Malware Analysis Report

2024-09-22 23:27

Sample ID: 240615-1c85hayhjl
Target: b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118
SHA256: 32063cf418f54fcfc9e3ca5f36d37dc19e767f82623a61ec060b042f27ed0178
Tags: emotet epoch2 banker trojan
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 32063cf418f54fcfc9e3ca5f36d37dc19e767f82623a61ec060b042f27ed0178

Threat Level: Known bad

The file b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch2 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-15 21:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 21:31
Reported: 2024-06-15 21:33
Platform: win7-20240611-en
Max time kernel: 146s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mfcsubs\normaliz.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe"

C:\Windows\SysWOW64\mfcsubs\normaliz.exe

"C:\Windows\SysWOW64\mfcsubs\normaliz.exe"

Network


Files

memory/2032-0-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/2032-5-0x0000000000400000-0x00000000004C5000-memory.dmp

C:\Windows\SysWOW64\mfcsubs\normaliz.exe

MD5: b02ff5582a93db07cc9891ebba43c42c
SHA1: 5de11ef4feebdff42688396c4f09611d2b28ae1e
SHA256: 32063cf418f54fcfc9e3ca5f36d37dc19e767f82623a61ec060b042f27ed0178
SHA512: 10f1436ad5d58c1a2e3247f9ffec6b77b2d7723fa19309442014cd6599a37408bbc23c0f9349eabdcf497dbe03b10ad6f5efb87dd40d518d3694c39f6b4126a8

memory/2464-6-0x00000000005C0000-0x00000000005CC000-memory.dmp

memory/2464-10-0x00000000005C0000-0x00000000005CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 21:31
Reported: 2024-06-15 21:34
Platform: win10v2004-20240508-en
Max time kernel: 140s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b02ff5582a93db07cc9891ebba43c42c_JaffaCakes118.exe"

Network


Files

memory/1948-0-0x0000000002CD0000-0x0000000002CDC000-memory.dmp

memory/1948-4-0x0000000002CC0000-0x0000000002CC9000-memory.dmp

memory/1948-5-0x0000000002CD0000-0x0000000002CDC000-memory.dmp

memory/1948-6-0x0000000002BC0000-0x0000000002CB1000-memory.dmp