emotet | bd636fc134cc19ea72a62da9f15cec2852200d48b4c5092ed71aef0f0b56e084

General

Target

fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe
Size

126KB
MD5

fb73d0359f7884e6fd0599ed085c54b0
SHA1

11b1fa897ac2d4386271f5ac77a77f5b9162ad0c
SHA256

bd636fc134cc19ea72a62da9f15cec2852200d48b4c5092ed71aef0f0b56e084
SHA512

8c49354b19a6df01002e3ae7b302b82d5471792868526c6f621be9830ee1536c9ae44454f067915b5eceef56b3fea059a070781e7601e1a98c02857c5876c2d1
SSDEEP

1536:xV3Z+6UTS6VZkPuEbTKY6iYeX6GaZcgK3/VACC2yQBcNN7veO8B:xOdGPuEX/4bZcV/VACLcPT

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	agentlog.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	agentlog.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	agentlog.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	agentlog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agentlog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agentlog.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	agentlog.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	agentlog.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	agentlog.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1052	agentlog.exe
1052	agentlog.exe
1052	agentlog.exe
1052	agentlog.exe
1052	agentlog.exe
1052	agentlog.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3396	fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 3396	3732	fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe	82
PID 3732 wrote to memory of 3396	3732	fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe	82
PID 3732 wrote to memory of 3396	3732	fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe	82
PID 3620 wrote to memory of 1052	3620	agentlog.exe	84
PID 3620 wrote to memory of 1052	3620	agentlog.exe	84
PID 3620 wrote to memory of 1052	3620	agentlog.exe	84

C:\Users\Admin\AppData\Local\Temp\fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fb73d0359f7884e6fd0599ed085c54b0_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:3396

C:\Windows\SysWOW64\agentlog.exe
C:\Windows\SysWOW64\agentlog.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\agentlog.exe
  "C:\Windows\SysWOW64\agentlog.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-27-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1052-33-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/1052-23-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1052-28-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/1052-29-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/3396-12-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/3396-13-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/3396-7-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/3396-32-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/3396-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3396-11-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/3396-22-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/3620-20-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/3620-15-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/3620-19-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/3620-30-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/3620-21-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/3732-0-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download
memory/3732-1-0x00000000021C0000-0x00000000021CE000-memory.dmp

Filesize
56KB

Download
memory/3732-6-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/3732-14-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download
memory/3732-5-0x00000000021C0000-0x00000000021CE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing