Malware Analysis Report

2024-10-18 21:17

Sample ID 240516-ntcreaaf6t
Target 4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118
SHA256 81f6d01e79b1f7913b1703a4d7d52319d469b04b84d392a29d3160ebdb2232d2
Tags
emotet epoch3 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

81f6d01e79b1f7913b1703a4d7d52319d469b04b84d392a29d3160ebdb2232d2

Threat Level: Known bad

The file 4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch3 banker trojan

Emotet

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 11:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 11:40

Reported

2024-05-16 11:43

Platform

win7-20240220-en

Max time kernel

128s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe"

Network

Country Destination Domain Proto
FR 82.239.200.118:80 tcp
FR 82.239.200.118:80 tcp
FR 185.81.158.15:8080 tcp
FR 185.81.158.15:8080 tcp
FR 51.255.15.193:7080 tcp
FR 51.255.15.193:7080 tcp
FR 85.25.207.108:8080 tcp
FR 85.25.207.108:8080 tcp

Files

memory/1684-0-0x0000000000340000-0x000000000034C000-memory.dmp

memory/1684-4-0x00000000002E0000-0x00000000002E9000-memory.dmp

memory/1684-5-0x0000000000340000-0x000000000034C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 11:40

Reported

2024-05-16 11:43

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ae1bafe6820163cb0d9cc073492950c_JaffaCakes118.exe"

C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe

"C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
FR 82.239.200.118:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FR 185.81.158.15:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FR 51.255.15.193:7080 tcp
FR 85.25.207.108:8080 tcp
US 107.161.30.122:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
VN 113.161.148.81:80 tcp
US 74.208.173.91:8080 tcp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

memory/3320-0-0x00000000023E0000-0x00000000023EC000-memory.dmp

memory/3320-4-0x00000000023D0000-0x00000000023D9000-memory.dmp

C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core\msvcp140_1.exe

MD5 4ae1bafe6820163cb0d9cc073492950c
SHA1 e586d422164a8593bff505ad0b078dcae20183dc
SHA256 81f6d01e79b1f7913b1703a4d7d52319d469b04b84d392a29d3160ebdb2232d2
SHA512 c089e1f1d7828b6923e29fa0ed712bda7ea18a2439e12524b7fca78c2ab9113f060c3cc794ab46f0058bfc6661132129cecd964c2317418d512a03dfe13735ec

memory/3320-6-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1688-7-0x0000000000760000-0x000000000076C000-memory.dmp

memory/1688-11-0x0000000000760000-0x000000000076C000-memory.dmp