Malware Analysis Report

2024-10-18 21:21

Sample ID 240602-jve6psgb63
Target 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118
SHA256 01d06594c1418a2f58d827174255e372848d80a1eb037b9ae733e4b21a918cd2
Tags emotet banker trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 01d06594c1418a2f58d827174255e372848d80a1eb037b9ae733e4b21a918cd2

Threat Level: Known bad

The file 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet banker trojan

Emotet

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-02 07:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-02 07:59
Reported 2024-06-02 08:01
Platform win7-20240508-en
Max time kernel 148s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011} | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionReason = "1" | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionTime = e092c1c2c2b4da01 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionTime = a04e4919c3b4da01 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionTime = a04e4919c3b4da01 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\52-a4-6c-d2-f4-72 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecision = "0" | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionTime = e092c1c2c2b4da01 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecision = "0" | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDetectedUrl | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\mdmsgxinput.exe | N/A
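
Analyst note on the table above: \REGISTRY\USER\.DEFAULT is the hive loaded for the LocalSystem account, and the counters.dat path under config\systemprofile points the same way, so the renamed copy in SysWOW64 is running as SYSTEM when it touches these keys. The Wpad\<MAC> and WpadDecision values are WinINet's auto-proxy discovery state, written as a side effect of the binary using WinINet for its outbound traffic, and the DefaultConnectionSettings blob is the binary form of the "Internet Settings" connection record. The check a practitioner wants is whether that record merely enables autodetect (benign, as here) or sets a proxy or PAC URL (traffic redirection). The following decoder is an added example, not code from the sample or the sandbox; it parses the first blob from the table re-grouped one DWORD per line, and builds a constructed proxy-setting blob for contrast. The field layout (version 0x46, change counter, PROXY_TYPE_* flags, three length-prefixed ANSI strings) is the documented WinINet format; the bytes after the third string are kept opaque because the longer win8+-style records in the table carry extra fields this decoder does not interpret.

```python
"""Decode the WinINet "Connections" blobs (DefaultConnectionSettings and
SavedLegacySettings) that the table above shows mdmsgxinput.exe writing
under \\REGISTRY\\USER\\.DEFAULT. Layout: little-endian DWORDs version
(0x46), change counter, PROXY_TYPE_* flags, then three length-prefixed
ANSI strings (proxy server, bypass list, auto-config URL); whatever
follows is kept as opaque trailing bytes."""
import struct
from dataclasses import dataclass

# PROXY_TYPE_* bits from wininet.h.
PROXY_TYPE_DIRECT = 0x01
PROXY_TYPE_PROXY = 0x02
PROXY_TYPE_AUTO_PROXY_URL = 0x04
PROXY_TYPE_AUTO_DETECT = 0x08
FLAG_NAMES = (
    (PROXY_TYPE_DIRECT, "DIRECT"),
    (PROXY_TYPE_PROXY, "PROXY"),
    (PROXY_TYPE_AUTO_PROXY_URL, "AUTO_PROXY_URL"),
    (PROXY_TYPE_AUTO_DETECT, "AUTO_DETECT"),
)

# The first DefaultConnectionSettings value from the behavioral1 table,
# re-grouped one DWORD per line so the fields are visible.
REPORT_BLOB = (
    "46000000"   # version 0x46
    "02000000"   # change counter 2 (the later writes carry 3, then 4)
    "09000000"   # flags 0x09 = DIRECT | AUTO_DETECT
    "00000000"   # proxy server: length 0
    "00000000"   # bypass list: length 0
    "00000000"   # auto-config URL: length 0
    + "00" * 32  # reserved trailing bytes, all zero in the report
)


@dataclass
class ConnectionSettings:
    version: int
    counter: int
    flags: int
    proxy_server: str
    bypass_list: str
    autoconfig_url: str
    trailing: bytes

    def flag_names(self):
        return [name for bit, name in FLAG_NAMES if self.flags & bit]

    def redirects_traffic(self):
        """True when a proxy or PAC URL is configured, i.e. the value would
        steer WinINet traffic somewhere rather than just enable autodetect."""
        has_proxy = bool(self.flags & PROXY_TYPE_PROXY) and self.proxy_server != ""
        has_pac = bool(self.flags & PROXY_TYPE_AUTO_PROXY_URL) and self.autoconfig_url != ""
        return has_proxy or has_pac


def _read_lpstr(buf, off):
    """DWORD byte count followed by that many ANSI bytes, no terminator."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length 0x%x runs past the end of the blob" % n)
    return buf[off:off + n].decode("latin-1"), off + n


def parse_connection_settings(hexblob):
    """Parse a hex-encoded blob as printed in the registry table."""
    buf = bytes.fromhex("".join(hexblob.split()))
    if len(buf) < 24:
        raise ValueError("blob shorter than header plus three string lengths")
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    if version != 0x46:
        raise ValueError("unexpected version 0x%x" % version)
    off = 12
    proxy, off = _read_lpstr(buf, off)
    bypass, off = _read_lpstr(buf, off)
    pac, off = _read_lpstr(buf, off)
    return ConnectionSettings(version, counter, flags, proxy, bypass, pac, buf[off:])


def build_connection_settings(counter, flags, proxy="", bypass="", pac=""):
    """Encoder for a comparison blob; inverse of parse_connection_settings."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac):
        raw = s.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return (out + b"\x00" * 32).hex()


if __name__ == "__main__":
    # A constructed value of the kind a proxy-hijacking sample would write,
    # printed next to the report's value for contrast.
    tampered = build_connection_settings(5, PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, "127.0.0.1:8080")
    for label, blob in (("report", REPORT_BLOB), ("constructed", tampered)):
        s = parse_connection_settings(blob)
        print(label, "counter=%d" % s.counter, s.flag_names(),
              "proxy=%r" % s.proxy_server, "redirects=%s" % s.redirects_traffic())
```

Run against the report's value this yields counter 2, flags DIRECT | AUTO_DETECT and empty strings, i.e. the Windows default with "automatically detect settings" on; the counter climbing 2, 3, 4 across the three writes is WinINet re-saving the record, not three different configurations. A non-empty proxy or PAC string with the matching flag bit is the finding worth escalating.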

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"
C:\Windows\SysWOW64\mdmsgxinput.exe | "C:\Windows\SysWOW64\mdmsgxinput.exe"
C:\Windows\SysWOW64\mdmsgxinput.exe | "C:\Windows\SysWOW64\mdmsgxinput.exe"

Network

Country | Destination | Domain | Proto
US | 72.172.196.22:7080 | | tcp
US | 72.172.196.22:7080 | | tcp
US | 98.163.53.175:443 | | tcp
US | 98.163.53.175:443 | | tcp
MX | 187.155.30.88:8080 | | tcp
MX | 187.155.30.88:8080 | | tcp

Files

memory/1616-0-0x00000000001D0000-0x00000000001E7000-memory.dmp
memory/1616-1-0x00000000001F0000-0x0000000000207000-memory.dmp
memory/1616-5-0x00000000001F0000-0x0000000000207000-memory.dmp
memory/1616-6-0x0000000000180000-0x0000000000190000-memory.dmp
memory/2888-7-0x0000000000150000-0x0000000000167000-memory.dmp
memory/2888-12-0x0000000000170000-0x0000000000187000-memory.dmp
memory/2888-13-0x00000000000E0000-0x00000000000F0000-memory.dmp
memory/2888-8-0x0000000000170000-0x0000000000187000-memory.dmp
memory/1616-14-0x00000000001D0000-0x00000000001E7000-memory.dmp
memory/2644-21-0x0000000000120000-0x0000000000130000-memory.dmp
memory/2644-20-0x0000000000100000-0x0000000000117000-memory.dmp
memory/2644-19-0x0000000000170000-0x0000000000187000-memory.dmp
memory/2644-15-0x0000000000170000-0x0000000000187000-memory.dmp
memory/2540-28-0x0000000000140000-0x0000000000150000-memory.dmp
memory/2540-27-0x0000000000100000-0x0000000000117000-memory.dmp
memory/2540-26-0x0000000000120000-0x0000000000137000-memory.dmp
memory/2540-22-0x0000000000120000-0x0000000000137000-memory.dmp
memory/2644-29-0x0000000000100000-0x0000000000117000-memory.dmp
memory/2888-31-0x0000000000150000-0x0000000000167000-memory.dmp
memory/2888-30-0x0000000000A40000-0x0000000000A89000-memory.dmp
memory/2540-32-0x0000000000100000-0x0000000000117000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-02 07:59
Reported 2024-06-02 08:01
Platform win10v2004-20240426-en
Max time kernel 137s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"
C:\Windows\SysWOW64\exampletvout.exe | "C:\Windows\SysWOW64\exampletvout.exe"
C:\Windows\SysWOW64\exampletvout.exe | "C:\Windows\SysWOW64\exampletvout.exe"

Network

Country | Destination | Domain | Proto
US | 72.172.196.22:7080 | | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 98.163.53.175:443 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
MX | 187.155.30.88:8080 | | tcp
US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp
US | 75.71.154.27:8080 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 70.183.177.22:80 | | tcp
SE | 213.112.99.246:7080 | | tcp
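
Analyst note on the two Network tables (behavioral1 above and this one): the TCP rows are the direct-to-IP connections on 7080, 8080, 443 and 80 that make up the sample's C2 candidate list; the UDP rows to 8.8.8.8:53 are reverse (PTR) lookups of addresses the Windows 10 guest itself resolves and none of those addresses reappear as a TCP destination, so they are host noise rather than sample activity. The script below is an added example built on the rows copied from both tables, not code from the sandbox or the sample: it splits the rows into the two groups, cross-checks that no PTR target was actually contacted, counts hits per endpoint across both detonations, and emits one Suricata rule per endpoint. The sid base 9000001 is a placeholder to be replaced with a value from your own range.

```python
"""Separate the report's Network rows into C2 candidates and resolver noise,
cross-check the two, and emit blocking rules."""
from collections import OrderedDict

# (country, destination, domain, proto) rows copied from the behavioral1 and
# behavioral2 Network tables; the domain column is empty for TCP rows.
REPORT_ROWS = [
    ("US", "72.172.196.22:7080", "", "tcp"),
    ("US", "72.172.196.22:7080", "", "tcp"),
    ("US", "98.163.53.175:443", "", "tcp"),
    ("US", "98.163.53.175:443", "", "tcp"),
    ("MX", "187.155.30.88:8080", "", "tcp"),
    ("MX", "187.155.30.88:8080", "", "tcp"),
    ("US", "72.172.196.22:7080", "", "tcp"),
    ("US", "8.8.8.8:53", "183.142.211.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "98.163.53.175:443", "", "tcp"),
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("MX", "187.155.30.88:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "35.56.20.217.in-addr.arpa", "udp"),
    ("US", "75.71.154.27:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "70.183.177.22:80", "", "tcp"),
    ("SE", "213.112.99.246:7080", "", "tcp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """'183.142.211.20.in-addr.arpa' -> '20.211.142.183'."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError("not a reverse-DNS name: " + name)
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("malformed PTR name: " + name)
    return ".".join(reversed(octets))


def classify_rows(rows):
    """Return (c2, ptr_ips): c2 maps 'ip:port' -> {'country', 'hits'} in
    first-seen order; ptr_ips lists the addresses the guest asked the
    resolver to reverse-map."""
    c2 = OrderedDict()
    ptr_ips = []
    for country, dest, domain, proto in rows:
        if proto == "udp" and domain.endswith(PTR_SUFFIX):
            ptr_ips.append(ptr_name_to_ip(domain))
            continue
        if proto != "tcp":
            continue
        entry = c2.setdefault(dest, {"country": country, "hits": 0})
        entry["hits"] += 1
    return c2, ptr_ips


def ptr_overlap(c2, ptr_ips):
    """PTR targets that are also TCP destinations. Any hit here means the
    'noise' was corroborated by a real connection and must not be dropped."""
    c2_ips = {ep.rsplit(":", 1)[0] for ep in c2}
    return sorted(set(ptr_ips) & c2_ips)


def suricata_rules(c2, sid_base):
    """One alert per endpoint; sid_base is a placeholder for your own range."""
    rules = []
    for sid, (ep, info) in enumerate(c2.items(), start=sid_base):
        ip, port = ep.rsplit(":", 1)
        rules.append(
            'alert tcp $HOME_NET any -> %s %s (msg:"Emotet C2 candidate %s (%s)"; '
            'flow:to_server; sid:%d; rev:1;)' % (ip, port, ep, info["country"], sid)
        )
    return rules


if __name__ == "__main__":
    c2, ptr_ips = classify_rows(REPORT_ROWS)
    for ep, info in c2.items():
        print("%-22s %s hits=%d" % (ep, info["country"], info["hits"]))
    print("reverse lookups:", ptr_ips)
    print("PTR targets also contacted over TCP:", ptr_overlap(c2, ptr_ips))
    print("\n".join(suricata_rules(c2, sid_base=9000001)))
```

Six endpoints survive, three of them hit in both the win7 and win10 runs (72.172.196.22:7080, 98.163.53.175:443, 187.155.30.88:8080), which is the subset to prioritise for blocking and retro-hunting; the overlap check returns nothing, confirming the PTR rows can be left out of the IOC set.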

Files

memory/4700-0-0x0000000002980000-0x0000000002997000-memory.dmp
memory/4700-5-0x00000000029D0000-0x00000000029E7000-memory.dmp
memory/4700-1-0x00000000029D0000-0x00000000029E7000-memory.dmp
memory/4700-6-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/2464-11-0x0000000000870000-0x0000000000887000-memory.dmp
memory/2464-13-0x0000000000990000-0x00000000009A0000-memory.dmp
memory/4700-14-0x0000000002980000-0x0000000002997000-memory.dmp
memory/2464-12-0x0000000000830000-0x0000000000847000-memory.dmp
memory/2464-8-0x0000000000870000-0x0000000000887000-memory.dmp
memory/3456-15-0x0000000001350000-0x0000000001367000-memory.dmp
memory/3456-20-0x00000000013F0000-0x0000000001407000-memory.dmp
memory/3456-21-0x00000000013B0000-0x00000000013C0000-memory.dmp
memory/3456-16-0x00000000013F0000-0x0000000001407000-memory.dmp
memory/4192-22-0x0000000000A70000-0x0000000000A87000-memory.dmp
memory/4192-23-0x0000000000BC0000-0x0000000000BD7000-memory.dmp
memory/4192-27-0x0000000000BC0000-0x0000000000BD7000-memory.dmp
memory/4192-28-0x0000000000BE0000-0x0000000000BF0000-memory.dmp
memory/3456-29-0x0000000001350000-0x0000000001367000-memory.dmp
memory/2464-31-0x0000000000830000-0x0000000000847000-memory.dmp
memory/2464-30-0x0000000000470000-0x00000000004B9000-memory.dmp
memory/4192-32-0x0000000000A70000-0x0000000000A87000-memory.dmp
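
Analyst note on the two Files sections (behavioral1 and behavioral2): each run dumped memory from four processes, and in both runs every process shows the same pair of region sizes (0x17000 and 0x10000) plus, in exactly one process per run, a single 0x49000-byte mapping (2888 at 0xA40000 on win7, 2464 at 0x470000 on win10). A mapping whose size is unique within the chain is the first dump to open for unpacked code and strings. The script below is an added example, not sandbox code: it parses the names copied from the win10 Files section, merges repeated dumps of the same range, and reports the odd-sized region. The name layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the listing itself, not taken from sandbox documentation, and the size-uniqueness rule is a triage heuristic rather than proof of where the payload lives.

```python
"""Turn the dump file names from the Files section into per-process region
lists and single out the mapping whose size is unique to one process."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Names copied from the behavioral2 Files section (win10 detonation).
REPORT_DUMPS = [
    "memory/4700-0-0x0000000002980000-0x0000000002997000-memory.dmp",
    "memory/4700-5-0x00000000029D0000-0x00000000029E7000-memory.dmp",
    "memory/4700-1-0x00000000029D0000-0x00000000029E7000-memory.dmp",
    "memory/4700-6-0x00000000029F0000-0x0000000002A00000-memory.dmp",
    "memory/2464-11-0x0000000000870000-0x0000000000887000-memory.dmp",
    "memory/2464-13-0x0000000000990000-0x00000000009A0000-memory.dmp",
    "memory/4700-14-0x0000000002980000-0x0000000002997000-memory.dmp",
    "memory/2464-12-0x0000000000830000-0x0000000000847000-memory.dmp",
    "memory/2464-8-0x0000000000870000-0x0000000000887000-memory.dmp",
    "memory/3456-15-0x0000000001350000-0x0000000001367000-memory.dmp",
    "memory/3456-20-0x00000000013F0000-0x0000000001407000-memory.dmp",
    "memory/3456-21-0x00000000013B0000-0x00000000013C0000-memory.dmp",
    "memory/3456-16-0x00000000013F0000-0x0000000001407000-memory.dmp",
    "memory/4192-22-0x0000000000A70000-0x0000000000A87000-memory.dmp",
    "memory/4192-23-0x0000000000BC0000-0x0000000000BD7000-memory.dmp",
    "memory/4192-27-0x0000000000BC0000-0x0000000000BD7000-memory.dmp",
    "memory/4192-28-0x0000000000BE0000-0x0000000000BF0000-memory.dmp",
    "memory/3456-29-0x0000000001350000-0x0000000001367000-memory.dmp",
    "memory/2464-31-0x0000000000830000-0x0000000000847000-memory.dmp",
    "memory/2464-30-0x0000000000470000-0x00000000004B9000-memory.dmp",
    "memory/4192-32-0x0000000000A70000-0x0000000000A87000-memory.dmp",
]


def parse_dump_name(name):
    """Split one dump name into pid, global dump sequence number and range."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError("unrecognised dump name: " + name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError("empty or inverted range in " + name)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """pid -> regions sorted by address. The same range is dumped more than
    once per process, so ranges are merged and the sequence numbers kept to
    show when each snapshot was taken."""
    merged = defaultdict(dict)
    for d in map(parse_dump_name, names):
        slot = merged[d["pid"]].setdefault(
            (d["start"], d["end"]),
            {"start": d["start"], "end": d["end"], "size": d["size"], "seqs": []})
        slot["seqs"].append(d["seq"])
    return {pid: sorted(regs.values(), key=lambda r: r["start"])
            for pid, regs in merged.items()}


def odd_one_out(names):
    """Regions whose size occurs in exactly one process of the chain.
    Heuristic: the sizes shared by every process are the loader's own
    mappings; a one-off size is where to start looking for unpacked code."""
    by_pid = regions_by_pid(names)
    pids_per_size = defaultdict(set)
    for pid, regions in by_pid.items():
        for r in regions:
            pids_per_size[r["size"]].add(pid)
    hits = []
    for pid in sorted(by_pid):
        for r in by_pid[pid]:
            if len(pids_per_size[r["size"]]) == 1:
                hits.append(dict(r, pid=pid))
    return hits


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(REPORT_DUMPS).items()):
        for r in regions:
            print("pid %-5d 0x%08x-0x%08x size 0x%05x dumps %s"
                  % (pid, r["start"], r["end"], r["size"], r["seqs"]))
    for r in odd_one_out(REPORT_DUMPS):
        print("candidate: pid %d 0x%08x (0x%x bytes)" % (r["pid"], r["start"], r["size"]))
```

On the win10 listing this collapses 21 dumps into 13 distinct regions and flags only PID 2464 at 0x470000 (0x49000 bytes, dump 30, taken late in the run); the same rule applied to the win7 names picks out PID 2888 at 0xA40000.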