Malware Analysis Report

2024-10-18 21:18

Sample ID 240516-h1ld8shh38
Target 49f287b44ef0865d1133fb0008583d93_JaffaCakes118
SHA256 71cb9f0032b91350022ed0bc4e8fe284e1611e0693075c2ed3127749c1484a90
Tags
emotet epoch3 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71cb9f0032b91350022ed0bc4e8fe284e1611e0693075c2ed3127749c1484a90

Threat Level: Known bad

The file 49f287b44ef0865d1133fb0008583d93_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch3 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 07:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 07:12

Reported

2024-05-16 07:14

Platform

win7-20240221-en

Max time kernel

133s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe"

Network

Country Destination Domain Proto
JP 116.91.240.96:80 tcp
JP 116.91.240.96:80 tcp
IN 167.71.227.113:8080 tcp
IN 167.71.227.113:8080 tcp
CO 190.85.46.52:7080 tcp
CO 190.85.46.52:7080 tcp
US 162.144.42.60:8080 tcp
US 162.144.42.60:8080 tcp

Files

memory/1152-4-0x0000000000260000-0x0000000000270000-memory.dmp

memory/1152-0-0x0000000000240000-0x0000000000252000-memory.dmp

memory/1152-7-0x0000000000230000-0x000000000023F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 07:12

Reported

2024-05-16 07:14

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\avrt\mfc42u.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\avrt\mfc42u.exe C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\avrt\mfc42u.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49f287b44ef0865d1133fb0008583d93_JaffaCakes118.exe"

C:\Windows\SysWOW64\avrt\mfc42u.exe

"C:\Windows\SysWOW64\avrt\mfc42u.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1404,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
JP 116.91.240.96:80 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
IN 167.71.227.113:8080 tcp
CO 190.85.46.52:7080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 162.144.42.60:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
PK 202.166.170.43:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
FI 95.216.205.155:8080 tcp
JP 120.51.34.254:80 tcp

Files

memory/1012-0-0x0000000000640000-0x000000000064F000-memory.dmp

memory/1012-1-0x0000000000660000-0x0000000000672000-memory.dmp

memory/1012-5-0x0000000000680000-0x0000000000690000-memory.dmp

C:\Windows\SysWOW64\avrt\mfc42u.exe

MD5 49f287b44ef0865d1133fb0008583d93
SHA1 eeaeade5cf94e043349f4ee3584b67a76cb44c30
SHA256 71cb9f0032b91350022ed0bc4e8fe284e1611e0693075c2ed3127749c1484a90
SHA512 36749d8280ffa932b78a4e103d62ff3492a13968a3b6998a1303b2173069897eed9bb63c5a16c6d95f00ba77dc34814fd1a3cfae819cebb73bdec254d3c0bc6a

memory/1012-9-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/5036-10-0x00000000020D0000-0x00000000020E2000-memory.dmp

memory/5036-14-0x0000000002200000-0x0000000002210000-memory.dmp