emotet | 105621308da39fce8b0d745cdccd592867d5084b4a7c2b9e31bbbfd912bb12f6

General

Target

d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
Size

132KB
MD5

d53561bc250a8df21c55d281333c53c2
SHA1

b2dcbed70e532d3f5ccadb7d6b12ca0a3a503b93
SHA256

105621308da39fce8b0d745cdccd592867d5084b4a7c2b9e31bbbfd912bb12f6
SHA512

0cad4886729121ea6f8112ad63b9c49529afcebf06f1702e6478d22722857db6f171eb9e2919b36cf0962067e1d4921cb9aa71c0960247d63c6736f173f1f2ec
SSDEEP

3072:LHDv/Dl8pso19eRgoenWp54iF5WpS8hdiNYXpFOeGFs:LHfl8WoTzoeWf4Y5sS8ziNy

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hexaelement.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hexaelement.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1364	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
1364	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
4276	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
4276	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
3256	hexaelement.exe
3256	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe
2112	hexaelement.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1364	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
4276	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
3256	hexaelement.exe
2112	hexaelement.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4276	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4276	1364	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe	83
PID 1364 wrote to memory of 4276	1364	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe	83
PID 1364 wrote to memory of 4276	1364	d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe	83
PID 3256 wrote to memory of 2112	3256	hexaelement.exe	85
PID 3256 wrote to memory of 2112	3256	hexaelement.exe	85
PID 3256 wrote to memory of 2112	3256	hexaelement.exe	85

C:\Users\Admin\AppData\Local\Temp\d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d53561bc250a8df21c55d281333c53c2_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: RenamesItself
  PID:4276

C:\Windows\SysWOW64\hexaelement.exe
"C:\Windows\SysWOW64\hexaelement.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\hexaelement.exe
  "C:\Windows\SysWOW64\hexaelement.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1364-0-0x0000000001080000-0x0000000001099000-memory.dmp

Filesize
100KB

Download
memory/1364-1-0x00000000010A0000-0x00000000010B9000-memory.dmp

Filesize
100KB

Download
memory/1364-6-0x0000000001490000-0x00000000014B0000-memory.dmp

Filesize
128KB

Download
memory/1364-5-0x00000000010A0000-0x00000000010B9000-memory.dmp

Filesize
100KB

Download
memory/1364-14-0x0000000001080000-0x0000000001099000-memory.dmp

Filesize
100KB

Download
memory/2112-32-0x0000000000670000-0x0000000000689000-memory.dmp

Filesize
100KB

Download
memory/2112-23-0x0000000000670000-0x0000000000689000-memory.dmp

Filesize
100KB

Download
memory/2112-28-0x00000000007D0000-0x00000000007F0000-memory.dmp

Filesize
128KB

Download
memory/2112-27-0x00000000007B0000-0x00000000007C9000-memory.dmp

Filesize
100KB

Download
memory/2112-22-0x00000000007B0000-0x00000000007C9000-memory.dmp

Filesize
100KB

Download
memory/3256-19-0x0000000000F30000-0x0000000000F49000-memory.dmp

Filesize
100KB

Download
memory/3256-15-0x0000000000F30000-0x0000000000F49000-memory.dmp

Filesize
100KB

Download
memory/3256-20-0x0000000000DF0000-0x0000000000E09000-memory.dmp

Filesize
100KB

Download
memory/3256-21-0x00000000015A0000-0x00000000015C0000-memory.dmp

Filesize
128KB

Download
memory/3256-29-0x0000000000DF0000-0x0000000000E09000-memory.dmp

Filesize
100KB

Download
memory/4276-7-0x0000000000FA0000-0x0000000000FB9000-memory.dmp

Filesize
100KB

Download
memory/4276-12-0x0000000000F80000-0x0000000000F99000-memory.dmp

Filesize
100KB

Download
memory/4276-13-0x0000000000FC0000-0x0000000000FE0000-memory.dmp

Filesize
128KB

Download
memory/4276-30-0x0000000000F50000-0x0000000000F73000-memory.dmp

Filesize
140KB

Download
memory/4276-31-0x0000000000F80000-0x0000000000F99000-memory.dmp

Filesize
100KB

Download
memory/4276-11-0x0000000000FA0000-0x0000000000FB9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing