emotet | 854e7da2ffe2c9aa706bf7fba31b42138544b2335e76c0c205b57ce95bae80e2

General

Target

b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
Size

376KB
MD5

b0cdec47e68ed0ed86889da8292ee1e7
SHA1

9f8f7380070af99b7a5d6633cea86e151c4758ed
SHA256

854e7da2ffe2c9aa706bf7fba31b42138544b2335e76c0c205b57ce95bae80e2
SHA512

0ebbad6ffaec2dc63c3a5f499c5c32a2599790f12a15ace782f144418e7294a4a4032c81166dd6852b1fd5041a0c13421cf917765620ae91217432d242513508
SSDEEP

6144:zWKg4vCS9iocEDzogURsxLPH1wvR19SrIya/35VdRjjhowIIyK:ooc0zogUiZw518rgbvawl

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

173.247.19.238:80

174.81.132.128:80

211.44.35.111:80

165.227.156.155:443

167.99.105.223:7080

67.225.179.64:8080

176.31.200.130:8080

104.131.11.150:8080

68.118.26.116:80

190.226.44.20:21

120.150.246.241:80

92.222.216.44:8080

73.214.99.25:80

110.142.38.16:80

24.93.212.32:80

190.53.135.159:21

66.209.97.122:8080

173.91.11.142:80

100.14.117.137:80

2.237.76.249:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

trnsraw.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat trnsraw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	trnsraw.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

trnsraw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	trnsraw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	trnsraw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	trnsraw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0128000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	trnsraw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	trnsraw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FE634AF-CE7D-4DD8-91A1-23CD350740DA}\WpadDecision = "0"	trnsraw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-f9-ec-44-58-91	trnsraw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FE634AF-CE7D-4DD8-91A1-23CD350740DA}\6a-f9-ec-44-58-91	trnsraw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	trnsraw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	trnsraw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	trnsraw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FE634AF-CE7D-4DD8-91A1-23CD350740DA}\WpadNetworkName = "Network 3"	trnsraw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FE634AF-CE7D-4DD8-91A1-23CD350740DA}\WpadDecisionReason = "1"	trnsraw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FE634AF-CE7D-4DD8-91A1-23CD350740DA}\WpadDecisionTime = e0b487a880bfda01	trnsraw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-f9-ec-44-58-91\WpadDecisionReason = "1"	trnsraw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-f9-ec-44-58-91\WpadDecisionTime = e0b487a880bfda01	trnsraw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	trnsraw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	trnsraw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	trnsraw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FE634AF-CE7D-4DD8-91A1-23CD350740DA}	trnsraw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-f9-ec-44-58-91\WpadDecision = "0"	trnsraw.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

trnsraw.exe

pid process

2136 trnsraw.exe
2136 trnsraw.exe
2136 trnsraw.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe

pid process

1508 b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exeb0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exetrnsraw.exetrnsraw.exe

pid process

2356 b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
1508 b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
2996 trnsraw.exe
2136 trnsraw.exe

pid	process
2136	trnsraw.exe
2136	trnsraw.exe
2136	trnsraw.exe

pid	process
1508	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe

pid	process
2356	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
1508	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
2996	trnsraw.exe
2136	trnsraw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exetrnsraw.exe

description	pid	process	target process
PID 2356 wrote to memory of 1508	2356	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
PID 2356 wrote to memory of 1508	2356	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
PID 2356 wrote to memory of 1508	2356	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
PID 2356 wrote to memory of 1508	2356	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe	b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
PID 2996 wrote to memory of 2136	2996	trnsraw.exe	trnsraw.exe
PID 2996 wrote to memory of 2136	2996	trnsraw.exe	trnsraw.exe
PID 2996 wrote to memory of 2136	2996	trnsraw.exe	trnsraw.exe
PID 2996 wrote to memory of 2136	2996	trnsraw.exe	trnsraw.exe

C:\Users\Admin\AppData\Local\Temp\b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\b0cdec47e68ed0ed86889da8292ee1e7_JaffaCakes118.exe
--67a723fd
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\trnsraw.exe
"C:\Windows\SysWOW64\trnsraw.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\trnsraw.exe
--e070223b
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-6-0x0000000000300000-0x0000000000317000-memory.dmp

Filesize
92KB

Download
memory/1508-16-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2136-17-0x00000000003B0000-0x00000000003C7000-memory.dmp

Filesize
92KB

Download
memory/2356-0-0x00000000003C0000-0x00000000003D7000-memory.dmp

Filesize
92KB

Download
memory/2356-5-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2996-11-0x0000000000380000-0x0000000000397000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing