emotet | 7ff74dfe2aea2073e698eb489a20ef687450dfce2a9b87fb588a5e9314ceeee0

General

Target

e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
Size

168KB
MD5

e36fa261697b3d09989d9f37b4eaf7b8
SHA1

f24520d28abf7755e13c11595be4d2875e7b1e8a
SHA256

7ff74dfe2aea2073e698eb489a20ef687450dfce2a9b87fb588a5e9314ceeee0
SHA512

7796c4dae8d81a86b6a3c36c4fd4fc15ba29b47ca675ab4eef55b5d76dd31f2a7c8458b43cadb2acb6191fb433090eb7203607cd3ce04e35add899492f3368d6
SSDEEP

3072:AOcwqx2eHI6ptwmAm/TnxZ7xZ2sz0CXmA/:AOheHI6ptwvOTxFHACd/

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemrowset.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemrowset.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4700	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
4700	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
3188	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
3188	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
4784	systemrowset.exe
4784	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe
1944	systemrowset.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3188	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 3188	4700	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe	82
PID 4700 wrote to memory of 3188	4700	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe	82
PID 4700 wrote to memory of 3188	4700	e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe	82
PID 4784 wrote to memory of 1944	4784	systemrowset.exe	88
PID 4784 wrote to memory of 1944	4784	systemrowset.exe	88
PID 4784 wrote to memory of 1944	4784	systemrowset.exe	88

C:\Users\Admin\AppData\Local\Temp\e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e36fa261697b3d09989d9f37b4eaf7b8_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:3188

C:\Windows\SysWOW64\systemrowset.exe
"C:\Windows\SysWOW64\systemrowset.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\SysWOW64\systemrowset.exe
  "C:\Windows\SysWOW64\systemrowset.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-33-0x0000000000E30000-0x0000000000E47000-memory.dmp

Filesize
92KB

Download
memory/1944-28-0x0000000000E70000-0x0000000000E90000-memory.dmp

Filesize
128KB

Download
memory/1944-22-0x0000000000E50000-0x0000000000E67000-memory.dmp

Filesize
92KB

Download
memory/1944-26-0x0000000000E50000-0x0000000000E67000-memory.dmp

Filesize
92KB

Download
memory/1944-27-0x0000000000E30000-0x0000000000E47000-memory.dmp

Filesize
92KB

Download
memory/3188-32-0x0000000002180000-0x0000000002197000-memory.dmp

Filesize
92KB

Download
memory/3188-13-0x00000000021C0000-0x00000000021E0000-memory.dmp

Filesize
128KB

Download
memory/3188-11-0x00000000021A0000-0x00000000021B7000-memory.dmp

Filesize
92KB

Download
memory/3188-12-0x0000000002180000-0x0000000002197000-memory.dmp

Filesize
92KB

Download
memory/3188-31-0x0000000003000000-0x0000000003033000-memory.dmp

Filesize
204KB

Download
memory/3188-7-0x00000000021A0000-0x00000000021B7000-memory.dmp

Filesize
92KB

Download
memory/3188-29-0x0000000002180000-0x0000000002197000-memory.dmp

Filesize
92KB

Download
memory/4700-14-0x00000000005D0000-0x00000000005E7000-memory.dmp

Filesize
92KB

Download
memory/4700-4-0x00000000005F0000-0x0000000000607000-memory.dmp

Filesize
92KB

Download
memory/4700-0-0x00000000005F0000-0x0000000000607000-memory.dmp

Filesize
92KB

Download
memory/4700-5-0x00000000005D0000-0x00000000005E7000-memory.dmp

Filesize
92KB

Download
memory/4700-6-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/4784-20-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download
memory/4784-30-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download
memory/4784-15-0x0000000000D10000-0x0000000000D27000-memory.dmp

Filesize
92KB

Download
memory/4784-19-0x0000000000D10000-0x0000000000D27000-memory.dmp

Filesize
92KB

Download
memory/4784-21-0x0000000000D30000-0x0000000000D50000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing