emotet | 0a05e728e40d80db4159ced8760ade6cc66cd1d1c3187bc389801f975ea356a5

General

Target

dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
Size

132KB
MD5

dc6697d94912ca70de32d8bd7717bd50
SHA1

1f8c869748933bc8c9a69cb25c3f0ea3f8071075
SHA256

0a05e728e40d80db4159ced8760ade6cc66cd1d1c3187bc389801f975ea356a5
SHA512

835224f4e306d911a86d647ea6c0a4d92e3ae53b5d0510a8d122c052ec576bf3f0f8b78dfb98a4d468ac6de71881756707c8ee5b56568603727a2076ba804d1b
SSDEEP

3072:fGtMGz044wJ/lvfrO9nsirVgMiNWcJZ9KzO9vgYRu9:uSGY44QHrqVrWDNWcYOZL

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	190.103.30.186

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelclear.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelclear.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2436	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
2436	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
4216	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
4216	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
1712	intelclear.exe
1712	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe
1760	intelclear.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4216	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 4216	2436	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe	83
PID 2436 wrote to memory of 4216	2436	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe	83
PID 2436 wrote to memory of 4216	2436	dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe	83
PID 1712 wrote to memory of 1760	1712	intelclear.exe	93
PID 1712 wrote to memory of 1760	1712	intelclear.exe	93
PID 1712 wrote to memory of 1760	1712	intelclear.exe	93

C:\Users\Admin\AppData\Local\Temp\dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc6697d94912ca70de32d8bd7717bd50_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:4216

C:\Windows\SysWOW64\intelclear.exe
"C:\Windows\SysWOW64\intelclear.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\intelclear.exe
  "C:\Windows\SysWOW64\intelclear.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-21-0x0000000001880000-0x0000000001897000-memory.dmp

Filesize
92KB

Download
memory/1712-32-0x00000000004F0000-0x0000000000512000-memory.dmp

Filesize
136KB

Download
memory/1712-22-0x0000000001860000-0x0000000001877000-memory.dmp

Filesize
92KB

Download
memory/1712-23-0x00000000018A0000-0x00000000018C0000-memory.dmp

Filesize
128KB

Download
memory/1712-17-0x0000000001880000-0x0000000001897000-memory.dmp

Filesize
92KB

Download
memory/1760-28-0x0000000001220000-0x0000000001237000-memory.dmp

Filesize
92KB

Download
memory/1760-36-0x0000000001200000-0x0000000001217000-memory.dmp

Filesize
92KB

Download
memory/1760-30-0x0000000001240000-0x0000000001260000-memory.dmp

Filesize
128KB

Download
memory/1760-37-0x00000000004F0000-0x0000000000512000-memory.dmp

Filesize
136KB

Download
memory/1760-24-0x0000000001220000-0x0000000001237000-memory.dmp

Filesize
92KB

Download
memory/1760-29-0x0000000001200000-0x0000000001217000-memory.dmp

Filesize
92KB

Download
memory/2436-0-0x00000000004F0000-0x0000000000512000-memory.dmp

Filesize
136KB

Download
memory/2436-15-0x00000000004F0000-0x0000000000512000-memory.dmp

Filesize
136KB

Download
memory/2436-16-0x0000000001230000-0x0000000001247000-memory.dmp

Filesize
92KB

Download
memory/2436-6-0x0000000001230000-0x0000000001247000-memory.dmp

Filesize
92KB

Download
memory/2436-7-0x0000000001270000-0x0000000001290000-memory.dmp

Filesize
128KB

Download
memory/2436-5-0x0000000001250000-0x0000000001267000-memory.dmp

Filesize
92KB

Download
memory/2436-1-0x0000000001250000-0x0000000001267000-memory.dmp

Filesize
92KB

Download
memory/4216-8-0x0000000000AD0000-0x0000000000AE7000-memory.dmp

Filesize
92KB

Download
memory/4216-31-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

Filesize
92KB

Download
memory/4216-13-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

Filesize
92KB

Download
memory/4216-34-0x00000000004F0000-0x0000000000512000-memory.dmp

Filesize
136KB

Download
memory/4216-35-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

Filesize
92KB

Download
memory/4216-14-0x0000000000AF0000-0x0000000000B10000-memory.dmp

Filesize
128KB

Download
memory/4216-12-0x0000000000AD0000-0x0000000000AE7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing