Malware Analysis Report

2025-01-03 05:59

Sample ID: 240426-myxfyaeh21
Target: 009a1b500d89734904b13817cb5f7b53_JaffaCakes118
SHA256: 0661773e64fcd9c32d644fe14211e36676ff706650226ead305a2d012198856c
Tags: emotet epoch3 banker trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 0661773e64fcd9c32d644fe14211e36676ff706650226ead305a2d012198856c

Threat Level: Known bad

The file 009a1b500d89734904b13817cb5f7b53_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch3 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 10:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 10:52

Reported

2024-04-26 10:55

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\009a1b500d89734904b13817cb5f7b53_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\uicom\tapiui.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\uicom\tapiui.exe | C:\Users\Admin\AppData\Local\Temp\009a1b500d89734904b13817cb5f7b53_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\009a1b500d89734904b13817cb5f7b53_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\009a1b500d89734904b13817cb5f7b53_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\009a1b500d89734904b13817cb5f7b53_JaffaCakes118.exe"

C:\Windows\SysWOW64\uicom\tapiui.exe

"C:\Windows\SysWOW64\uicom\tapiui.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
JP | 118.243.83.70:80 | | tcp
DE | 5.189.168.53:8080 | | tcp
US | 162.241.41.111:7080 | | tcp
CO | 190.85.46.52:7080 | | tcp
FI | 95.216.205.155:8080 | | tcp
US | 50.116.78.109:8080 | | tcp

Files

memory/2944-4-0x00000000023C0000-0x00000000023D0000-memory.dmp

memory/2944-7-0x0000000002390000-0x000000000239F000-memory.dmp

memory/2944-0-0x00000000023A0000-0x00000000023B2000-memory.dmp

C:\Windows\SysWOW64\uicom\tapiui.exe

MD5: 009a1b500d89734904b13817cb5f7b53
SHA1: 8645872194e5c3d3e190ad868b6a0497fbfcb895
SHA256: 0661773e64fcd9c32d644fe14211e36676ff706650226ead305a2d012198856c
SHA512: bb3ab9cda7679bbe08b18f4e532b290464860884093527c0e47a5b866ea97c940c673d1f9ab95a71adc9f6d4ff0efae009a9a30435f283a0d88600c52548be9c

memory/2944-9-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3696-14-0x0000000002810000-0x0000000002820000-memory.dmp

memory/3696-10-0x0000000002270000-0x0000000002282000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 10:52

Reported

2024-04-26 10:55

Platform

win7-20240221-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\009a1b500d89734904b13817cb5f7b53_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\009a1b500d89734904b13817cb5f7b53_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\009a1b500d89734904b13817cb5f7b53_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
JP | 118.243.83.70:80 | | tcp
JP | 118.243.83.70:80 | | tcp
DE | 5.189.168.53:8080 | | tcp
DE | 5.189.168.53:8080 | | tcp
US | 162.241.41.111:7080 | | tcp
US | 162.241.41.111:7080 | | tcp

Files

memory/2020-0-0x00000000002F0000-0x0000000000302000-memory.dmp

memory/2020-5-0x0000000000310000-0x0000000000320000-memory.dmp

memory/2020-2-0x00000000002E0000-0x00000000002EF000-memory.dmp