emotet | 0a05e728e40d80db4159ced8760ade6cc66cd1d1c3187bc389801f975ea356a5

General

Target

dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
Size

132KB
MD5

dc6697d94912ca70de32d8bd7717bd50
SHA1

1f8c869748933bc8c9a69cb25c3f0ea3f8071075
SHA256

0a05e728e40d80db4159ced8760ade6cc66cd1d1c3187bc389801f975ea356a5
SHA512

835224f4e306d911a86d647ea6c0a4d92e3ae53b5d0510a8d122c052ec576bf3f0f8b78dfb98a4d468ac6de71881756707c8ee5b56568603727a2076ba804d1b
SSDEEP

3072:fGtMGz044wJ/lvfrO9nsirVgMiNWcJZ9KzO9vgYRu9:uSGY44QHrqVrWDNWcYOZL

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	bmlreports.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmlreports.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmlreports.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E421B8E7-424E-4198-9DF5-9C376903C679}\WpadNetworkName = "Network 3"	bmlreports.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f019c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bmlreports.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E421B8E7-424E-4198-9DF5-9C376903C679}\WpadDecision = "0"	bmlreports.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bmlreports.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E421B8E7-424E-4198-9DF5-9C376903C679}\WpadDecisionReason = "1"	bmlreports.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E421B8E7-424E-4198-9DF5-9C376903C679}\WpadDecisionTime = c053f0a01e05db01	bmlreports.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-34-4d-79-7c-78\WpadDetectedUrl	bmlreports.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bmlreports.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	bmlreports.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-34-4d-79-7c-78	bmlreports.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E421B8E7-424E-4198-9DF5-9C376903C679}\92-34-4d-79-7c-78	bmlreports.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-34-4d-79-7c-78\WpadDecisionReason = "1"	bmlreports.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	bmlreports.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E421B8E7-424E-4198-9DF5-9C376903C679}	bmlreports.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	bmlreports.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-34-4d-79-7c-78\WpadDecisionTime = c053f0a01e05db01	bmlreports.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-34-4d-79-7c-78\WpadDecision = "0"	bmlreports.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	bmlreports.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	bmlreports.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2416	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
1812	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
2436	bmlreports.exe
2792	bmlreports.exe
2792	bmlreports.exe
2792	bmlreports.exe
2792	bmlreports.exe
2792	bmlreports.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1812	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1812	2416	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1812	2416	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1812	2416	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1812	2416	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2792	2436	bmlreports.exe	32
PID 2436 wrote to memory of 2792	2436	bmlreports.exe	32
PID 2436 wrote to memory of 2792	2436	bmlreports.exe	32
PID 2436 wrote to memory of 2792	2436	bmlreports.exe	32

C:\Users\Admin\AppData\Local\Temp\dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1812

C:\Windows\SysWOW64\bmlreports.exe
"C:\Windows\SysWOW64\bmlreports.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\bmlreports.exe
  "C:\Windows\SysWOW64\bmlreports.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1812-16-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/1812-15-0x0000000000110000-0x0000000000127000-memory.dmp

Filesize
92KB

Download
memory/1812-14-0x0000000000130000-0x0000000000152000-memory.dmp

Filesize
136KB

Download
memory/1812-10-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1812-6-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1812-35-0x0000000000110000-0x0000000000127000-memory.dmp

Filesize
92KB

Download
memory/2416-0-0x0000000000130000-0x0000000000152000-memory.dmp

Filesize
136KB

Download
memory/2416-13-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/2416-12-0x00000000000E0000-0x00000000000F7000-memory.dmp

Filesize
92KB

Download
memory/2416-11-0x0000000000130000-0x0000000000152000-memory.dmp

Filesize
136KB

Download
memory/2416-5-0x0000000000100000-0x0000000000117000-memory.dmp

Filesize
92KB

Download
memory/2416-1-0x0000000000100000-0x0000000000117000-memory.dmp

Filesize
92KB

Download
memory/2436-28-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/2436-32-0x0000000000130000-0x0000000000152000-memory.dmp

Filesize
136KB

Download
memory/2436-21-0x0000000000100000-0x0000000000117000-memory.dmp

Filesize
92KB

Download
memory/2436-29-0x0000000000180000-0x00000000001A2000-memory.dmp

Filesize
136KB

Download
memory/2436-27-0x0000000000090000-0x00000000000A7000-memory.dmp

Filesize
92KB

Download
memory/2436-17-0x0000000000100000-0x0000000000117000-memory.dmp

Filesize
92KB

Download
memory/2792-31-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/2792-30-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/2792-33-0x0000000000130000-0x0000000000152000-memory.dmp

Filesize
136KB

Download
memory/2792-26-0x0000000000360000-0x0000000000377000-memory.dmp

Filesize
92KB

Download
memory/2792-22-0x0000000000360000-0x0000000000377000-memory.dmp

Filesize
92KB

Download
memory/2792-36-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing