emotet | 67001f1c08635f7e1b60359d7a6d9cb434609ba706c46bb976692958cc7ff3ef

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
Size

244KB
MD5

0be35bf9a73b075168b115383cc3820b
SHA1

007f47a16f2eab9393791a2b2e3df312acad185e
SHA256

67001f1c08635f7e1b60359d7a6d9cb434609ba706c46bb976692958cc7ff3ef
SHA512

0a521db060fbe97d316e32fabc655e7a2bc80b31116ffe2501e8f87b292f135b2486204444af6e6e915c0b04c0cc82508a3e101201a150cde104341c92a33153
SSDEEP

3072:/6nl1RuGUvgeg55WRYrp3s9W3Heu65IZwC/6:yn7rUvTGBp3qW3Heij/6

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

jerseyrepl.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat jerseyrepl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	jerseyrepl.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

jerseyrepl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	jerseyrepl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	jerseyrepl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	jerseyrepl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3E05670-F19B-4608-B407-BAF8EC595068}\4e-54-96-12-e1-d8	jerseyrepl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-54-96-12-e1-d8\WpadDecisionReason = "1"	jerseyrepl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	jerseyrepl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	jerseyrepl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	jerseyrepl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-54-96-12-e1-d8\WpadDecision = "0"	jerseyrepl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	jerseyrepl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3E05670-F19B-4608-B407-BAF8EC595068}\WpadDecision = "0"	jerseyrepl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-54-96-12-e1-d8	jerseyrepl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	jerseyrepl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	jerseyrepl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	jerseyrepl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3E05670-F19B-4608-B407-BAF8EC595068}	jerseyrepl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3E05670-F19B-4608-B407-BAF8EC595068}\WpadDecisionReason = "1"	jerseyrepl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3E05670-F19B-4608-B407-BAF8EC595068}\WpadDecisionTime = a0142df7a1c6da01	jerseyrepl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3E05670-F19B-4608-B407-BAF8EC595068}\WpadNetworkName = "Network 3"	jerseyrepl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-54-96-12-e1-d8\WpadDecisionTime = a0142df7a1c6da01	jerseyrepl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	jerseyrepl.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exejerseyrepl.exejerseyrepl.exe

pid	process
2076	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
2308	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
2976	jerseyrepl.exe
3028	jerseyrepl.exe
3028	jerseyrepl.exe
3028	jerseyrepl.exe
3028	jerseyrepl.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe

pid process

2308 0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
Suspicious use of UnmapMainImage 4 IoCs

Processes:

0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exejerseyrepl.exejerseyrepl.exe

pid process

2076 0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
2308 0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
2976 jerseyrepl.exe
3028 jerseyrepl.exe

pid	process
2308	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exejerseyrepl.exe

description	pid	process	target process
PID 2076 wrote to memory of 2308	2076	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
PID 2076 wrote to memory of 2308	2076	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
PID 2076 wrote to memory of 2308	2076	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
PID 2076 wrote to memory of 2308	2076	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe	0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
PID 2976 wrote to memory of 3028	2976	jerseyrepl.exe	jerseyrepl.exe
PID 2976 wrote to memory of 3028	2976	jerseyrepl.exe	jerseyrepl.exe
PID 2976 wrote to memory of 3028	2976	jerseyrepl.exe	jerseyrepl.exe
PID 2976 wrote to memory of 3028	2976	jerseyrepl.exe	jerseyrepl.exe

C:\Users\Admin\AppData\Local\Temp\0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0be35bf9a73b075168b115383cc3820b_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:2308

C:\Windows\SysWOW64\jerseyrepl.exe
"C:\Windows\SysWOW64\jerseyrepl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\jerseyrepl.exe
"C:\Windows\SysWOW64\jerseyrepl.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-0-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/2076-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2076-4-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/2308-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2308-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2308-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2976-6-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download