emotet | f5b4f89b6b1dc85c733d49b2eef0b2b23dcc1c3a2914a1f01a6b4fc651c231ec

General

Target

d991661bafa251d06be4189c13e36856_JaffaCakes118.exe
Size

348KB
MD5

d991661bafa251d06be4189c13e36856
SHA1

9ef63ef5f234c7296f5a67939624de410027755f
SHA256

f5b4f89b6b1dc85c733d49b2eef0b2b23dcc1c3a2914a1f01a6b4fc651c231ec
SHA512

a0a58043bf13688693006ba1ab990c3406afcb553927f69578f6ad8c1f1b14ff603878459b9ee0f38e7289beb97e95213672430018d9edebbee5054d28b8b649
SSDEEP

3072:alJp9tUQmCcTrslffmseKdNZO+SrEtvFkn5mhFvKR8mewZ6LhBojSC0AmYNwmLb:8ZLZ25KFO89y6L8mC0AmYNwQlzp

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdmmcdguids.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdmmcdguids.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3568	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe
3568	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe
2196	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe
2196	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe
1380	mdmmcdguids.exe
1380	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe
748	mdmmcdguids.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2196	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 2196	3568	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe	83
PID 3568 wrote to memory of 2196	3568	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe	83
PID 3568 wrote to memory of 2196	3568	d991661bafa251d06be4189c13e36856_JaffaCakes118.exe	83
PID 1380 wrote to memory of 748	1380	mdmmcdguids.exe	93
PID 1380 wrote to memory of 748	1380	mdmmcdguids.exe	93
PID 1380 wrote to memory of 748	1380	mdmmcdguids.exe	93

C:\Users\Admin\AppData\Local\Temp\d991661bafa251d06be4189c13e36856_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d991661bafa251d06be4189c13e36856_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Users\Admin\AppData\Local\Temp\d991661bafa251d06be4189c13e36856_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d991661bafa251d06be4189c13e36856_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:2196

C:\Windows\SysWOW64\mdmmcdguids.exe
"C:\Windows\SysWOW64\mdmmcdguids.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\mdmmcdguids.exe
  "C:\Windows\SysWOW64\mdmmcdguids.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-22-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/748-32-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/748-28-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/748-27-0x0000000000700000-0x000000000071A000-memory.dmp

Filesize
104KB

Download
memory/748-23-0x0000000000700000-0x000000000071A000-memory.dmp

Filesize
104KB

Download
memory/1380-19-0x00000000009D0000-0x00000000009EA000-memory.dmp

Filesize
104KB

Download
memory/1380-15-0x00000000009D0000-0x00000000009EA000-memory.dmp

Filesize
104KB

Download
memory/1380-29-0x00000000008E0000-0x00000000008FA000-memory.dmp

Filesize
104KB

Download
memory/1380-20-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/2196-12-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download
memory/2196-13-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/2196-21-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/2196-7-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/2196-8-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download
memory/2196-30-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2196-31-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/3568-0-0x00000000008E0000-0x00000000008FA000-memory.dmp

Filesize
104KB

Download
memory/3568-14-0x00000000008E0000-0x00000000008FA000-memory.dmp

Filesize
104KB

Download
memory/3568-6-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/3568-2-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download
memory/3568-5-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing