Malware Analysis Report

2024-09-22 22:07

Sample ID 240614-v3hscatell
Target aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118
SHA256 b23028444d54d452f96f4df6cbb647c58a4d352fdd4558dd0d3debd215902327
Tags
emotet epoch2 banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b23028444d54d452f96f4df6cbb647c58a4d352fdd4558dd0d3debd215902327

Threat Level: Known bad

The file aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch2 banker trojan

Emotet

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 17:30

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 17:30

Reported

2024-06-14 17:33

Platform

win7-20240611-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\rowsetbang.exe | N/A |

Enumerates physical storage devices

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\WpadNetworkName = "Network 2" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-e5-18-01-80-9d | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\0e-e5-18-01-80-9d | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-e5-18-01-80-9d\WpadDecisionTime = d04318a980beda01 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0047000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B} | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\WpadDecisionTime = d04318a980beda01 | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F67AD3E-A8F1-4865-BD77-5A6F2FC8DA8B}\WpadDecision = "0" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-e5-18-01-80-9d\WpadDecisionReason = "1" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-e5-18-01-80-9d\WpadDecision = "0" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rowsetbang.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rowsetbang.exe | N/A |

Suspicious behavior: RenamesItself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe

--7c8c5eef

C:\Windows\SysWOW64\rowsetbang.exe

"C:\Windows\SysWOW64\rowsetbang.exe"

C:\Windows\SysWOW64\rowsetbang.exe

--ab70b012

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| MX | 189.159.113.125:8080 | | tcp |
| MX | 189.159.113.125:8080 | | tcp |
| AR | 200.51.94.251:80 | 200.51.94.251 | tcp |
| US | 45.33.54.74:443 | 45.33.54.74 | tcp |
| US | 209.141.41.136:8080 | | tcp |
| US | 209.141.41.136:8080 | | tcp |
| DE | 185.94.252.13:443 | | tcp |

Files

memory/2016-0-0x0000000000390000-0x00000000003A4000-memory.dmp

memory/2016-5-0x0000000000380000-0x000000000038F000-memory.dmp

memory/2932-6-0x00000000003D0000-0x00000000003E4000-memory.dmp

memory/2388-11-0x00000000008D0000-0x00000000008E4000-memory.dmp

memory/2932-16-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2292-17-0x0000000000AD0000-0x0000000000AE4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 17:30

Reported

2024-06-14 17:33

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\catjoin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\catjoin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\catjoin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\catjoin.exe | N/A |

Enumerates physical storage devices

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\catjoin.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\catjoin.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\catjoin.exe | N/A |

Suspicious behavior: RenamesItself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\aaeb79c60cc3358fb04545db76dac8cb_JaffaCakes118.exe

--7c8c5eef

C:\Windows\SysWOW64\catjoin.exe

"C:\Windows\SysWOW64\catjoin.exe"

C:\Windows\SysWOW64\catjoin.exe

--4c15b236

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.243:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| BE | 88.221.83.243:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 243.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| MX | 189.159.113.125:8080 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| AR | 200.51.94.251:80 | 200.51.94.251 | tcp |
| US | 8.8.8.8:53 | 251.94.51.200.in-addr.arpa | udp |
| US | 45.33.54.74:443 | 45.33.54.74 | tcp |
| US | 8.8.8.8:53 | 74.54.33.45.in-addr.arpa | udp |
| US | 209.141.41.136:8080 | | tcp |
| DE | 185.94.252.13:443 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| PA | 186.75.241.230:80 | | tcp |
| AR | 201.251.43.69:8080 | | tcp |

Files

memory/4412-0-0x00000000024D0000-0x00000000024E4000-memory.dmp

memory/4412-5-0x00000000024C0000-0x00000000024CF000-memory.dmp

memory/2500-6-0x0000000002280000-0x0000000002294000-memory.dmp

memory/3044-12-0x00000000015B0000-0x00000000015C4000-memory.dmp

memory/2500-17-0x0000000000400000-0x00000000004A6000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\503dd1842ca2542783c874edc85e93f5_50b25195-d6c8-43bb-b2ca-a8bd616967ef

MD5 c59d3dd5371f26cc653932d5e9dbbdfc
SHA1 2af1e109df080e1f1965702c5bc04be89fc5a108
SHA256 020de7906bd5c29a9a4345890667b582ae71ac0a0d36510c80a1931f7ceec11f
SHA512 b3781e13a5292a03d1cd4151554c2200cfb90f46696e498bb11ec3842fa9ef8d9d348e780fb66152b69e8c149fa803ce440a229be0c57313d623d04529041f17

memory/3388-19-0x0000000000E30000-0x0000000000E44000-memory.dmp