Malware Analysis Report

2025-01-03 05:59

Sample ID 240426-wjh5fahg9x
Target 01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118
SHA256 308d767f5cc0c83e4bdf1d286d6ffdcac5889ee56d4d91fb01908b163ded2b16
Tags
emotet epoch3 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

308d767f5cc0c83e4bdf1d286d6ffdcac5889ee56d4d91fb01908b163ded2b16

Threat Level: Known bad

The file 01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch3 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 17:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 17:56

Reported

2024-04-26 17:59

Platform

win7-20240221-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe"

Network

Country Destination Domain Proto
JP 49.243.9.118:80 tcp
JP 49.243.9.118:80 tcp
US 162.241.41.111:7080 tcp
US 162.241.41.111:7080 tcp
CO 190.85.46.52:7080 tcp
CO 190.85.46.52:7080 tcp
US 162.144.42.60:8080 tcp

Files

memory/1708-7-0x0000000000220000-0x000000000022F000-memory.dmp

memory/1708-4-0x0000000000260000-0x0000000000270000-memory.dmp

memory/1708-0-0x0000000000230000-0x0000000000242000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 17:56

Reported

2024-04-26 17:59

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\RegCtrl\iexpress.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\RegCtrl\iexpress.exe C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\RegCtrl\iexpress.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01564c2faeacef4115a7eb8ba57262c3_JaffaCakes118.exe"

C:\Windows\SysWOW64\RegCtrl\iexpress.exe

"C:\Windows\SysWOW64\RegCtrl\iexpress.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
JP 49.243.9.118:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 162.241.41.111:7080 tcp
CO 190.85.46.52:7080 tcp
US 162.144.42.60:8080 tcp
US 157.245.138.101:7080 tcp
IN 103.133.66.57:443 tcp

Files

memory/1492-0-0x0000000000660000-0x0000000000672000-memory.dmp

memory/1492-4-0x0000000000680000-0x0000000000690000-memory.dmp

memory/1492-7-0x0000000000640000-0x000000000064F000-memory.dmp

C:\Windows\SysWOW64\RegCtrl\iexpress.exe

MD5 01564c2faeacef4115a7eb8ba57262c3
SHA1 7e111947e90eb0cb5efe018ae88ce26b84cdf462
SHA256 308d767f5cc0c83e4bdf1d286d6ffdcac5889ee56d4d91fb01908b163ded2b16
SHA512 97fc8b98e675f22ed5b307da26761af0ae929d89876d39512cb57b7d6ca3b5c5e903d701d0af69b742bcdf313cdf35436610a051a4c6a50367104df808e4537c

memory/1492-9-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2664-14-0x00000000022B0000-0x00000000022C0000-memory.dmp

memory/2664-10-0x0000000002290000-0x00000000022A2000-memory.dmp