Malware Analysis Report

2024-10-18 21:19

Sample ID 240512-sg9b3aeg49
Target 3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118
SHA256 cca37083fe4cbcb71f83df2b52cc988ae6333aee86aa407ce902677b38dddd51
Tags
emotet epoch2 banker trojan
score
10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

cca37083fe4cbcb71f83df2b52cc988ae6333aee86aa407ce902677b38dddd51

Threat Level: Known bad

The file 3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch2 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 15:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 15:06

Reported

2024-05-12 15:09

Platform

win7-20240508-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe
Target: N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe
Process: C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe"

C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe

"C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe"

Network


Files

memory/1936-4-0x00000000002E0000-0x00000000002F0000-memory.dmp

memory/1936-7-0x0000000000230000-0x000000000023F000-memory.dmp

memory/1936-0-0x0000000000240000-0x0000000000252000-memory.dmp

memory/1936-9-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Windows\SysWOW64\ktmutil\api-ms-win-crt-locale-l1-1-0.exe

MD5 3abaa8d4ddb688291fd55c70c925a5ed
SHA1 5672075bc7cfa0e85a741674d51574ca577905e8
SHA256 cca37083fe4cbcb71f83df2b52cc988ae6333aee86aa407ce902677b38dddd51
SHA512 7ef83329ad4a1748fc27d286da24b332e2c9be65479906d1baae916de2ca3521be6518bdc45f69da707fbd26bb031d8945dbfbf84de2c35349d22dfab5861d27

memory/2576-14-0x0000000000260000-0x0000000000270000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 15:06

Reported

2024-05-12 15:09

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\dssec\quartz.exe
Target: N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\dssec\quartz.exe
Process: C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3abaa8d4ddb688291fd55c70c925a5ed_JaffaCakes118.exe"

C:\Windows\SysWOW64\dssec\quartz.exe

"C:\Windows\SysWOW64\dssec\quartz.exe"

Network


Files

memory/1904-0-0x00000000005C0000-0x00000000005D2000-memory.dmp

memory/1904-4-0x00000000005E0000-0x00000000005F0000-memory.dmp

memory/1904-7-0x00000000005B0000-0x00000000005BF000-memory.dmp

C:\Windows\SysWOW64\dssec\quartz.exe

MD5 3abaa8d4ddb688291fd55c70c925a5ed
SHA1 5672075bc7cfa0e85a741674d51574ca577905e8
SHA256 cca37083fe4cbcb71f83df2b52cc988ae6333aee86aa407ce902677b38dddd51
SHA512 7ef83329ad4a1748fc27d286da24b332e2c9be65479906d1baae916de2ca3521be6518bdc45f69da707fbd26bb031d8945dbfbf84de2c35349d22dfab5861d27

memory/1904-9-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2904-10-0x0000000002070000-0x0000000002082000-memory.dmp