Malware Analysis Report

2025-01-03 05:59

Sample ID 240426-24dy4seh2t
Target 01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118
SHA256 2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958
Tags
emotet epoch3 banker trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958

Threat Level: Known bad

The file 01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch3 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 23:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 23:07

Reported

2024-04-26 23:10

Platform

win7-20240419-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"

C:\Windows\SysWOW64\rpchttp\dmdlgs.exe

"C:\Windows\SysWOW64\rpchttp\dmdlgs.exe"

Network

Country | Destination | Domain | Proto
JP | 49.243.9.118:80 | - | tcp
JP | 49.243.9.118:80 | - | tcp
US | 162.241.41.111:7080 | - | tcp
US | 162.241.41.111:7080 | - | tcp
CO | 190.85.46.52:7080 | - | tcp
CO | 190.85.46.52:7080 | - | tcp
US | 162.144.42.60:8080 | - | tcp

Files

memory/1824-7-0x00000000002D0000-0x00000000002DF000-memory.dmp

memory/1824-4-0x0000000000300000-0x0000000000310000-memory.dmp

memory/1824-0-0x00000000002E0000-0x00000000002F2000-memory.dmp

memory/1824-9-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\rpchttp\dmdlgs.exe

MD5 01df36c8891a9ce3570cad7f06bc2914
SHA1 8fb82853c826f20245bba22edcb0d963ef04f624
SHA256 2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958
SHA512 66636dc4f45898d8aa2fd1aabf6f027fd4a47dcbba2c62fa9246207a6e8a86c0ca5c40e8f5ecf76e5625ab97755b76e3f169167d3a3b0a582f6dcda7f8d7e8e3

The dropped file's hashes are identical to those of the submitted sample: the executable copied itself byte-for-byte into this directory rather than writing a decoded second stage, so the sample's own SHA256 is the indicator to hunt for on disk.

memory/2556-14-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2556-10-0x00000000003D0000-0x00000000003E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 23:07

Reported

2024-04-26 23:10

Platform

win10v2004-20240419-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\itircl\netlogon.exe | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"

C:\Windows\SysWOW64\itircl\netlogon.exe

"C:\Windows\SysWOW64\itircl\netlogon.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
JP | 49.243.9.118:80 | - | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 162.241.41.111:7080 | - | tcp
CO | 190.85.46.52:7080 | - | tcp
US | 162.144.42.60:8080 | - | tcp
US | 157.245.138.101:7080 | - | tcp
IN | 103.133.66.57:443 | - | tcp
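The two Network tables above are the most reusable output of this report. The following is an added example, not part of the sandbox report or its tooling: it turns the TCP destinations from behavioral1 and behavioral2 into an IOC set, parses a constructed firewall-style log (format and addresses are assumptions; 192.0.2.x and 203.0.113.x are documentation ranges), and flags two things separately: exact IOC matches, and the weaker heuristic of a raw-IP TCP session on 7080 or 8080, the ports that recur in this report's C2 list, with no DNS lookup behind it. The g.bing.com resolutions in behavioral2 are treated as Windows background traffic rather than sample activity; that reading is the editor's, not the report's. Note that two of the report's destinations (49.243.9.118:80 and 103.133.66.57:443) use ordinary web ports and would not be caught by the port heuristic alone, which is why the exact IOC set is kept.

```python
"""Match outbound connections against the C2 destinations observed in the
two detonations, plus a port-based heuristic for sessions to addresses the
report does not list.  Added example; log lines are constructed."""
import re

# TCP destinations from the report's behavioral1 and behavioral2 tables.
REPORT_C2 = {
    ("49.243.9.118", 80),
    ("162.241.41.111", 7080),
    ("190.85.46.52", 7080),
    ("162.144.42.60", 8080),
    ("157.245.138.101", 7080),
    ("103.133.66.57", 443),
}
# Non-standard ports that recur across the report's C2 list.
UNCOMMON_C2_PORTS = {7080, 8080}

# Constructed firewall log (assumed format): ts action proto src dst:port [dns=name]
LOG = """\
2024-04-26T23:08:01Z allow udp 10.0.0.5:52311 8.8.8.8:53 dns=g.bing.com
2024-04-26T23:08:02Z allow tcp 10.0.0.5:49701 162.241.41.111:7080
2024-04-26T23:08:04Z allow tcp 10.0.0.5:49702 190.85.46.52:7080
2024-04-26T23:08:05Z allow tcp 10.0.0.5:49703 192.0.2.10:443 dns=updates.example.net
2024-04-26T23:08:07Z allow tcp 10.0.0.5:49704 203.0.113.9:8080
2024-04-26T23:08:09Z deny  tcp 10.0.0.5:49705 162.144.42.60:8080
"""

LINE = re.compile(
    r"^(\S+) (allow|deny)\s+(tcp|udp) (\S+) (\d+\.\d+\.\d+\.\d+):(\d+)(?: dns=(\S+))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = LINE.match(line)
    if not m:
        return None
    ts, action, proto, src, dst, port, domain = m.groups()
    return {"ts": ts, "action": action, "proto": proto, "src": src,
            "dst": dst, "port": int(port), "domain": domain}


def classify(log_text):
    """Return (ioc_hits, heuristic_hits).  A denied connection still counts:
    the beacon attempt is the evidence, whatever the firewall did with it."""
    ioc_hits, heuristic_hits = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp":
            continue  # DNS and unparseable lines are out of scope here
        key = (rec["dst"], rec["port"])
        if key in REPORT_C2:
            ioc_hits.append(rec)
        elif rec["port"] in UNCOMMON_C2_PORTS and rec["domain"] is None:
            heuristic_hits.append(rec)  # raw-IP session on a port this sample favours
    return ioc_hits, heuristic_hits


if __name__ == "__main__":
    ioc, heur = classify(LOG)
    for r in ioc:
        print("IOC match      ", r["ts"], r["action"], f'{r["dst"]}:{r["port"]}')
    for r in heur:
        print("port heuristic ", r["ts"], r["action"], f'{r["dst"]}:{r["port"]}')
```

The heuristic list is for triage, not for blocking: plenty of legitimate software talks to 8080 on a bare IP, so those hits need the process context (which image opened the socket) before they mean anything; the IOC list can be acted on directly.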

Files

memory/1596-0-0x00000000007B0000-0x00000000007C2000-memory.dmp

memory/1596-4-0x0000000002270000-0x0000000002280000-memory.dmp

memory/1596-7-0x00000000007A0000-0x00000000007AF000-memory.dmp

C:\Windows\SysWOW64\itircl\netlogon.exe

MD5 01df36c8891a9ce3570cad7f06bc2914
SHA1 8fb82853c826f20245bba22edcb0d963ef04f624
SHA256 2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958
SHA512 66636dc4f45898d8aa2fd1aabf6f027fd4a47dcbba2c62fa9246207a6e8a86c0ca5c40e8f5ecf76e5625ab97755b76e3f169167d3a3b0a582f6dcda7f8d7e8e3

As in behavioral1, the dropped file is a byte-identical copy of the submitted sample; only the directory and file name differ between the two runs, which is why a hash-based hunt is more reliable than a path-based one here.

memory/1596-9-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4156-14-0x0000000002190000-0x00000000021A0000-memory.dmp

memory/4156-10-0x0000000002170000-0x0000000002182000-memory.dmp
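Both detonations record the same sequence under "Drops file in System32 directory" and "Executes dropped EXE": the sample, running from the user's Temp directory, writes an executable one directory below C:\Windows\SysWOW64 (rpchttp\dmdlgs.exe in behavioral1, itircl\netlogon.exe in behavioral2) and then launches it, and the Files sections show the copy hashing identically to the original. The following is an added example, not part of the report or the sandbox's own detection logic: it correlates Sysmon-style file-create and process-create events to flag exactly that drop-then-execute pattern and reports whether the dropped file is a plain self-copy. The event stream is constructed to mirror behavioral1 (paths, PID 1824 and the SHA256 come from the page; explorer.exe as the parent, PID 500 msiexec.exe as a benign control, and the "process_create"/"file_create" record shape are assumptions).

```python
"""Detect the drop-and-execute pattern recorded in both detonations: an
executable written into a System32/SysWOW64 subdirectory by a process running
from a user-writable path, then launched.  Added example; events constructed."""
import re
from dataclasses import dataclass

# An executable exactly one directory below System32/SysWOW64, the layout of
# both drop paths in the report (rpchttp\dmdlgs.exe, itircl\netlogon.exe).
SYSTEM_SUBDIR_EXE = re.compile(
    r"^C:\\Windows\\(SysWOW64|System32)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# Per-user staging locations a freshly delivered dropper typically runs from.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

SAMPLE_SHA256 = "2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"
DROP_EXE = r"C:\Windows\SysWOW64\rpchttp\dmdlgs.exe"


@dataclass(frozen=True)
class Event:
    kind: str     # "process_create" or "file_create" (Sysmon event 1 / 11 style)
    pid: int      # process performing the action
    image: str    # image path of that process
    target: str   # child image launched, or file written
    sha256: str   # hash of the target


# Constructed event stream (not the report's own log).
SAMPLE_EVENTS = [
    Event("process_create", 1000, r"C:\Windows\explorer.exe", TEMP_EXE, SAMPLE_SHA256),
    # Benign control: an installer writing under SysWOW64 from a system path.
    Event("file_create", 500, r"C:\Windows\System32\msiexec.exe",
          r"C:\Windows\SysWOW64\vendor\tool.exe", "a" * 64),
    Event("file_create", 1824, TEMP_EXE, DROP_EXE, SAMPLE_SHA256),
    Event("process_create", 1824, TEMP_EXE, DROP_EXE, SAMPLE_SHA256),
]


def find_self_copy_and_execute(events):
    """Return one finding per executable that (1) was written into a
    System32/SysWOW64 subdirectory by a process running from a user-writable
    path and (2) was launched afterwards.  `same_bytes` is True when the
    dropped file hashes the same as the dropper, i.e. a plain self-copy."""
    events = list(events)
    # Learn each image's hash from the process_create event that launched it.
    image_hash = {e.target.lower(): e.sha256 for e in events if e.kind == "process_create"}
    drops = {}  # lower-cased dropped path -> (event index, event)
    for i, e in enumerate(events):
        if (e.kind == "file_create" and SYSTEM_SUBDIR_EXE.match(e.target)
                and USER_WRITABLE.match(e.image)):
            drops[e.target.lower()] = (i, e)
    findings = []
    for i, e in enumerate(events):
        if e.kind != "process_create":
            continue
        hit = drops.get(e.target.lower())
        if hit is None or hit[0] > i:  # must be written before it is executed
            continue
        drop = hit[1]
        findings.append({
            "dropper": drop.image,
            "dropped": drop.target,
            "launcher_pid": e.pid,
            "same_bytes": image_hash.get(drop.image.lower()) == drop.sha256,
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_copy_and_execute(SAMPLE_EVENTS):
        print(finding)
```

The ordering check matters: a file-create after the process-create would be the launched copy modifying itself, a different behaviour, so only writes that precede the launch are paired. The `same_bytes` flag is what separates this report's behaviour (an unchanged self-copy, so the original sample hash is the disk IOC) from droppers that unpack a different payload, where the dropped file needs its own hash.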