emotet | efd9f27dc06fe39568ed2123ce4ac69c696fa62eec9e5ce60f6e5b6f4a0eac7b

General

Target

e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
Size

168KB
MD5

e4e52cd9f6d6be97ee805def0c8644ed
SHA1

1fbbd6d4decb102e15f8c3e545d06a2006e8ef08
SHA256

efd9f27dc06fe39568ed2123ce4ac69c696fa62eec9e5ce60f6e5b6f4a0eac7b
SHA512

de83b6dc3d7cd8e42ddfb3468e2803e5b75c17d03dc4c9d5c63210a74d5263a7875ceeffa7d8a2a80a9bb2e29fa6e868d9376f9ed2f8a00411dbe0a958cecb75
SSDEEP

3072:IWVPtoludJgQz2SDKTR/VS4k5/0lUWY86bIWLLNrme/1Z:XVleugGLZ4Kd

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jerseyrepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jerseyrepl.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4800	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
4800	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
4700	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
4700	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
4108	jerseyrepl.exe
4108	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe
1432	jerseyrepl.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4700	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4700	4800	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe	82
PID 4800 wrote to memory of 4700	4800	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe	82
PID 4800 wrote to memory of 4700	4800	e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe	82
PID 4108 wrote to memory of 1432	4108	jerseyrepl.exe	88
PID 4108 wrote to memory of 1432	4108	jerseyrepl.exe	88
PID 4108 wrote to memory of 1432	4108	jerseyrepl.exe	88

C:\Users\Admin\AppData\Local\Temp\e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e4e52cd9f6d6be97ee805def0c8644ed_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:4700

C:\Windows\SysWOW64\jerseyrepl.exe
"C:\Windows\SysWOW64\jerseyrepl.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\jerseyrepl.exe
  "C:\Windows\SysWOW64\jerseyrepl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-29-0x0000000000D40000-0x0000000000D5A000-memory.dmp

Filesize
104KB

Download
memory/1432-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1432-36-0x0000000000D20000-0x0000000000D3A000-memory.dmp

Filesize
104KB

Download
memory/1432-25-0x0000000000D40000-0x0000000000D5A000-memory.dmp

Filesize
104KB

Download
memory/1432-30-0x0000000000D20000-0x0000000000D3A000-memory.dmp

Filesize
104KB

Download
memory/1432-31-0x0000000000D60000-0x0000000000D80000-memory.dmp

Filesize
128KB

Download
memory/4108-21-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/4108-22-0x0000000000780000-0x000000000079A000-memory.dmp

Filesize
104KB

Download
memory/4108-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4108-23-0x00000000007C0000-0x00000000007E0000-memory.dmp

Filesize
128KB

Download
memory/4108-17-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/4700-9-0x00000000008B0000-0x00000000008CA000-memory.dmp

Filesize
104KB

Download
memory/4700-35-0x00000000008B0000-0x00000000008CA000-memory.dmp

Filesize
104KB

Download
memory/4700-24-0x00000000008B0000-0x00000000008CA000-memory.dmp

Filesize
104KB

Download
memory/4700-8-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/4700-13-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/4700-14-0x00000000008F0000-0x0000000000910000-memory.dmp

Filesize
128KB

Download
memory/4700-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4800-16-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/4800-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4800-5-0x0000000000730000-0x000000000074A000-memory.dmp

Filesize
104KB

Download
memory/4800-6-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/4800-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4800-7-0x0000000000750000-0x0000000000770000-memory.dmp

Filesize
128KB

Download
memory/4800-1-0x0000000000730000-0x000000000074A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing