Malware Analysis Report

2025-01-03 05:49

Sample ID 240504-qlbkgshh87
Target 12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118
SHA256 16947a6d048e41da2f818f75f958e61c77e7e15f612e2091a086b6298914ed8c
Tags
emotet epoch1 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16947a6d048e41da2f818f75f958e61c77e7e15f612e2091a086b6298914ed8c

Threat Level: Known bad

The file 12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-04 13:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 13:20

Reported

2024-05-04 13:23

Platform

win7-20240221-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\browserbinder.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\browserbinder.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\22-6b-c5-28-47-73 | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-6b-c5-28-47-73\WpadDecisionTime = b08c1aea259eda01 | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-6b-c5-28-47-73\WpadDecision = "0" | C:\Windows\SysWOW64\browserbinder.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\browserbinder.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\WpadDecision = "0" | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\browserbinder.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C} | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\WpadDecisionTime = b08c1aea259eda01 | C:\Windows\SysWOW64\browserbinder.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-6b-c5-28-47-73\WpadDecisionReason = "1" | C:\Windows\SysWOW64\browserbinder.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\browserbinder.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\browserbinder.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-6b-c5-28-47-73 | C:\Windows\SysWOW64\browserbinder.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\browserbinder.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\browserbinder.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\browserbinder.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe

--31b4a163

C:\Windows\SysWOW64\browserbinder.exe

"C:\Windows\SysWOW64\browserbinder.exe"

C:\Windows\SysWOW64\browserbinder.exe

--7b3af6e8

Network

Country | Destination | Domain | Proto
AR | 201.213.32.59:80 | | tcp
AR | 201.213.32.59:80 | | tcp
MX | 187.155.95.26:50000 | | tcp
MX | 187.155.95.26:50000 | | tcp
LU | 46.29.183.211:8080 | | tcp
LU | 46.29.183.211:8080 | | tcp

Files

memory/2884-0-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2884-5-0x00000000002B0000-0x00000000002C0000-memory.dmp

memory/2904-6-0x0000000000240000-0x0000000000256000-memory.dmp

memory/2584-11-0x00000000003D0000-0x00000000003E6000-memory.dmp

memory/2904-16-0x0000000000400000-0x00000000004A7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 13:20

Reported

2024-05-04 13:23

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\tlbjoin.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\tlbjoin.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\tlbjoin.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\tlbjoin.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\tlbjoin.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\tlbjoin.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\tlbjoin.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe

--31b4a163

C:\Windows\SysWOW64\tlbjoin.exe

"C:\Windows\SysWOW64\tlbjoin.exe"

C:\Windows\SysWOW64\tlbjoin.exe

--e326546a
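Both runs record the same four-step chain: the sample in %TEMP% relaunches itself with a random eight-hex-digit "--" switch (--31b4a163), a copy appears in C:\Windows\SysWOW64\ under a generated name (browserbinder.exe on win7, tlbjoin.exe on win10), and that copy relaunches itself with a fresh switch (--7b3af6e8, --e326546a). The copy's writes go to C:\Windows\SysWOW64\config\systemprofile\ and HKEY_USERS\.DEFAULT, which are the profile directory and hive LocalSystem uses, so the SysWOW64 stage ran as SYSTEM. The detection below is an added example, not code from the sandbox or this report. It runs over process-creation records constructed from the two Processes sections; the field names mimic Sysmon Event ID 1 by analogy, the parent PIDs and the mapping of the dump-file PIDs (2884/2904/2584 and 556/3024/2992/3740) onto the four processes are assumptions, and PID 1200 and the two installer events are made up for contrast.

```python
"""Flag the Emotet-style staging chain: self-relaunch with a random
'--xxxxxxxx' switch, then a renamed copy in the system directory that
does the same.  Added example; event records are constructed."""
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass

SWITCH_RE = re.compile(r"^--[0-9a-f]{8}$")          # --31b4a163, --7b3af6e8, --e326546a
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process's image
    cmdline: str    # command line exactly as logged


def args_of(cmdline: str) -> list[str]:
    """Split a Windows command line: quotes group, backslashes stay literal."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def has_relaunch_switch(ev: ProcEvent) -> bool:
    return any(SWITCH_RE.match(a) for a in args_of(ev.cmdline)[1:])


def find_emotet_chains(events):
    """Return (rule, pid, image) tuples for every event that fits the chain."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        img, pimg = ev.image.lower(), parent.image.lower()

        # Rule 1: a process re-executes its own image with the random switch.
        if img == pimg and has_relaunch_switch(ev):
            findings.append(("self_relaunch_with_switch", ev.pid, img))

        # Rule 2: a binary in a user-writable directory starts a differently
        # named executable out of the system directory.  Installers do this
        # too (msiexec, cmd), so only fire when the new executable goes on
        # to relaunch itself with the switch, i.e. the whole chain is present.
        if (img.startswith(SYSTEM_DIRS) and img != pimg
                and any(d in pimg for d in USER_WRITABLE)):
            if any(c.image.lower() == img and has_relaunch_switch(c)
                   for c in children[ev.pid]):
                findings.append(("dropped_to_system_dir_and_relaunched", ev.pid, img))
    return findings


# Constructed merged log of both runs.  PIDs come from the dump-file names;
# which PID is which process is assumed.  1200 (explorer.exe), 3100 and the
# setup.exe/msiexec.exe pair are invented.
ORIG = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
        "12e98da1dbc3bc92cab664c2e149f400_JaffaCakes118.exe")
WIN7_COPY = "C:\\Windows\\SysWOW64\\browserbinder.exe"
WIN10_COPY = "C:\\Windows\\SysWOW64\\tlbjoin.exe"
SETUP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\setup.exe"
MSIEXEC = "C:\\Windows\\System32\\msiexec.exe"

SAMPLE_EVENTS = [
    ProcEvent(2884, 1200, ORIG, f'"{ORIG}"'),                      # win7 run
    ProcEvent(2904, 2884, ORIG, f'"{ORIG}" --31b4a163'),
    ProcEvent(2584, 2904, WIN7_COPY, f'"{WIN7_COPY}"'),
    ProcEvent(3100, 2584, WIN7_COPY, f'"{WIN7_COPY}" --7b3af6e8'),
    ProcEvent(556, 1200, ORIG, f'"{ORIG}"'),                       # win10 run
    ProcEvent(3024, 556, ORIG, f'"{ORIG}" --31b4a163'),
    ProcEvent(2992, 3024, WIN10_COPY, f'"{WIN10_COPY}"'),
    ProcEvent(3740, 2992, WIN10_COPY, f'"{WIN10_COPY}" --e326546a'),
    ProcEvent(4000, 1200, SETUP, f'"{SETUP}"'),                    # benign contrast
    ProcEvent(4010, 4000, MSIEXEC, f'"{MSIEXEC}" /i pkg.msi'),
]

if __name__ == "__main__":
    for rule, pid, image in find_emotet_chains(SAMPLE_EVENTS):
        print(f"{rule:38} pid={pid:<5} {image}")
```

Rule 1 alone would already catch every stage here; rule 2 is kept separate because it survives a change of the switch format, as long as something from a user-writable path still plants a renamed binary in the system directory that then restarts itself.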

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 227.143.123.92.in-addr.arpa | udp
NL | 23.62.61.99:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
AR | 201.213.32.59:80 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
MX | 187.155.95.26:50000 | | tcp
US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp
LU | 46.29.183.211:8080 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 23.229.115.217:8080 | | tcp
DE | 81.169.140.14:443 | | tcp
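The two Network tables mix the sample's own traffic with the sandbox's background noise. The rows with no Domain are connections made straight to an IP:port pair without a DNS lookup, which is how Emotet reaches its hard-coded C2 list; the win7 run reached three of them (201.213.32.59:80, 187.155.95.26:50000, 46.29.183.211:8080) and the win10 run those three plus 23.229.115.217:8080 and 81.169.140.14:443, while the 8.8.8.8:53 reverse lookups and the Bing endpoints are OS activity. The script below is an added example, not the report's tooling: it triages the rows on that basis and emits one Suricata rule per candidate. The rows are transcribed from the tables above (the PTR lookups are abbreviated to one representative), the noise list and the rule text (sid range, msg, classtype) are local choices to adapt, and "candidate" means exactly that: each endpoint still needs a reputation check before it goes into a blocklist.

```python
"""Separate direct-to-IP connections from sandbox background traffic and
turn the survivors into Suricata alerts.  Added example; rows copied from
the report, noise rules and rule text are assumptions."""
import ipaddress

# (country, destination, domain, proto); empty domain = no name resolved.
NETWORK_ROWS = [
    # behavioral1, win7
    ("AR", "201.213.32.59:80", "", "tcp"),
    ("AR", "201.213.32.59:80", "", "tcp"),
    ("MX", "187.155.95.26:50000", "", "tcp"),
    ("MX", "187.155.95.26:50000", "", "tcp"),
    ("LU", "46.29.183.211:8080", "", "tcp"),
    ("LU", "46.29.183.211:8080", "", "tcp"),
    # behavioral2, win10 (PTR lookups abbreviated to one row)
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("NL", "23.62.61.99:443", "www.bing.com", "tcp"),
    ("AR", "201.213.32.59:80", "", "tcp"),
    ("MX", "187.155.95.26:50000", "", "tcp"),
    ("LU", "46.29.183.211:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "23.229.115.217:8080", "", "tcp"),
    ("DE", "81.169.140.14:443", "", "tcp"),
]

# Assumption: DNS to the sandbox resolver, reverse lookups and Microsoft
# telemetry/Bing endpoints are OS background noise, not sample activity.
RESOLVERS = {"8.8.8.8"}
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def split_dest(dest):
    """'host:port' -> (validated IP string, int port); raises on junk."""
    host, port = dest.rsplit(":", 1)
    return str(ipaddress.ip_address(host)), int(port)


def is_noise(dest, domain, proto):
    host, port = split_dest(dest)
    if proto == "udp" and port == 53 and host in RESOLVERS:
        return True
    return bool(domain) and domain.lower().endswith(NOISE_SUFFIXES)


def candidate_c2(rows):
    """Unique direct-to-IP endpoints as (host, port, proto, country), first-seen order."""
    seen = {}
    for country, dest, domain, proto in rows:
        # Named hosts are left for manual review rather than auto-flagged.
        if domain or is_noise(dest, domain, proto):
            continue
        host, port = split_dest(dest)
        seen.setdefault((host, port, proto), country)
    return [(h, p, pr, c) for (h, p, pr), c in seen.items()]


def suricata_rules(c2, base_sid=9100001):
    """One alert per endpoint.  sid range and msg prefix are local choices."""
    return [
        f'alert {proto} $HOME_NET any -> {host} {port} '
        f'(msg:"Emotet epoch1 C2 {host}:{port} [{country}]"; '
        f'flow:to_server; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, (host, port, proto, country) in enumerate(c2)
    ]


if __name__ == "__main__":
    for rule in suricata_rules(candidate_c2(NETWORK_ROWS)):
        print(rule)
```

The dedup key is (host, port, proto), so a host that Emotet contacts on two ports gets two rules; that is deliberate, since the port is part of the C2 entry and a host moving ports is worth a separate alert.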

Files

memory/556-0-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/556-5-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/3024-6-0x0000000002180000-0x0000000002196000-memory.dmp

memory/2992-12-0x00000000015A0000-0x00000000015B6000-memory.dmp

memory/3024-17-0x0000000000400000-0x00000000004A7000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\1d9711abc4c7991af082606a1519efaa_f546c72a-ef7d-4387-9afa-727536aab388

MD5 83ce154a5573bcc4cfdf62b355bb54c0
SHA1 c09f190e200fb795442b8c441a793c448a0eabf1
SHA256 64f277c830cbe99b3fdd9c0a12ef4a25e9194f884bc767c12cb29b6c8f708181
SHA512 b51ae6a0a16506643061caa16d039db6f48ca481abb42c3d70c9274eeb698c3464c7818e6f493d2300a092a3d4964dc01558838d65a2457b37f869f502afdf3f

memory/3740-19-0x0000000000E20000-0x0000000000E36000-memory.dmp
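The memory-dump names in both Files sections encode a PID, a sequence index and a virtual address range. Every process in the chain has a 0x16000-byte region (2884, 2904 and 2584 on win7; 556, 3024, 2992 and 3740 on win10), and one PID per run (2904, 3024) also has a 0x400000-0x4A7000 mapping, which is the main module at the default 32-bit image base. The parser below is an added example, not part of the sandbox output: it decodes the names, reports sizes that recur across PIDs, and picks the dump to open first. Reading the name as memory/<pid>-<index>-<start>-<end> is inferred from the lines above, and "prefer the region at 0x400000, else the largest" is a triage heuristic, not a rule the sandbox documents.

```python
"""Decode 'memory/<pid>-<index>-<start>-<end>-memory.dmp' names and rank
them for triage.  Added example; the name layout is inferred from the
report and the ranking heuristic is an assumption."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<index>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
IMAGE_BASE_32 = 0x00400000   # default image base of a 32-bit PE


def parse_dump_name(name):
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "index": int(m["index"]),
            "start": start, "end": end, "size": end - start, "name": name}


def regions_by_pid(names):
    out = defaultdict(list)
    for r in map(parse_dump_name, names):
        out[r["pid"]].append(r)
    return dict(out)


def recurring_sizes(names):
    """Region sizes seen in more than one PID -> sorted PIDs (same code, each stage)."""
    by_size = defaultdict(set)
    for r in map(parse_dump_name, names):
        by_size[r["size"]].add(r["pid"])
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}


def pick_first_dump(names):
    """Prefer a region at the 32-bit image base; otherwise the largest region."""
    regs = list(map(parse_dump_name, names))
    at_base = [r for r in regs if r["start"] == IMAGE_BASE_32]
    return max(at_base or regs, key=lambda r: r["size"])


# Names copied from the two Files sections.
BEHAVIORAL1_DUMPS = [
    "memory/2884-0-0x00000000003E0000-0x00000000003F6000-memory.dmp",
    "memory/2884-5-0x00000000002B0000-0x00000000002C0000-memory.dmp",
    "memory/2904-6-0x0000000000240000-0x0000000000256000-memory.dmp",
    "memory/2584-11-0x00000000003D0000-0x00000000003E6000-memory.dmp",
    "memory/2904-16-0x0000000000400000-0x00000000004A7000-memory.dmp",
]
BEHAVIORAL2_DUMPS = [
    "memory/556-0-0x00000000024C0000-0x00000000024D6000-memory.dmp",
    "memory/556-5-0x00000000024B0000-0x00000000024C0000-memory.dmp",
    "memory/3024-6-0x0000000002180000-0x0000000002196000-memory.dmp",
    "memory/2992-12-0x00000000015A0000-0x00000000015B6000-memory.dmp",
    "memory/3024-17-0x0000000000400000-0x00000000004A7000-memory.dmp",
    "memory/3740-19-0x0000000000E20000-0x0000000000E36000-memory.dmp",
]

if __name__ == "__main__":
    for label, dumps in (("win7", BEHAVIORAL1_DUMPS), ("win10", BEHAVIORAL2_DUMPS)):
        best = pick_first_dump(dumps)
        print(f"{label}: open {best['name']} first ({best['size']:#x} bytes)")
        for size, pids in recurring_sizes(dumps).items():
            print(f"{label}: {size:#x}-byte region recurs in PIDs {pids}")
```

The recurring 0x16000-byte region is the thing to diff across PIDs: if the bytes match, the sandbox caught the same unpacked code in every stage and one copy is enough to analyse.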