Malware Analysis Report

2024-09-22 22:06

Sample ID 240614-p77z5svglp
Target a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118
SHA256 2865b1815412ce94c45c58bbd9f5aff193dad42a8e6fa125462eb7d2e5b9e07f
Tags
emotet epoch2 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2865b1815412ce94c45c58bbd9f5aff193dad42a8e6fa125462eb7d2e5b9e07f

Threat Level: Known bad

The file a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch2 banker trojan

Emotet

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: RenamesItself

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 12:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 12:59

Reported

2024-06-14 13:01

Platform

win7-20240508-en

Max time kernel

138s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\funcnetsh.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\WpadDecision = "0" | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\7a-ac-0b-2e-eb-57 | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-ac-0b-2e-eb-57\WpadDecisionTime = 60f695be5abeda01 | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\WpadDecisionTime = 60f695be5abeda01 | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-ac-0b-2e-eb-57 | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-ac-0b-2e-eb-57\WpadDecision = "0" | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB} | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-ac-0b-2e-eb-57\WpadDecisionReason = "1" | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\funcnetsh.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\funcnetsh.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\funcnetsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\funcnetsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\funcnetsh.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe

--2b790769

C:\Windows\SysWOW64\funcnetsh.exe

"C:\Windows\SysWOW64\funcnetsh.exe"

C:\Windows\SysWOW64\funcnetsh.exe

--769bd024

Network

Country | Destination | Domain | Proto
US | 206.81.10.215:8080 | | tcp
US | 206.81.10.215:8080 | | tcp
GB | 206.189.112.148:8080 | | tcp
GB | 206.189.112.148:8080 | | tcp
DE | 165.227.156.155:443 | | tcp
DE | 165.227.156.155:443 | | tcp

Files

memory/1700-0-0x0000000000230000-0x0000000000245000-memory.dmp

memory/1700-5-0x0000000000220000-0x0000000000230000-memory.dmp

memory/1988-11-0x0000000000220000-0x0000000000230000-memory.dmp

memory/1172-12-0x0000000000320000-0x0000000000335000-memory.dmp

memory/1172-17-0x00000000002F0000-0x0000000000300000-memory.dmp

memory/1988-18-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2628-19-0x00000000003D0000-0x00000000003E5000-memory.dmp

memory/2628-24-0x00000000003B0000-0x00000000003C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 12:59

Reported

2024-06-14 13:01

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\printsattrib.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\printsattrib.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\printsattrib.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\printsattrib.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\printsattrib.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\printsattrib.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\printsattrib.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a9ccbcaa82d4c8bdf029f2e8517cf056_JaffaCakes118.exe

--2b790769

C:\Windows\SysWOW64\printsattrib.exe

"C:\Windows\SysWOW64\printsattrib.exe"

C:\Windows\SysWOW64\printsattrib.exe

--78280762

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 206.81.10.215:8080 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
GB | 206.189.112.148:8080 | 206.189.112.148 | tcp
US | 8.8.8.8:53 | 148.112.189.206.in-addr.arpa | udp
DE | 165.227.156.155:443 | 165.227.156.155 | tcp
US | 8.8.8.8:53 | 155.156.227.165.in-addr.arpa | udp
US | 50.116.86.205:8080 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
BE | 31.12.67.62:7080 | | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
VN | 115.78.95.230:443 | | tcp
US | 65.23.154.17:8080 | | tcp

Files

memory/1704-0-0x00000000021C0000-0x00000000021D5000-memory.dmp

memory/1704-5-0x0000000000500000-0x0000000000510000-memory.dmp

memory/1596-7-0x00000000005D0000-0x00000000005E5000-memory.dmp

memory/1596-11-0x00000000005C0000-0x00000000005D0000-memory.dmp

memory/3052-13-0x0000000000EE0000-0x0000000000EF5000-memory.dmp

memory/3052-18-0x0000000000D40000-0x0000000000D50000-memory.dmp

memory/1596-19-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8e05abec4953565fbbff9223ea233dd4_aa2c3450-affa-4182-91ec-fc04d80413bd

MD5 bc4c2c492b6cd188662f5b06953963c1
SHA1 71dfa59feb1cd9af80f5a60f4a8388f7fec5f749
SHA256 a34a910c8022bdefb1a25fbbe44713f03d8d89f7c771c4c0ac45241874818608
SHA512 137da4d0189e9e93f556cbffd28036e029d601351e742fca548a9f5e3233f746d4fcb08f62b2ca934ab29dea41620f7bc550ce51a6387303059bd66fa1c40405

memory/1580-22-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/1580-26-0x00000000005D0000-0x00000000005E0000-memory.dmp