{
	"id": "7cb298b7-d337-48bb-875b-59d9674c978c",
	"created_at": "2026-04-06T00:12:06.891098Z",
	"updated_at": "2026-04-10T13:12:09.904852Z",
	"deleted_at": null,
	"sha1_hash": "33a813a3c8b3fcab97ccc9c9015d5b793d88dc6b",
	"title": "How to Respond to Emotet Infection (FAQ) - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1536034,
	"plain_text": "How to Respond to Emotet Infection (FAQ) - JPCERT/CC Eyes\r\nBy 佐條 研 (Ken Sajo)\r\nPublished: 2019-12-03 · Archived: 2026-04-05 21:42:29 UTC\r\nSince October 2019, there has been a growing number of Emotet infection cases in Japan. JPCERT/CC issued a security alert as follows:\r\nAlert Regarding Emotet Malware Infection\r\nhttps://www.jpcert.or.jp/english/at/2019/at190044.html\r\nThe purpose of this entry is to provide instructions on how to check whether you are infected with Emotet and what you can do in case of infection (based on the information available as of December 2019). If you are not familiar with the detailed investigation methods described here, it is recommended that you consult security vendors who can assist you.\r\nWe have been informed of emails impersonating someone. What can we do?\r\nWhen a suspicious email with an attachment that impersonates someone is received, it is possible that either of the following events has occurred:\r\nA) The device that uses the sender’s account is infected with Emotet, and information about emails and the contact list has been stolen.\r\nB) Partners and users with whom you have exchanged emails have been infected with Emotet, and their contact lists have been stolen. (The recipients of the malicious email have not been infected with Emotet, but their email addresses have been added to the lists of recipients.)\r\nIf an email that quotes an actual message body (Figure 1) is received, the device that uses the sender’s email account is likely to be infected (case A).\r\nhttps://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html\r\nPage 1 of 16\n\nFigure 1: Example of Emotet email in reply to an existing thread (A)\r\nIn the case of an email as in Figure 2, it is assumed that the email was auto-generated to disguise itself as a reply to a thread. Both A) and B) can apply to this case, and it is unclear whether the device that uses the email account is infected or not.\r\nFigure 2: Example of email disguised as a reply (B)\r\nWhat can we do to check whether we are infected with Emotet or not?\r\n(Updated on 6 February, 2020)\r\nJPCERT/CC released a tool, “EmoCheck”, to check whether a device is infected with Emotet. See below for instructions.\r\n1. Check Emotet infection with EmoCheck\r\n1-1. Download EmoCheck\r\nPlease download EmoCheck from the following website and copy it to the device that is suspected of being infected. Please choose emocheck_x86.exe or emocheck_x64.exe depending on the device. (If you are not sure which to use, choose emocheck_x86.exe.)\r\nJPCERTCC/EmoCheck - GitHub\r\nNote: Since Emotet is no longer detectable, the EmoCheck service has been discontinued.\r\n1-2. Execute EmoCheck\r\nExecute the tool from the Command Prompt or PowerShell.\r\n(Note: If you execute the program by double-clicking, it will be blocked by Windows Defender SmartScreen as it does not have a code signing certificate. We are now working to rectify the issue in the next release.)\r\nIf you see the message “[!!] Detected” as follows, your device is infected with Emotet.\r\nFigure 5: Emotet infection detected by EmoCheck\r\nThe result is also exported to a .txt file in the folder where EmoCheck was executed.\r\nFigure 6: Emotet result output\r\nIf you see the message “No detection.”, your device is not infected with Emotet.\r\nFigure 7: Emotet infection not detected\r\n1-3. How to deal with the infection\r\nIf an infection has been found in your environment, you can deactivate the malware in either of the following ways:\r\nIn Explorer, open the “image path” folder shown in the EmoCheck result and delete the executable file in the folder.\r\nFigure 8: Image path that stores Emotet (example)\r\nLaunch Task Manager and, in the “Details” tab, choose the process ID that corresponds to the process shown in the EmoCheck result. Click “End Process”.\r\nFigure 9: Choose Process ID\r\nIf you are not able to confirm Emotet infection with EmoCheck, please follow the instructions below.\r\n1. Confirm with the impersonated person\r\nCheck whether the person opened the suspicious attachment and saw the messages in the sample screenshots (see Reference “The screenshots of the attached Word file”). If they have seen one of the messages, check whether macros are enabled on their device. If macros are enabled, it is possible that the device is infected with malware.\r\n2. Perform a scan with anti-virus software\r\nPerform a device scan with the latest anti-virus signatures.\r\n*Emotet has many variants, and even the latest signatures may not be able to detect an infection for a few days. No detection does not necessarily mean no infection. It is recommended to update the signatures and conduct the scan regularly.\r\n3. Check auto-start settings\r\nEmotet has several methods for maintaining persistence, such as setting auto-start registry keys and saving the payload into the Startup folder.\r\nCheck the following settings and confirm that no suspicious file or setting exists.\r\n[Typical Windows OS auto-start settings]\r\nAuto-start registry [*1]\r\nTask Scheduler\r\nService\r\nStartup folder\r\n(*1) HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n[Folders where Emotet is likely to be located]\r\nFolders under C:\\Users(username)\\AppData\\Local\\\r\nC:\\ProgramData\\\r\nC:\\Windows\\system32\\\r\nC:\\\r\nC:\\Windows\r\nC:\\Windows\\Syswow64\r\n*If there is a suspicious executable file under C:\\ProgramData\\ that is registered in the Task Scheduler, it is likely that the device is also infected with Trickbot.\r\nFigure 3: Example of Emotet registered in the auto-start registry [*1]\r\n(*Folder names and executable file names are randomly created for each device.)\r\n4. Check email server logs\r\nCheck the following points in your email server logs:\r\nHigh volume of impersonating emails whose Header From and Envelope From do not match\r\nUnusual increase in the volume of outbound emails\r\nHigh volume of emails with a Word file attachment\r\n5. Check network traffic logs\r\nIf you record/monitor outbound communication, check proxy and firewall logs for any suspicious access to multiple ports (C&C server) from a single device.\r\n[Example of ports that Emotet uses]\r\n20/TCP, 22/TCP, 80/TCP, 443/TCP, 446/TCP, 447/TCP, 449/TCP, 465/TCP, 7080/TCP, 8080/TCP, 8090/TCP, etc.\r\nFigure 4: C&C communication by Emotet (*Destination IP differs by sample)\r\nWhat can we do when we find an Emotet infection?\r\n1. Isolate the infected device, preserve evidence and investigate the affected area\r\nPreserve evidence from the infected device\r\nCheck the emails stored on the device and the email addresses in the contact list (these may have been leaked)\r\n2. Change the passwords of email accounts etc. used on the infected device\r\nEmail accounts used in Outlook and Thunderbird\r\nCredentials stored in Web browsers\r\n3. Investigate all devices in the network to which the infected device was connected\r\nCheck other devices in the network, as the malware is capable of spreading infection by lateral movement\r\nThe following TTPs have been confirmed for lateral movement:\r\nLeverage SMB vulnerability (EternalBlue)\r\nLog on to Windows network\r\nUse administrative shares\r\nRegister services\r\n4. Monitor network traffic logs\r\nMake sure that the infected device is isolated and check whether there is any other infected device\r\n5. Check for other malware infections\r\nCheck whether the infected device is also infected with other types of malware, as Emotet is capable of infecting the device with other types of malware. If this happens, further investigation and response are required.\r\nSome victims in Japan have also been infected with banking trojans such as Ursnif and Trickbot\r\nVictims overseas were also found infected with targeted ransomware\r\n6. Alert stakeholders who may also be affected (whose email addresses have been stolen by the attacker)\r\nEmails and email addresses in the contact list in case A\r\nIssue a press release if a wide range of stakeholders may be affected.\r\n7. Initialise the infected device\r\nHow can we stop emails being sent from stolen accounts?\r\nIf emails and email addresses are stolen as a result of Emotet infection, impersonating emails with a malicious attachment will be sent continuously. The stolen information (message bodies and contact lists) is collected in the attack infrastructure, and this is used to distribute malware-attached emails. There is no way to stop these emails from being sent.\r\nIt is likely that the recipients will continue to receive malware-attached emails repeatedly, or impersonating emails will be sent to the stolen contacts. Please be careful not to open suspicious email attachments. It is also recommended to perform a scan with the latest anti-virus signatures and make sure that your OS and software are running with the latest security updates.\r\nWhat impact is expected if a device is infected with Emotet?\r\nEmotet infection leads to exfiltration of emails and email addresses. Credentials stored in Web browsers can be harvested. It is also possible that the infection spreads to other devices in the network and that devices are at risk of being infected with other types of malware such as banking trojans and ransomware.\r\nWhat can we do to prevent Emotet infection?\r\nPlease refer to JPCERT/CC’s security alert for details.\r\nAlert Regarding Emotet Malware Infection\r\nhttps://www.jpcert.or.jp/english/at/2019/at190044.html\r\n(Reference) “The screenshots of the attached Word file”\r\nSince October 2019, the following six types of Word files leading to Emotet infection have been observed.\r\nFigure 5: Attached file example 1 (since 2019/11/26)\r\nFigure 6: Attached file example 2 (since 2019/10/30)\r\nFigure 7: Attached file example 3\r\nFigure 8: Attached file example 4\r\nFigure 9: Attached file example 5\r\nFigure 10: Attached file example 6\r\n- Ken Sajo\r\n(Translated by Yukako Uchida)\r\nSource: https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html"
	],
	"report_names": [
		"emotetfaq.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33a813a3c8b3fcab97ccc9c9015d5b793d88dc6b.pdf",
		"text": "https://archive.orkl.eu/33a813a3c8b3fcab97ccc9c9015d5b793d88dc6b.txt",
		"img": "https://archive.orkl.eu/33a813a3c8b3fcab97ccc9c9015d5b793d88dc6b.jpg"
	}
}