Malware Analysis Report

2025-01-03 05:51

Sample ID 240502-ffkk4ahc4x
Target 0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118
SHA256 484623515f85800e0f53f25dd9a5bedc192975351b4aaa174d2354b632f4216f
Tags
emotet epoch1 banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

484623515f85800e0f53f25dd9a5bedc192975351b4aaa174d2354b632f4216f

Threat Level: Known bad

The file 0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-02 04:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 04:48

Reported

2024-05-02 04:51

Platform

win7-20240220-en

Max time kernel

131s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\deploynic.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-d7-91-d0-6c-46\WpadDetectedUrl C:\Windows\SysWOW64\deploynic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0134000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\deploynic.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBD2E8A4-5F4B-4FFA-BA53-285F199F15D1}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\deploynic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBD2E8A4-5F4B-4FFA-BA53-285F199F15D1}\ca-d7-91-d0-6c-46 C:\Windows\SysWOW64\deploynic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-d7-91-d0-6c-46\WpadDecisionTime = b0f39a564c9cda01 C:\Windows\SysWOW64\deploynic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\deploynic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0134000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\deploynic.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBD2E8A4-5F4B-4FFA-BA53-285F199F15D1}\WpadDecisionReason = "1" C:\Windows\SysWOW64\deploynic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-d7-91-d0-6c-46 C:\Windows\SysWOW64\deploynic.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-d7-91-d0-6c-46\WpadDecision = "0" C:\Windows\SysWOW64\deploynic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\deploynic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\deploynic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBD2E8A4-5F4B-4FFA-BA53-285F199F15D1} C:\Windows\SysWOW64\deploynic.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\deploynic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\deploynic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBD2E8A4-5F4B-4FFA-BA53-285F199F15D1}\WpadDecisionTime = b0f39a564c9cda01 C:\Windows\SysWOW64\deploynic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\deploynic.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-d7-91-d0-6c-46\WpadDecisionReason = "1" C:\Windows\SysWOW64\deploynic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBD2E8A4-5F4B-4FFA-BA53-285F199F15D1}\WpadDecisionTime = 3003fc1a4c9cda01 C:\Windows\SysWOW64\deploynic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\deploynic.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\deploynic.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\deploynic.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\deploynic.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBD2E8A4-5F4B-4FFA-BA53-285F199F15D1}\WpadDecision = "0" C:\Windows\SysWOW64\deploynic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-d7-91-d0-6c-46\WpadDecisionTime = 3003fc1a4c9cda01 C:\Windows\SysWOW64\deploynic.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\deploynic.exe N/A
N/A N/A C:\Windows\SysWOW64\deploynic.exe N/A
N/A N/A C:\Windows\SysWOW64\deploynic.exe N/A
N/A N/A C:\Windows\SysWOW64\deploynic.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe | --f31e7790
C:\Windows\SysWOW64\deploynic.exe | "C:\Windows\SysWOW64\deploynic.exe"
C:\Windows\SysWOW64\deploynic.exe | --6f313bd7

Network

Country | Destination | Domain | Proto
US | 70.32.78.99:8080 | | tcp
US | 70.32.78.99:8080 | | tcp
PL | 213.189.36.51:8080 | | tcp
PL | 213.189.36.51:8080 | | tcp
US | 107.170.27.84:443 | | tcp
US | 107.170.27.84:443 | | tcp
GB | 85.234.143.94:8080 | | tcp

Files

memory/1028-0-0x00000000005D0000-0x00000000005E7000-memory.dmp

memory/1028-5-0x0000000000350000-0x0000000000361000-memory.dmp

memory/2968-6-0x0000000000260000-0x0000000000277000-memory.dmp

memory/2652-11-0x0000000000440000-0x0000000000457000-memory.dmp

memory/2480-16-0x0000000000E70000-0x0000000000E87000-memory.dmp

memory/2968-21-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 04:48

Reported

2024-05-02 04:51

Platform

win10v2004-20240419-en

Max time kernel

138s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\xclfill.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\xclfill.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\xclfill.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\xclfill.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\xclfill.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\xclfill.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\xclfill.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\0d8bc73982dbf82384e5fe24320a3656_JaffaCakes118.exe | --f31e7790
C:\Windows\SysWOW64\xclfill.exe | "C:\Windows\SysWOW64\xclfill.exe"
C:\Windows\SysWOW64\xclfill.exe | --a9e229fa

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 70.32.78.99:8080 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
PL | 213.189.36.51:8080 | | tcp
US | 107.170.27.84:443 | | tcp
US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp
GB | 85.234.143.94:8080 | | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
BO | 200.58.83.179:80 | | tcp
NL | 51.15.8.192:8080 | 51.15.8.192 | tcp
US | 8.8.8.8:53 | 192.8.15.51.in-addr.arpa | udp
SE | 185.86.148.222:8080 | | tcp

Files

memory/1412-0-0x0000000000530000-0x0000000000547000-memory.dmp

memory/1412-5-0x00000000004C0000-0x00000000004D1000-memory.dmp

memory/448-6-0x0000000002060000-0x0000000002077000-memory.dmp

memory/4160-12-0x0000000000D60000-0x0000000000D77000-memory.dmp

memory/448-17-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\cfc8b1873e77dcd7e93893b04097b5e1_341ede6d-ed6e-4a9a-b21e-61c68ffcc45e

MD5 b1ecb35538fba014759f943d49f97d73
SHA1 2e4f3974e4ca15b1f897c8d5cce43c256590b1e6
SHA256 431638e80278251a13b7a0c468b0c62bd10de1f58a8509a51291fa40d5c2acff
SHA512 25ee7009d5a57c0a75513955e39f2833bc7db9be700ba13f939ba89a9b23a13892987c3606d0c4238e426f13a3ee4f895e9723f49d8ab4c92a34864b2ac8bb85