emotet | 0337c585532a4a3cbed48602fe42563e965b8d853432391633e1da888f1946e3

General

Target

ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe
Size

212KB
MD5

ff7156dcfa66a4e7094bc5c199a9da43
SHA1

ceb7c14b5638f2b6143b0fa6e9a9cc427ed7aa1f
SHA256

0337c585532a4a3cbed48602fe42563e965b8d853432391633e1da888f1946e3
SHA512

38fd76a3dac84315b92b11b94f6262cf18be78f046de77ce7228e1f3ef8c9f2162662cc6981434954d3f68176a7f67e54f4904b72800ce130d65d0aeed498a41
SSDEEP

3072:0izbxqLRv2ZCgg1y1t3QoqVePUQGTbgYd/XsLlCP2wj:0Oq55h10JQpeJGT8Yd/X8lS2u

Score

10^/10

emotet epoch1 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

187.144.236.211:443

95.219.199.225:80

125.230.36.147:443

104.236.137.72:8080

172.104.233.225:8080

213.189.36.51:8080

85.234.143.94:8080

2.38.99.79:80

200.113.106.18:80

181.135.153.203:443

201.163.74.202:443

185.86.148.222:8080

189.173.113.67:443

68.183.170.114:8080

187.190.49.92:443

181.231.62.54:80

134.209.214.126:8080

87.118.70.69:8080

47.187.70.124:443

82.196.15.205:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	groupmalert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	groupmalert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	groupmalert.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECCB368C-2ACD-4C95-8D23-3AE13CFBD4A1}\ce-8d-06-b5-65-54	groupmalert.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-8d-06-b5-65-54\WpadDecisionReason = "1"	groupmalert.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	groupmalert.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ba000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	groupmalert.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECCB368C-2ACD-4C95-8D23-3AE13CFBD4A1}\WpadDecisionTime = 604e74c6c212db01	groupmalert.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	groupmalert.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	groupmalert.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECCB368C-2ACD-4C95-8D23-3AE13CFBD4A1}\WpadDecision = "0"	groupmalert.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	groupmalert.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	groupmalert.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	groupmalert.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECCB368C-2ACD-4C95-8D23-3AE13CFBD4A1}\WpadDecisionReason = "1"	groupmalert.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECCB368C-2ACD-4C95-8D23-3AE13CFBD4A1}\WpadNetworkName = "Network 3"	groupmalert.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	groupmalert.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	groupmalert.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	groupmalert.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-8d-06-b5-65-54	groupmalert.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-8d-06-b5-65-54\WpadDecisionTime = 604e74c6c212db01	groupmalert.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-8d-06-b5-65-54\WpadDecision = "0"	groupmalert.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	groupmalert.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECCB368C-2ACD-4C95-8D23-3AE13CFBD4A1}	groupmalert.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2092	groupmalert.exe
2092	groupmalert.exe
2092	groupmalert.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2344	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2948	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe
2344	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe
2976	groupmalert.exe
2092	groupmalert.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2344	2948	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2344	2948	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2344	2948	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2344	2948	ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2092	2976	groupmalert.exe	33
PID 2976 wrote to memory of 2092	2976	groupmalert.exe	33
PID 2976 wrote to memory of 2092	2976	groupmalert.exe	33
PID 2976 wrote to memory of 2092	2976	groupmalert.exe	33

C:\Users\Admin\AppData\Local\Temp\ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\ff7156dcfa66a4e7094bc5c199a9da43_JaffaCakes118.exe
  --eeb781d1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:2344

C:\Windows\SysWOW64\groupmalert.exe
"C:\Windows\SysWOW64\groupmalert.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\groupmalert.exe
  --2a52c704
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-17-0x0000000000A20000-0x0000000000A37000-memory.dmp

Filesize
92KB

Download
memory/2344-6-0x0000000000390000-0x00000000003A7000-memory.dmp

Filesize
92KB

Download
memory/2344-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-0-0x00000000003D0000-0x00000000003E7000-memory.dmp

Filesize
92KB

Download
memory/2948-5-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2976-11-0x0000000000900000-0x0000000000917000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing