emotet | d67ffbff735113dee6060136bbe9d0f6d44a3026a2f4b57285ffeed2ce39cf61

General

Target

b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
Size

603KB
MD5

b667d95eb7bb68cb705d4e03ec3c82e0
SHA1

c8f50e51260dd21469da203fe630171695c0cd47
SHA256

d67ffbff735113dee6060136bbe9d0f6d44a3026a2f4b57285ffeed2ce39cf61
SHA512

e14bb85150bd66f43e64c309b9019a4d9536709b8c3f190fcd39609d061230315d07a02af3c6cb0e5c933af4d179dd97f3fbb196cf95897e1db8440cf00c73c3
SSDEEP

12288:BkfdhQmseiH0lXPftSfWOOOR9tQdj363A+S:BEqcftSLVQdj363A+S

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

2.38.99.79:80

98.24.231.64:80

47.156.70.145:80

37.59.24.177:8080

66.34.201.20:7080

108.179.206.219:8080

45.56.88.91:443

206.189.112.148:8080

120.150.246.241:80

190.56.255.118:80

200.71.148.138:8080

192.241.255.77:8080

211.63.71.72:8080

190.53.135.159:21

183.102.238.69:465

108.191.2.72:80

107.170.24.125:8080

167.114.242.226:8080

91.73.197.90:80

178.209.71.63:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

appidattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	appidattrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	appidattrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	appidattrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	appidattrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

appidattrib.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	appidattrib.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	appidattrib.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	appidattrib.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

appidattrib.exe

pid process

2444 appidattrib.exe
2444 appidattrib.exe
2444 appidattrib.exe
2444 appidattrib.exe
2444 appidattrib.exe
2444 appidattrib.exe
2444 appidattrib.exe
2444 appidattrib.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe

pid process

4816 b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe

pid	process
2444	appidattrib.exe
2444	appidattrib.exe
2444	appidattrib.exe
2444	appidattrib.exe
2444	appidattrib.exe
2444	appidattrib.exe
2444	appidattrib.exe
2444	appidattrib.exe

pid	process
4816	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exeb667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exeappidattrib.exeappidattrib.exe

pid	process
1744	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
1744	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
4816	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
4816	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
4580	appidattrib.exe
4580	appidattrib.exe
2444	appidattrib.exe
2444	appidattrib.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exeappidattrib.exe

description	pid	process	target process
PID 1744 wrote to memory of 4816	1744	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
PID 1744 wrote to memory of 4816	1744	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
PID 1744 wrote to memory of 4816	1744	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe	b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
PID 4580 wrote to memory of 2444	4580	appidattrib.exe	appidattrib.exe
PID 4580 wrote to memory of 2444	4580	appidattrib.exe	appidattrib.exe
PID 4580 wrote to memory of 2444	4580	appidattrib.exe	appidattrib.exe

C:\Users\Admin\AppData\Local\Temp\b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\b667d95eb7bb68cb705d4e03ec3c82e0_JaffaCakes118.exe
--72ab39cb
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\SysWOW64\appidattrib.exe
"C:\Windows\SysWOW64\appidattrib.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\appidattrib.exe
--861d9fdc
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-0-0x00000000021D0000-0x00000000021E7000-memory.dmp

Filesize
92KB

Download
memory/1744-5-0x0000000002110000-0x0000000002121000-memory.dmp

Filesize
68KB

Download
memory/2444-19-0x0000000000E70000-0x0000000000E87000-memory.dmp

Filesize
92KB

Download
memory/4580-13-0x0000000000D00000-0x0000000000D17000-memory.dmp

Filesize
92KB

Download
memory/4816-6-0x00000000021A0000-0x00000000021B7000-memory.dmp

Filesize
92KB

Download
memory/4816-11-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4816-18-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads