emotet | 41ccfe8451e70ae90260aa63ed318cc8a749ddf556ceedb7dc9af1da34dd3c55

General

Target

de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
Size

152KB
MD5

de899b812327353e852e8beec12c0dd2
SHA1

060da2ad582ab77fcac6bdc4344334d564e980e6
SHA256

41ccfe8451e70ae90260aa63ed318cc8a749ddf556ceedb7dc9af1da34dd3c55
SHA512

fad13c41e5c902bac73095dcd73c0ee462e1cac633954470e0ba0cede34a86f0e103888770ed0129946907b0e0b89287e0ca96fb62a588f1debd2ed11c50e9ca
SSDEEP

3072:Qnt9pokq3u3675KOk7ZZi1nKQr49qScgziQuWxScnxhjf:SziNQN3SK59qHgVu8nX

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cabinetmfidl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cabinetmfidl.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4848	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
4848	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
1380	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
1380	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
4244	cabinetmfidl.exe
4244	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe
1948	cabinetmfidl.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1380	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 1380	4848	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe	83
PID 4848 wrote to memory of 1380	4848	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe	83
PID 4848 wrote to memory of 1380	4848	de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe	83
PID 4244 wrote to memory of 1948	4244	cabinetmfidl.exe	93
PID 4244 wrote to memory of 1948	4244	cabinetmfidl.exe	93
PID 4244 wrote to memory of 1948	4244	cabinetmfidl.exe	93

C:\Users\Admin\AppData\Local\Temp\de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de899b812327353e852e8beec12c0dd2_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1380

C:\Windows\SysWOW64\cabinetmfidl.exe
"C:\Windows\SysWOW64\cabinetmfidl.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\cabinetmfidl.exe
  "C:\Windows\SysWOW64\cabinetmfidl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-14-0x0000000002280000-0x00000000022A0000-memory.dmp

Filesize
128KB

Download
memory/1380-35-0x0000000002240000-0x0000000002256000-memory.dmp

Filesize
88KB

Download
memory/1380-34-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/1380-13-0x0000000002240000-0x0000000002256000-memory.dmp

Filesize
88KB

Download
memory/1380-8-0x0000000002260000-0x0000000002276000-memory.dmp

Filesize
88KB

Download
memory/1380-12-0x0000000002260000-0x0000000002276000-memory.dmp

Filesize
88KB

Download
memory/1380-24-0x0000000002240000-0x0000000002256000-memory.dmp

Filesize
88KB

Download
memory/1948-37-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/1948-36-0x0000000001400000-0x0000000001416000-memory.dmp

Filesize
88KB

Download
memory/1948-25-0x0000000001420000-0x0000000001436000-memory.dmp

Filesize
88KB

Download
memory/1948-29-0x0000000001420000-0x0000000001436000-memory.dmp

Filesize
88KB

Download
memory/1948-30-0x0000000001400000-0x0000000001416000-memory.dmp

Filesize
88KB

Download
memory/1948-31-0x0000000001BD0000-0x0000000001BF0000-memory.dmp

Filesize
128KB

Download
memory/4244-23-0x00000000010F0000-0x0000000001110000-memory.dmp

Filesize
128KB

Download
memory/4244-21-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/4244-17-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/4244-22-0x00000000010B0000-0x00000000010C6000-memory.dmp

Filesize
88KB

Download
memory/4244-33-0x00000000010B0000-0x00000000010C6000-memory.dmp

Filesize
88KB

Download
memory/4244-32-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/4848-0-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/4848-16-0x0000000002740000-0x0000000002756000-memory.dmp

Filesize
88KB

Download
memory/4848-15-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/4848-7-0x0000000002780000-0x00000000027A0000-memory.dmp

Filesize
128KB

Download
memory/4848-6-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/4848-2-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/4848-1-0x0000000002740000-0x0000000002756000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing