Skip to content

Latest commit

 

History

History
84 lines (63 loc) · 4.74 KB

emotet.md

File metadata and controls

84 lines (63 loc) · 4.74 KB
ID X0028
Aliases Geodo
Platforms Windows
Year 2018
Associated ATT&CK Software None

Emotet

Emotet is a banking trojan. [1]

ATT&CK Techniques

Name Use
Execution::Shared Modules (T1129) Emotet parses PE headers. [6]

Enhanced ATT&CK Techniques

Name Use
Anti-Static Analysis::Software Packing::Custom Compression (F0001.005) Emotet uses custom packers which first decrypt the loaders, and then the loaders decrypt and load Emotet's main payloads. [2]
Discovery::System Information Discovery (E1082) Emotet collects information related to OS, processes, and sometimes mail client information and sends it to C2. [2]
Persistence::Registry Run Keys / Startup Folder (F0012) To start itself at system boot, Emotet adds the downloaded payload to the registry to maintain persistence. [1]
Impact::Clipboard Modification (E1510) Emotet writes clipboard data. [6]
Name Use
Anti-Static Analysis::Software Packing::Custom Compression (F0001.005) Emotet uses custom packers which first decrypt the loaders and the loaders decrypt and load emotet's main payloads [2]
Discovery::System Information Discovery (E1082) Collects information related to os, processes, and sometimes mail client information and sends it to c2 [2]
Persistence::Registry Run Keys / Startup Folder (F0012) To start itself at system boot, emotet adds the downloaded payload to the registry to maintain persistence [1]
Impact::Clipboard Modification (E1510) Write clipboard data (this capa rule had 1 match) [6]

MBC Behaviors

Name Use
Anti-Static Analysis::Executable Code Obfuscation::Junk Code Insertion (B0032.007) Emotet macros are heavily obfuscated with junk functions and string substitutions. [1]
Cryptography::Encrypt Data::RSA (C0027.011) Emotet uses RSA to encrypt network traffic to its C2. [2]
Discovery::Analysis Tool Discovery::Process detection - Debuggers (B0013.002) If it receives a response from the C2 server stating a debugging-related tool is in the list of running processes, it receives an "upgrade" command which calls the ShellExecuteW function and exits. [3]
Anti-Behavioral Analysis::Virtual Machine Detection::Guest Process Testing (B0009.010) Emotet checks for various processes that are associated with various virtual machines by comparing hash values of the process names with the hash values of the list of running process names. [4]
Command and Control::C2 Communication::Request Email Address List (B0030.010) New email addresses are collected automatically from the victim's address books. [4]
Execution::Send Email (B0020) Spam email with the Emotet loader is sent automatically. [4]
Communication::HTTP Communication::Create Request (C0002.012) Emotet creates a HTTP request. [6]
Cryptography::Encrypt Data::RC4 (C0027.009) Emotet encrypts data using RC4 PRGA. [6]
Discovery::Code Discovery::Enumerate PE Sections (B0046.001) Emotet enumerates PE sections. [6]

Indicators of Compromise

SHA256 Hashes

  • eea5a1c7b3cc8350f8d5a95b6e2b7e3701d22cb362f8b988e815789f95c32eca

References

[1] https://cofense.com/blog/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/

[2] https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf

[3] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1

[4] https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/

[5] https://www.f-secure.com/v-descs/trojan_w32_emotet.shtml

[6] capa v4.0, analyzed at MITRE on 10/12/2022