Field | Value
---|---
ID | X0028
Aliases | Geodo
Platforms | Windows
Year | 2018
Associated ATT&CK Software | None
Emotet is a banking trojan. [1]
ATT&CK Techniques

Name | Use
---|---
Execution::Shared Modules (T1129) | Emotet parses PE headers. [6]
Enhanced ATT&CK Techniques

Name | Use
---|---
Anti-Static Analysis::Software Packing::Custom Compression (F0001.005) | Emotet uses custom packers which first decrypt the loaders, and then the loaders decrypt and load Emotet's main payloads. [2]
Discovery::System Information Discovery (E1082) | Emotet collects information related to the OS, running processes, and sometimes the mail client, and sends it to C2. [2]
Persistence::Registry Run Keys / Startup Folder (F0012) | To start itself at system boot, Emotet adds the downloaded payload to the registry to maintain persistence. [1]
Impact::Clipboard Modification (E1510) | Emotet writes clipboard data. [6]
MBC Behaviors

Name | Use
---|---
Anti-Static Analysis::Executable Code Obfuscation::Junk Code Insertion (B0032.007) | Emotet macros are heavily obfuscated with junk functions and string substitutions. [1]
Cryptography::Encrypt Data::RSA (C0027.011) | Emotet uses RSA to encrypt network traffic to its C2. [2]
Discovery::Analysis Tool Discovery::Process detection - Debuggers (B0013.002) | If the C2 server's response indicates that a debugging-related tool is present in the list of running processes, Emotet receives an "upgrade" command, which calls the ShellExecuteW function and then exits. [3]
Anti-Behavioral Analysis::Virtual Machine Detection::Guest Process Testing (B0009.010) | Emotet checks for processes associated with virtual machines by comparing hash values of the running process names against a list of hashed process names. [4]
Command and Control::C2 Communication::Request Email Address List (B0030.010) | New email addresses are collected automatically from the victim's address books. [4]
Execution::Send Email (B0020) | Spam email carrying the Emotet loader is sent automatically. [4]
Communication::HTTP Communication::Create Request (C0002.012) | Emotet creates an HTTP request. [6]
Cryptography::Encrypt Data::RC4 (C0027.009) | Emotet encrypts data using the RC4 PRGA. [6]
Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | Emotet enumerates PE sections. [6]
SHA256 Hashes
- eea5a1c7b3cc8350f8d5a95b6e2b7e3701d22cb362f8b988e815789f95c32eca
[1] https://cofense.com/blog/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/
[2] https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
[3] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1
[4] https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/
[5] https://www.f-secure.com/v-descs/trojan_w32_emotet.shtml
[6] capa v4.0, analyzed at MITRE on 10/12/2022