emotet | 855e2e58915abfd690b5643ec822c1d629986a88dbbea8bd7d5df56671ecdf2d

General

Target

ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
Size

368KB
MD5

ddadccb06dd3535f04acc27f0e27b855
SHA1

5c7f33dae7c5866e1efb4048b8c51f2ed9c39f26
SHA256

855e2e58915abfd690b5643ec822c1d629986a88dbbea8bd7d5df56671ecdf2d
SHA512

29b9981f1635390bb43d0b06b128867a7ba93ba117a4a7c50d6224417b09aa98235b2440ad9032c52de44a82131689942bc7119466b7a653b380e9a37fd93500
SSDEEP

6144:y64R1xbxpyndBCKQL8c/8jEpTN2KcZ/Gu2cNB:y64R1xbxMGL/8jaAZ2cN

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	convsounds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	convsounds.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3404	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
3404	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
3412	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
3412	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
4404	convsounds.exe
4404	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe
2672	convsounds.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3412	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3412	3404	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe	85
PID 3404 wrote to memory of 3412	3404	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe	85
PID 3404 wrote to memory of 3412	3404	ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe	85
PID 4404 wrote to memory of 2672	4404	convsounds.exe	91
PID 4404 wrote to memory of 2672	4404	convsounds.exe	91
PID 4404 wrote to memory of 2672	4404	convsounds.exe	91

C:\Users\Admin\AppData\Local\Temp\ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ddadccb06dd3535f04acc27f0e27b855_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:3412

C:\Windows\SysWOW64\convsounds.exe
"C:\Windows\SysWOW64\convsounds.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\convsounds.exe
  "C:\Windows\SysWOW64\convsounds.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2672-22-0x0000000000B20000-0x0000000000B37000-memory.dmp

Filesize
92KB

Download
memory/2672-26-0x0000000000B20000-0x0000000000B37000-memory.dmp

Filesize
92KB

Download
memory/3404-14-0x0000000000760000-0x0000000000777000-memory.dmp

Filesize
92KB

Download
memory/3404-5-0x0000000002230000-0x0000000002247000-memory.dmp

Filesize
92KB

Download
memory/3404-6-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/3404-1-0x0000000002230000-0x0000000002247000-memory.dmp

Filesize
92KB

Download
memory/3404-0-0x0000000000760000-0x0000000000777000-memory.dmp

Filesize
92KB

Download
memory/3412-13-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/3412-7-0x0000000002230000-0x0000000002247000-memory.dmp

Filesize
92KB

Download
memory/3412-11-0x0000000002230000-0x0000000002247000-memory.dmp

Filesize
92KB

Download
memory/3412-12-0x0000000002210000-0x0000000002227000-memory.dmp

Filesize
92KB

Download
memory/3412-28-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3412-29-0x0000000002210000-0x0000000002227000-memory.dmp

Filesize
92KB

Download
memory/4404-21-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/4404-20-0x00000000009C0000-0x00000000009D7000-memory.dmp

Filesize
92KB

Download
memory/4404-19-0x00000000009E0000-0x00000000009F7000-memory.dmp

Filesize
92KB

Download
memory/4404-15-0x00000000009E0000-0x00000000009F7000-memory.dmp

Filesize
92KB

Download
memory/4404-27-0x00000000009C0000-0x00000000009D7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing