emotet | 2d6da1ee3dd683a450b88e9b0ff4884373ed0a94c005e8950c1d2e8c8312d1e6

General

Target

e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe
Size

111KB
MD5

e89f80d91dc3bc0e6df1133d993e0921
SHA1

0fa6bbcb7501d3e77673ed812655968c27b1b4d2
SHA256

2d6da1ee3dd683a450b88e9b0ff4884373ed0a94c005e8950c1d2e8c8312d1e6
SHA512

7d9f8cbf1b61cd66d5d246312c6e05f857290ebba3246faf31b2f3a79c8ad407515e243dbcd995b627a796b6ad9a578775ce0ef84b470d4366d3fd5c3cc4f637
SSDEEP

3072:M34+t0OtbkB68SMMvX6aVQ1VBLdR7RAlc0:v+Z8SMMvX6aVQldKc0

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	windowdhcp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	windowdhcp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	windowdhcp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	windowdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowdhcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowdhcp.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	windowdhcp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	windowdhcp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	windowdhcp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1176	windowdhcp.exe
1176	windowdhcp.exe
1176	windowdhcp.exe
1176	windowdhcp.exe
1176	windowdhcp.exe
1176	windowdhcp.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4160	e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4160	4560	e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe	89
PID 4560 wrote to memory of 4160	4560	e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe	89
PID 4560 wrote to memory of 4160	4560	e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe	89
PID 1444 wrote to memory of 1176	1444	windowdhcp.exe	97
PID 1444 wrote to memory of 1176	1444	windowdhcp.exe	97
PID 1444 wrote to memory of 1176	1444	windowdhcp.exe	97

C:\Users\Admin\AppData\Local\Temp\e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e89f80d91dc3bc0e6df1133d993e0921_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
1⤵
PID:2788

C:\Windows\SysWOW64\windowdhcp.exe
C:\Windows\SysWOW64\windowdhcp.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\windowdhcp.exe
  "C:\Windows\SysWOW64\windowdhcp.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-27-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/1176-33-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/1176-23-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/1176-28-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/1176-29-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/1444-20-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/1444-21-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/1444-30-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1444-15-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1444-16-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/4160-11-0x00000000008C0000-0x00000000008CE000-memory.dmp

Filesize
56KB

Download
memory/4160-7-0x00000000008C0000-0x00000000008CE000-memory.dmp

Filesize
56KB

Download
memory/4160-13-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/4160-22-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/4160-12-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/4160-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4160-32-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/4560-6-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/4560-14-0x00000000009F0000-0x00000000009FE000-memory.dmp

Filesize
56KB

Download
memory/4560-0-0x00000000021B0000-0x00000000021BE000-memory.dmp

Filesize
56KB

Download
memory/4560-4-0x00000000021B0000-0x00000000021BE000-memory.dmp

Filesize
56KB

Download
memory/4560-5-0x00000000009F0000-0x00000000009FE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing