emotet | e4c250d5484cb84c9bb0932f55491edee4904997f065e7e492ae823ed5e94cfd

General

Target

b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
Size

364KB
MD5

b6befef4fe35518e6ec139eb90b549db
SHA1

1059dd200927f4da7cc4be9a182488a00e5b12ce
SHA256

e4c250d5484cb84c9bb0932f55491edee4904997f065e7e492ae823ed5e94cfd
SHA512

c11291da8b8d11c1e8daf3fcefca88573d0d027c1900c85b97cf5ac03bd3a297c7f1e05ff2a08a587f4dd17fb64f7a9b1b0cf8e20a519bbfa7ed86cd4d7efaa8
SSDEEP

6144:1y2JRLj6K2gxsKRTVJO/W5TXfU4qH9qbTebas8PZTwBM:1LJpj6UxTV8/+f00LW

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

185.234.72.64:443

51.68.220.244:8080

206.81.10.215:8080

206.189.112.148:8080

85.104.59.244:20

37.157.194.134:443

31.172.240.91:8080

87.230.19.21:8080

178.209.71.63:8080

95.128.43.213:8080

190.53.135.159:21

144.139.247.220:80

190.211.207.11:443

181.143.194.138:443

87.106.136.232:8080

200.71.148.138:8080

217.160.182.191:8080

50.116.86.205:8080

167.114.242.226:8080

46.105.131.87:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

sitkalua.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat sitkalua.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	sitkalua.exe

Modifies data under HKEY_USERS 25 IoCs

Processes:

sitkalua.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadNetworkName = "Network 3"	sitkalua.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\fe-a3-50-a3-bf-31	sitkalua.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionTime = c0d101f26ec0da01	sitkalua.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	sitkalua.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionTime = a00233ce6ec0da01	sitkalua.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDetectedUrl	sitkalua.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}	sitkalua.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionReason = "1"	sitkalua.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	sitkalua.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecision = "0"	sitkalua.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sitkalua.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31	sitkalua.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionTime = c0d101f26ec0da01	sitkalua.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	sitkalua.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	sitkalua.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecision = "0"	sitkalua.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sitkalua.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	sitkalua.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sitkalua.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionReason = "1"	sitkalua.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sitkalua.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sitkalua.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionTime = a00233ce6ec0da01	sitkalua.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sitkalua.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sitkalua.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

sitkalua.exe

pid process

2704 sitkalua.exe
2704 sitkalua.exe
2704 sitkalua.exe
2704 sitkalua.exe
2704 sitkalua.exe
2704 sitkalua.exe
2704 sitkalua.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe

pid process

2344 b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exeb6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exesitkalua.exesitkalua.exe

pid process

2880 b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
2344 b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
2052 sitkalua.exe
2704 sitkalua.exe

pid	process
2704	sitkalua.exe
2704	sitkalua.exe
2704	sitkalua.exe
2704	sitkalua.exe
2704	sitkalua.exe
2704	sitkalua.exe
2704	sitkalua.exe

pid	process
2344	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe

pid	process
2880	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
2344	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
2052	sitkalua.exe
2704	sitkalua.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exesitkalua.exe

description	pid	process	target process
PID 2880 wrote to memory of 2344	2880	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
PID 2880 wrote to memory of 2344	2880	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
PID 2880 wrote to memory of 2344	2880	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
PID 2880 wrote to memory of 2344	2880	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe	b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
PID 2052 wrote to memory of 2704	2052	sitkalua.exe	sitkalua.exe
PID 2052 wrote to memory of 2704	2052	sitkalua.exe	sitkalua.exe
PID 2052 wrote to memory of 2704	2052	sitkalua.exe	sitkalua.exe
PID 2052 wrote to memory of 2704	2052	sitkalua.exe	sitkalua.exe

C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe
--c01563a7
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\SysWOW64\sitkalua.exe
"C:\Windows\SysWOW64\sitkalua.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\sitkalua.exe
--f7bddfb6
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-11-0x00000000003E0000-0x00000000003F7000-memory.dmp

Filesize
92KB

Download
memory/2344-6-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2344-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2880-0-0x00000000003C0000-0x00000000003D7000-memory.dmp

Filesize
92KB

Download
memory/2880-5-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing