Malware Analysis Report

2024-09-22 22:06

Sample ID 240614-rf9qrsxerk
Target aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118
SHA256 0d5488caa8d8b88658eef8372132d7515ee48173c0e5a14fa0aa219b0bffda13
Tags
emotet epoch2 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d5488caa8d8b88658eef8372132d7515ee48173c0e5a14fa0aa219b0bffda13

Threat Level: Known bad

The file aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch2 banker trojan

Emotet

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 14:09

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 14:09

Reported

2024-06-14 14:11

Platform

win7-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe
Target: N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe
Process: C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe"

C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe

"C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe"

Network

Country  Destination          Domain  Proto
US       107.5.122.110:80     -       tcp
US       107.5.122.110:80     -       tcp
US       199.101.86.6:443     -       tcp
US       199.101.86.6:443     -       tcp
US       45.55.219.163:443    -       tcp
US       45.55.219.163:443    -       tcp

(- = no domain recorded; every connection in this run went to a raw IP address, each endpoint twice.)

Files

memory/1768-0-0x0000000000370000-0x000000000037C000-memory.dmp

memory/1768-4-0x0000000000350000-0x0000000000359000-memory.dmp

C:\Windows\SysWOW64\bcryptprimitives\NlsData004c.exe

MD5 aa196f01930b5dbfbe2e0e6bcc995d7f
SHA1 e7821509a71bd4cb7c415e5e9b99ea83ee79874d
SHA256 0d5488caa8d8b88658eef8372132d7515ee48173c0e5a14fa0aa219b0bffda13
SHA512 0a270762710929ec6be3be5104213012ed7096e23244729fcbb1b71d0c86b7f490ff91b639f06ee3aabbb387c9c3fe7c00593df011e03b83cff7de6b9cff0ac8

These hashes are identical to the submitted sample's (compare the SHA256 in the Analysis Overview), so the file in SysWOW64 is a byte-for-byte copy of the original executable rather than a second-stage payload. It is the object of the "Drops file in System32 directory" and "Executes dropped EXE" signatures above. The directory and file name of the copy differ between the two detonations, so neither is a stable indicator; the hash is.

memory/1768-6-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3060-11-0x0000000000260000-0x000000000026C000-memory.dmp

memory/3060-7-0x0000000000260000-0x000000000026C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 14:09

Reported

2024-06-14 14:11

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe
Target: N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe
Process: C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aa196f01930b5dbfbe2e0e6bcc995d7f_JaffaCakes118.exe"

C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe

"C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe"

Network

Country  Destination             Domain                        Proto
US       8.8.8.8:53              g.bing.com                    udp
US       204.79.197.237:443      g.bing.com                    tcp
US       8.8.8.8:53              75.159.190.20.in-addr.arpa    udp
NL       23.62.61.75:443         www.bing.com                  tcp
NL       23.62.61.75:443         www.bing.com                  tcp
US       8.8.8.8:53              57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53              75.61.62.23.in-addr.arpa      udp
US       107.5.122.110:80        -                             tcp
US       8.8.8.8:53              183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53              15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53              31.251.17.2.in-addr.arpa      udp
US       199.101.86.6:443        -                             tcp
US       45.55.219.163:443       -                             tcp
US       8.8.8.8:53              0.204.248.87.in-addr.arpa     udp
GB       62.30.7.67:443          -                             tcp
US       8.8.8.8:53              203.131.50.23.in-addr.arpa    udp
US       8.8.8.8:53              22.236.111.52.in-addr.arpa    udp
DE       185.94.252.104:443      -                             tcp
SG       203.117.253.142:80      -                             tcp

(- = no domain recorded.) The bing.com connections and the in-addr.arpa reverse lookups sent to 8.8.8.8 are background traffic of the Windows 10 image, not activity of the sample, and should not be carried into an indicator list. The raw-IP connections are the sample's own: 107.5.122.110:80, 199.101.86.6:443 and 45.55.219.163:443 recur from the Windows 7 run, while 62.30.7.67:443, 185.94.252.104:443 and 203.117.253.142:80 were reached only here.
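Turning the two Network tables into an indicator list means separating the sample's endpoints from the image's background traffic and then weighting endpoints by how many detonations they appear in. The script below is an added example by the editor, not part of the sandbox report. The two embedded strings are the Network rows of behavioral1 and behavioral2 copied from this page; the noise rules (resolver traffic on UDP/53, bing.com and in-addr.arpa names) and the two-tier split are the editor's assumptions, not a sandbox feature.

```python
"""Tier the network endpoints from the behavioral1 and behavioral2 runs above.

Added example, not part of the sandbox report. NETWORK_B1 and NETWORK_B2 are
the report's Network rows embedded as constructed input; the noise filter and
the corroboration rule are the editor's own."""
import re

NETWORK_B1 = """\
US 107.5.122.110:80 tcp
US 107.5.122.110:80 tcp
US 199.101.86.6:443 tcp
US 199.101.86.6:443 tcp
US 45.55.219.163:443 tcp
US 45.55.219.163:443 tcp
"""

NETWORK_B2 = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 107.5.122.110:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 199.101.86.6:443 tcp
US 45.55.219.163:443 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
GB 62.30.7.67:443 tcp
US 8.8.8.8:53 203.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 185.94.252.104:443 tcp
SG 203.117.253.142:80 tcp
"""

# One row: country, ip:port, optional domain, protocol.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+"
    r"(?:(?P<domain>\S+)\s+)?"
    r"(?P<proto>tcp|udp)$"
)

# Assumed background traffic of the sandbox image, not the sample.
NOISE_DOMAIN_SUFFIXES = (".bing.com", ".in-addr.arpa")


def parse_network(text):
    """Parse report rows of the form 'CC ip:port [domain] proto'."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def sample_endpoints(rows):
    """(ip, port) pairs attributable to the sample: drop DNS resolver traffic
    and any connection tied to a known background domain."""
    out = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == "53":
            continue
        if (r["domain"] or "").endswith(NOISE_DOMAIN_SUFFIXES):
            continue
        out.add((r["ip"], int(r["port"])))
    return out


def tier_endpoints(*tables):
    """Return (corroborated, single_run): endpoints contacted in every
    detonation versus endpoints contacted in only some of them."""
    per_run = [sample_endpoints(parse_network(t)) for t in tables]
    corroborated = set.intersection(*per_run)
    single_run = set.union(*per_run) - corroborated
    return corroborated, single_run


if __name__ == "__main__":
    strong, weak = tier_endpoints(NETWORK_B1, NETWORK_B2)
    for ip, port in sorted(strong):
        print(f"corroborated  {ip}:{port}")
    for ip, port in sorted(weak):
        print(f"single-run    {ip}:{port}")
```

Endpoints in the single-run tier are not noise by this rule (they are raw-IP connections with no background domain attached); they simply lack a second detonation backing them, so they are worth blocking with lower confidence or confirming against another source before being pushed to production controls.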

Files

memory/5568-0-0x00000000007D0000-0x00000000007DC000-memory.dmp

memory/5568-4-0x00000000007C0000-0x00000000007C9000-memory.dmp

C:\Windows\SysWOW64\wincredui\WinSyncProviders.exe

MD5 aa196f01930b5dbfbe2e0e6bcc995d7f
SHA1 e7821509a71bd4cb7c415e5e9b99ea83ee79874d
SHA256 0d5488caa8d8b88658eef8372132d7515ee48173c0e5a14fa0aa219b0bffda13
SHA512 0a270762710929ec6be3be5104213012ed7096e23244729fcbb1b71d0c86b7f490ff91b639f06ee3aabbb387c9c3fe7c00593df011e03b83cff7de6b9cff0ac8

Again identical to the submitted sample's hashes: the same self-copy as in the Windows 7 run, this time placed at wincredui\WinSyncProviders.exe rather than bcryptprimitives\NlsData004c.exe. Match on the hash, not the path.

memory/5568-6-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4928-7-0x0000000002300000-0x000000000230C000-memory.dmp

memory/4928-11-0x0000000002300000-0x000000000230C000-memory.dmp