Malware Analysis Report

2024-09-22 23:42

Sample ID: 240606-gfaassaf92
Target: 9a13774ec532cdb556bd21f426521483_JaffaCakes118
SHA256: 06da52a937ec4ceea60bc3358b82f80093d84ac0a54fe38c403947855e2d3510
Tags: emotet banker trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 06da52a937ec4ceea60bc3358b82f80093d84ac0a54fe38c403947855e2d3510
Threat Level: Known bad

The file 9a13774ec532cdb556bd21f426521483_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet banker trojan

Emotet

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-06 05:44

Signatures

Unsigned PE

The sample carries no Authenticode signature. No further detail was recorded for this check (description, indicator, process and target are all N/A in the report).

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-06 05:44
Reported: 2024-06-06 06:25
Platform: win10v2004-20240508-en
Max time kernel: 136s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe (no description, indicator or target recorded for these checks)

Processes

Four processes ran (the memory dumps below carry four PIDs: 3396, 4328, 3200 and 4352). Image path, then command line:

C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe (second instance)
    "C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe"

C:\Windows\SysWOW64\searchasystem.exe
    "C:\Windows\SysWOW64\searchasystem.exe"

C:\Windows\SysWOW64\searchasystem.exe (second instance)
    "C:\Windows\SysWOW64\searchasystem.exe"

searchasystem.exe is not a Windows component. Taken with the RenamesItself signature, and with the Windows 7 run (behavioral1) where the same slot in the chain is filled by C:\Windows\SysWOW64\dynamicloader.exe, this is the Emotet install pattern: the loader is re-hosted in the 32-bit system directory under a generated name and executed from there. Because the name changes from install to install, hunt for unsigned executables launched from C:\Windows\SysWOW64\ that are not part of the Windows image rather than for either filename.

Network

Country  Destination             Domain                        Proto
US       8.8.8.8:53              8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53              228.249.119.40.in-addr.arpa   udp
US       8.8.8.8:53              81.144.22.2.in-addr.arpa      udp
US       8.8.8.8:53              17.160.190.20.in-addr.arpa    udp
BE       2.17.196.178:443        www.bing.com                  tcp
US       8.8.8.8:53              138.201.86.20.in-addr.arpa    udp
US       8.8.8.8:53              178.196.17.2.in-addr.arpa     udp
CL       190.215.241.14:8080     -                             tcp
US       8.8.8.8:53              86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53              171.39.242.20.in-addr.arpa    udp
ZA       197.86.157.158:7080     -                             tcp
AR       190.2.50.193:443        -                             tcp
US       8.8.8.8:53              73.144.22.2.in-addr.arpa      udp
US       8.8.8.8:53              43.58.199.20.in-addr.arpa     udp
AR       168.121.59.107:7080     -                             tcp
US       8.8.8.8:53              31.243.111.52.in-addr.arpa    udp
US       8.8.8.8:53              tse1.mm.bing.net              udp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
MX       187.148.174.31:7080     -                             tcp
GB       78.141.2.164:443        78.141.2.164                  tcp
US       8.8.8.8:53              164.2.141.78.in-addr.arpa     udp
US       70.166.122.236:80       -                             tcp

("-" means no hostname is associated with the connection: the process connected to the IP address directly.)

Reading the table: the 8.8.8.8:53 rows are reverse (in-addr.arpa) lookups issued from the guest to the sandbox resolver, and the www.bing.com / tse1.mm.bing.net rows are background traffic of the Windows 10 image itself; none of that is attributable to the sample. The connections that matter are the TCP sessions to bare IP addresses on 8080, 7080, 443 and 80 that were made with no preceding forward DNS query. Emotet carries a hard-coded list of IP:port pairs and works through it until one answers, which is exactly this shape. The four endpoints that recur in the Windows 7 run (behavioral1), 190.215.241.14:8080, 197.86.157.158:7080, 190.2.50.193:443 and 168.121.59.107:7080, are the most reliable network indicators in this report; 187.148.174.31:7080, 78.141.2.164:443 (the PTR lookup for it follows the connection) and 70.166.122.236:80 were seen in this run only. No response content is recorded, so the report does not establish which, if any, of these addresses was live at detonation time.

Files

This section contains memory dumps only. The dump name encodes process ID, capture index and virtual address range (memory/<pid>-<index>-<start>-<end>-memory.dmp); a range listed more than once was captured at more than one point in the run. Grouped by process, with region sizes:

PID 3396
    index 0    0x008C0000-0x008D7000   92 KiB
    index 1    0x008E0000-0x008F7000   92 KiB
    index 5    0x008E0000-0x008F7000   92 KiB
    index 6    0x00900000-0x00910000   64 KiB
    index 14   0x008C0000-0x008D7000   92 KiB

PID 4328
    index 7    0x02070000-0x02087000   92 KiB
    index 8    0x02090000-0x020A7000   92 KiB
    index 12   0x02090000-0x020A7000   92 KiB
    index 13   0x020B0000-0x020C0000   64 KiB
    index 29   0x00400000-0x00439000   228 KiB
    index 30   0x02070000-0x02087000   92 KiB

PID 3200
    index 15   0x00A80000-0x00A97000   92 KiB
    index 19   0x00A80000-0x00A97000   92 KiB
    index 20   0x00A60000-0x00A77000   92 KiB
    index 21   0x005C0000-0x005D0000   64 KiB

PID 4352
    index 22   0x005F0000-0x00607000   92 KiB
    index 26   0x005F0000-0x00607000   92 KiB
    index 27   0x005B0000-0x005C7000   92 KiB
    index 28   0x005D0000-0x005E0000   64 KiB
    index 31   0x005B0000-0x005C7000   92 KiB

The capture order (3396, then 4328, 3200, 4352) is consistent with the four-process list above. Every process yields the same footprint, two 0x17000-byte (92 KiB) regions and one 64 KiB region, which is what repeated unpacking of the same payload into fresh allocations looks like. The extra 0x00400000-0x00439000 region in PID 4328 starts at the default image base of a 32-bit PE, so it is most likely the mapped executable itself and the dump to start from for static work.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-06 05:44
Reported: 2024-06-06 06:25
Platform: win7-20240215-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat, by C:\Windows\SysWOW64\dynamicloader.exe (no target recorded).

The indicator behind this signature is not the dropped executable. counters.dat is WinINet's cache bookkeeping file, and config\systemprofile is the LocalSystem profile directory, so what this entry actually tells you is that dynamicloader.exe used WinINet for its HTTP activity and did so as SYSTEM. The SysWOW64 binary itself, presumably the renamed sample (see the RenamesItself signature), is visible only in the Processes list below; the report records neither its write nor its hash.

Enumerates physical storage devices

Modifies data under HKEY_USERS

All entries were made by C:\Windows\SysWOW64\dynamicloader.exe under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (written "IS" below; the report logs the creation of this key twice, once with "Software" in a different case, which is the same key).

Keys created
    IS
    IS\Connections
    IS\Wpad
    IS\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}
    IS\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\ea-0e-c6-f9-27-49
    IS\Wpad\ea-0e-c6-f9-27-49

Values set
    IS\ProxyEnable (int) = "0"
    IS\Connections\DefaultConnectionSettings (data), first write = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    IS\Connections\DefaultConnectionSettings (data), second write = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f005e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    IS\Connections\SavedLegacySettings (data) = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    IS\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\WpadDecision (int) = "0"
    IS\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\WpadDecisionReason (int) = "1"
    IS\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\WpadDecisionTime (data) = 80c98b02dab7da01
    IS\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\WpadNetworkName (str) = "Network 3"
    IS\Wpad\ea-0e-c6-f9-27-49\WpadDecision (int) = "0"
    IS\Wpad\ea-0e-c6-f9-27-49\WpadDecisionReason (int) = "1"
    IS\Wpad\ea-0e-c6-f9-27-49\WpadDecisionTime (data) = 80c98b02dab7da01
    IS\Wpad\ea-0e-c6-f9-27-49\WpadDetectedUrl (str), no value recorded

What this means: these are the WPAD (proxy auto-detection) and connection-settings keys that WinINet/WinHTTP writes the first time a process performs HTTP through them; the {GUID} key is the network adapter and ea-0e-c6-f9-27-49 the gateway MAC address of the network the stack detected. The hive is HKEY_USERS\.DEFAULT rather than the Admin user's hive because dynamicloader.exe ran in the LocalSystem profile context (compare the systemprofile path under "Drops file in System32 directory"), which is the more important fact here. Both DefaultConnectionSettings blobs decode to structure version 0x46 with flags 0x09 (PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT) and empty proxy-server, bypass and PAC-URL strings, i.e. the stock "automatically detect settings" configuration with no proxy set; ProxyEnable = 0 says the same. So this is a side effect of the sample's network activity, not a proxy or PAC hijack and not persistence. WpadDecisionTime is a little-endian FILETIME that decodes to 2024-06-06 06:24:17 UTC, inside the reported detonation window, a useful check that the value was written by this run rather than baked into the sandbox image.

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe (no description, indicator or target recorded for this check)

Processes

Four processes ran (the memory dumps below carry four PIDs: 2952, 764, 2548 and 2624). Image path, then command line:

C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe (second instance)
    "C:\Users\Admin\AppData\Local\Temp\9a13774ec532cdb556bd21f426521483_JaffaCakes118.exe"

C:\Windows\SysWOW64\dynamicloader.exe
    "C:\Windows\SysWOW64\dynamicloader.exe"

C:\Windows\SysWOW64\dynamicloader.exe (second instance)
    "C:\Windows\SysWOW64\dynamicloader.exe"

dynamicloader.exe is not a Windows component; on the Windows 10 run (behavioral2) the same slot in the chain is filled by C:\Windows\SysWOW64\searchasystem.exe, so the name is generated per install and is not a usable indicator on its own. The chain (sample twice from %TEMP%, then a renamed copy twice from the 32-bit system directory) is the Emotet install pattern, and the registry and file artifacts above show the SysWOW64 instance running in the LocalSystem profile context.

Network

Country  Destination             Domain   Proto
CL       190.215.241.14:8080     -        tcp
CL       190.215.241.14:8080     -        tcp
ZA       197.86.157.158:7080     -        tcp
ZA       197.86.157.158:7080     -        tcp
AR       190.2.50.193:443        -        tcp
AR       190.2.50.193:443        -        tcp
AR       168.121.59.107:7080     -        tcp

("-" means no hostname is associated with the connection: the process connected to the IP address directly.)

The Windows 7 image generates no background traffic of its own here, so this table is the sample's network activity in isolation: direct-to-IP TCP on 8080, 7080 and 443 with no DNS, each address tried twice. All four endpoints also appear in the Windows 10 run (behavioral2), which makes them the corroborated network indicators of this report. Note that the first three are retried and the last is contacted once, consistent with the sample walking a hard-coded list in order.
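Separating the sample's C2 attempts from sandbox and OS noise, and cross-checking the two detonations, is the kind of triage a defender does on every report of this shape. The following is added example code, not part of the report and not Triage's own tooling; it serves both Network tables (behavioral2 above and behavioral1 here), which are embedded verbatim in the document's "Country Destination [Domain] Proto" row format. The noise heuristic (resolver traffic on 53/udp, *.bing.com and *.bing.net hostnames) is an assumption fitted to this report, and the defanged output format is my choice.

```python
import ipaddress

# Rows copied from the report. Domain is absent when the process connected to the IP directly.
WIN10_NETWORK = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 2.17.196.178:443 www.bing.com tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 178.196.17.2.in-addr.arpa udp
CL 190.215.241.14:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
ZA 197.86.157.158:7080 tcp
AR 190.2.50.193:443 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
AR 168.121.59.107:7080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
MX 187.148.174.31:7080 tcp
GB 78.141.2.164:443 78.141.2.164 tcp
US 8.8.8.8:53 164.2.141.78.in-addr.arpa udp
US 70.166.122.236:80 tcp
"""

WIN7_NETWORK = """
CL 190.215.241.14:8080 tcp
CL 190.215.241.14:8080 tcp
ZA 197.86.157.158:7080 tcp
ZA 197.86.157.158:7080 tcp
AR 190.2.50.193:443 tcp
AR 190.2.50.193:443 tcp
AR 168.121.59.107:7080 tcp
"""


def parse_rows(table):
    """Parse the report's whitespace-separated rows; 3 fields means no Domain column."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue  # header or malformed line
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_background_noise(row):
    """Guest/sandbox traffic that says nothing about the sample (heuristic fitted to this report)."""
    if row["proto"] == "udp" and row["port"] == 53:
        return True  # resolver traffic, including the in-addr.arpa PTR lookups
    if row["domain"].endswith((".bing.com", ".bing.net")):
        return True  # Windows 10 image background traffic
    return False


def direct_ip_connections(rows):
    """TCP sessions to a bare public IP with no hostname: the shape of a hard-coded C2 list."""
    out = set()
    for r in rows:
        if r["proto"] != "tcp" or is_background_noise(r):
            continue
        if r["domain"] and r["domain"] != r["ip"]:
            continue  # reached via a name, so it was resolved rather than hard-coded
        if not ipaddress.ip_address(r["ip"]).is_global:
            continue  # private/loopback ranges are sandbox infrastructure
        out.add((r["ip"], r["port"]))
    return out


def corroborated_c2(*tables):
    """Endpoints contacted in every detonation: the strongest network IOCs such a report yields."""
    return set.intersection(*(direct_ip_connections(parse_rows(t)) for t in tables))


def defang(ip, port):
    return "%s:%d" % (ip.replace(".", "[.]"), port)


if __name__ == "__main__":
    win10 = direct_ip_connections(parse_rows(WIN10_NETWORK))
    both = corroborated_c2(WIN10_NETWORK, WIN7_NETWORK)
    print("corroborated across both runs:", sorted(defang(*e) for e in both))
    print("Windows 10 run only:", sorted(defang(*e) for e in win10 - both))
```

The intersection step is the point: a single detonation's direct-IP list mixes the sample's C2 candidates with whatever else happened to connect, whereas an endpoint reproduced on two different OS images under the same binary is something you can block with confidence.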

Files

This section contains memory dumps only. The dump name encodes process ID, capture index and virtual address range (memory/<pid>-<index>-<start>-<end>-memory.dmp); a range listed more than once was captured at more than one point in the run. Grouped by process and sorted by capture index, with region sizes:

PID 2952
    index 0    0x00440000-0x00457000   92 KiB
    index 4    0x00440000-0x00457000   92 KiB
    index 5    0x003E0000-0x003F7000   92 KiB
    index 6    0x003A0000-0x003B0000   64 KiB
    index 14   0x003E0000-0x003F7000   92 KiB

PID 764
    index 8    0x003E0000-0x003F7000   92 KiB
    index 11   0x003E0000-0x003F7000   92 KiB
    index 12   0x003C0000-0x003D7000   92 KiB
    index 13   0x005D0000-0x005E0000   64 KiB
    index 29   0x00400000-0x00439000   228 KiB
    index 30   0x003C0000-0x003D7000   92 KiB

PID 2548
    index 15   0x005D0000-0x005E7000   92 KiB
    index 19   0x005D0000-0x005E7000   92 KiB
    index 20   0x003E0000-0x003F7000   92 KiB
    index 21   0x005F0000-0x00600000   64 KiB

PID 2624
    index 22   0x00260000-0x00277000   92 KiB
    index 26   0x00260000-0x00277000   92 KiB
    index 27   0x00240000-0x00257000   92 KiB
    index 28   0x00280000-0x00290000   64 KiB
    index 31   0x00240000-0x00257000   92 KiB

The footprint matches the Windows 10 run exactly: per process two 0x17000-byte (92 KiB) regions and one 64 KiB region, plus a single 0x00400000-0x00439000 region (228 KiB) in the second process (PID 764 here, 4328 on Windows 10). That region starts at the default image base of a 32-bit PE and is the best candidate for the mapped executable; the identical layout across two OS images is a good sign the dumps are of the same unpacked payload and that either set will do for static analysis.