181:80

45.129.121.222:443

186.215.101.106:80

143.95.101.72:8080

187.233.220.93:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mailboxwiz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mailboxwiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mailboxwiz.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mailboxwiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mailboxwiz.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1AC2F265-B442-43F5-8E47-06464681C054}	mailboxwiz.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a7-58-91-26-d4\WpadDecisionTime = 70d55e7bb2fbda01	mailboxwiz.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mailboxwiz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mailboxwiz.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mailboxwiz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1AC2F265-B442-43F5-8E47-06464681C054}\WpadNetworkName = "Network 3"	mailboxwiz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mailboxwiz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mailboxwiz.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0187000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mailboxwiz.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1AC2F265-B442-43F5-8E47-06464681C054}\WpadDecisionTime = 70d55e7bb2fbda01	mailboxwiz.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a7-58-91-26-d4	mailboxwiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a7-58-91-26-d4\WpadDecision = "0"	mailboxwiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mailboxwiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mailboxwiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1AC2F265-B442-43F5-8E47-06464681C054}\WpadDecision = "0"	mailboxwiz.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1AC2F265-B442-43F5-8E47-06464681C054}\36-a7-58-91-26-d4	mailboxwiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a7-58-91-26-d4\WpadDecisionReason = "1"	mailboxwiz.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mailboxwiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1AC2F265-B442-43F5-8E47-06464681C054}\WpadDecisionReason = "1"	mailboxwiz.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2752	mailboxwiz.exe
2752	mailboxwiz.exe
2752	mailboxwiz.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2468	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2808	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
2808	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
2468	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
2468	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
2936	mailboxwiz.exe
2936	mailboxwiz.exe
2752	mailboxwiz.exe
2752	mailboxwiz.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2468	2808	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2468	2808	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2468	2808	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2468	2808	ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2752	2936	mailboxwiz.exe	32
PID 2936 wrote to memory of 2752	2936	mailboxwiz.exe	32
PID 2936 wrote to memory of 2752	2936	mailboxwiz.exe	32
PID 2936 wrote to memory of 2752	2936	mailboxwiz.exe	32

C:\Users\Admin\AppData\Local\Temp\ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\ccfb2c8d1067f344c8641be9a94a5b4f_JaffaCakes118.exe
  --df632b2e
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:2468

C:\Windows\SysWOW64\mailboxwiz.exe
"C:\Windows\SysWOW64\mailboxwiz.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\mailboxwiz.exe
  --8d2cb466
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-6-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2468-16-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2752-17-0x00000000008F0000-0x0000000000907000-memory.dmp

Filesize
92KB

Download
memory/2808-1-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2808-0-0x0000000000630000-0x0000000000647000-memory.dmp

Filesize
92KB

Download
memory/2936-11-0x0000000000390000-0x00000000003A7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing