Emotet Banking Trojan 2017-08-14 MalSpam

Subject: #413467 Invoice Notice

I have added the zipped pcap files for your analysis. The password for each zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-08-14-Emotet1-pcap.zip
2017-08-14-Emotet2-pcap.zip


Shown above: Email with a link to the macro-enabled Word document that begins the infection chain.


Shown above: Macro-enabled Word document that leads to the download and installation of the Emotet banking trojan.


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 108.174.202.34 – seodrama.com GET /QJIL662797/ – Macro Word Doc
  • 208.113.163.189 – trevorcameron.com GET /LSnmkxT/ – Emotet Download
  • 77.244.245.37 – Port 7080 POST / – Emotet C2
  • 192.81.212.79 – Port 443 – Emotet C2
  • 168.235.85.153 – Port 443 – Emotet C2
  • 167.114.229.71 – Port 7080 POST / – Emotet C2
  • 77.73.1.167 – Port 7080 POST / – Emotet C2
  • 104.236.252.178 – Port 8080 – SYN sent, RST,ACK returned (connection refused)
  • 173.212.192.45 – Port 8080 – SYN sent, RST,ACK returned (connection refused)
  • 103.16.131.20 – Port 8080 – SYN sent, RST,ACK returned (connection refused)
  • 195.78.33.200 – Port 8080 – SYN sent, RST,ACK returned (connection refused)
  • 5.189.134.30 – Port 8080 – SYN sent, RST,ACK returned (connection refused)
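The indicator list above is most useful when it is turned into something that can be run against logs. The following is an added example, not code from the original post: it transcribes the IPs, ports, hosts and URI paths listed above into a small indicator table, matches a constructed proxy/connection log against it, rebuilds the order of the infection chain from the hits, and emits placeholder Suricata rules for the same indicators. Assumptions not stated on the page: the two HTTP GETs used TCP port 80, the log line format is invented for this example, and the Suricata SIDs starting at 9000001 are placeholders.

```python
# Added example (not from the original post): match log lines against the
# Emotet indicators listed above and rebuild the infection chain in log order.
# Assumptions not on the page: the HTTP GETs used TCP/80, the log format below
# is constructed for this example, and SIDs 9000001+ are placeholders.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: int
    stage: str
    host: str = ""   # HTTP Host, where the page lists one
    path: str = ""   # URI path, where the page lists one


# Indicators transcribed from the list above (port 80 assumed for the GETs).
INDICATORS = (
    Indicator("108.174.202.34", 80, "macro Word document download", "seodrama.com", "/QJIL662797/"),
    Indicator("208.113.163.189", 80, "Emotet payload download", "trevorcameron.com", "/LSnmkxT/"),
    Indicator("77.244.245.37", 7080, "Emotet C2 POST"),
    Indicator("192.81.212.79", 443, "Emotet C2 over TLS"),
    Indicator("168.235.85.153", 443, "Emotet C2 over TLS"),
    Indicator("167.114.229.71", 7080, "Emotet C2 POST"),
    Indicator("77.73.1.167", 7080, "Emotet C2 POST"),
) + tuple(
    Indicator(ip, 8080, "Emotet C2 attempt, connection refused")
    for ip in ("104.236.252.178", "173.212.192.45", "103.16.131.20",
               "195.78.33.200", "5.189.134.30")
)

# Constructed log format: "<ts> <src> -> <dst>:<port> GET|POST <url>" for HTTP
# and "<ts> <src> -> <dst>:<port> TCP <state>" for bare TCP connections.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<kind>GET|POST|TCP) (?P<detail>\S+)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/.*)?$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["host"] = ev["path"] = ""
    if ev["kind"] in ("GET", "POST"):
        u = URL_RE.match(ev["detail"])
        if u:
            ev["host"] = u.group("host").lower()
            ev["path"] = u.group("path") or "/"
    return ev


def match_indicator(ev):
    """Return the first indicator whose IP/port (and host+path, if listed) fit the event."""
    for ind in INDICATORS:
        if (ev["dst"], ev["port"]) != (ind.ip, ind.port):
            continue
        if ind.host and (ev["host"] != ind.host or not ev["path"].startswith(ind.path)):
            continue
        return ind
    return None


def infection_chain(lines):
    """List of (timestamp, stage) for every line that hits an indicator, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ind = match_indicator(ev)
        if ind is not None:
            hits.append((ev["ts"], ind.stage))
    return hits


def suricata_rules(first_sid=9000001):
    """One Suricata rule per indicator; SIDs are placeholders, not official ones."""
    rules = []
    for n, ind in enumerate(INDICATORS):
        rules.append(
            f"alert tcp any any -> {ind.ip} {ind.port} "
            f'(msg:"Emotet 2017-08-14 {ind.stage}"; flow:to_server; '
            f"sid:{first_sid + n}; rev:1;)"
        )
    return rules


# Constructed sample log, not taken from the pcaps.
SAMPLE_LOG = """
2017-08-14T13:00:01 10.0.0.5 -> 108.174.202.34:80 GET http://seodrama.com/QJIL662797/
2017-08-14T13:00:09 10.0.0.5 -> 208.113.163.189:80 GET http://trevorcameron.com/LSnmkxT/
2017-08-14T13:00:20 10.0.0.5 -> 77.244.245.37:7080 POST http://77.244.245.37:7080/
2017-08-14T13:00:25 10.0.0.5 -> 104.236.252.178:8080 TCP refused
2017-08-14T13:00:40 10.0.0.5 -> 93.184.216.34:80 GET http://example.com/
""".strip().splitlines()

if __name__ == "__main__":
    for ts, stage in infection_chain(SAMPLE_LOG):
        print(ts, stage)
```

The host and path check matters for the two HTTP indicators: a shared hosting IP such as the one behind seodrama.com may serve unrelated sites, so a hit on IP and port alone would be a weak signal; the C2 entries, which the page lists only by IP and port, are matched on those two fields.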


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Emotet Banking Trojan on the first infection attempt.


Shown above: HTTP network traffic associated with the Emotet Banking Trojan on the second infection attempt.


Shown above: SSL and C2 connection attempts associated with the Emotet Banking Trojan on the second infection attempt.


Shown above: Post-infection traffic associated with the Emotet Banking Trojan.


MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM: