Malware Analysis Report

2024-09-22 23:41

Sample ID 240615-k22tqaycnq
Target adada50f3e0c587bd391c72863f4d74d_JaffaCakes118
SHA256 bf4ed5d5b4a2dfe5b2857cf5e36d508cd6cadc0c78e9a8ba27d10b59049c2397
Tags
emotet epoch2 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf4ed5d5b4a2dfe5b2857cf5e36d508cd6cadc0c78e9a8ba27d10b59049c2397

Threat Level: Known bad

The file adada50f3e0c587bd391c72863f4d74d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch2 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 09:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 09:06

Reported

2024-06-15 09:09

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adada50f3e0c587bd391c72863f4d74d_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\adada50f3e0c587bd391c72863f4d74d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\adada50f3e0c587bd391c72863f4d74d_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 71.72.196.159:80 tcp
US 71.72.196.159:80 tcp
US 134.209.36.254:8080 tcp
US 134.209.36.254:8080 tcp
NZ 120.138.30.150:8080 tcp
NZ 120.138.30.150:8080 tcp

Files

memory/2204-7-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2204-4-0x0000000000240000-0x0000000000250000-memory.dmp

memory/2204-0-0x0000000000260000-0x0000000000272000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 09:06

Reported

2024-06-15 09:09

Platform

win10v2004-20240611-en

Max time kernel

126s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adada50f3e0c587bd391c72863f4d74d_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NtlmShared\fwpolicyiomgr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\NtlmShared\fwpolicyiomgr.exe C:\Users\Admin\AppData\Local\Temp\adada50f3e0c587bd391c72863f4d74d_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adada50f3e0c587bd391c72863f4d74d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\adada50f3e0c587bd391c72863f4d74d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\adada50f3e0c587bd391c72863f4d74d_JaffaCakes118.exe"

C:\Windows\SysWOW64\NtlmShared\fwpolicyiomgr.exe

"C:\Windows\SysWOW64\NtlmShared\fwpolicyiomgr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 71.72.196.159:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 134.209.36.254:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NZ 120.138.30.150:8080 tcp
FR 94.23.216.33:80 tcp
IN 157.245.99.39:8080 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
SG 137.59.187.107:8080 tcp
FR 94.23.237.171:443 tcp

Files

memory/2076-4-0x0000000002080000-0x0000000002090000-memory.dmp

memory/2076-0-0x0000000002060000-0x0000000002072000-memory.dmp

memory/2076-7-0x00000000006B0000-0x00000000006BF000-memory.dmp

C:\Windows\SysWOW64\NtlmShared\fwpolicyiomgr.exe

MD5 adada50f3e0c587bd391c72863f4d74d
SHA1 3882a4cf9a6ed96f083455c14fe0916a26107073
SHA256 bf4ed5d5b4a2dfe5b2857cf5e36d508cd6cadc0c78e9a8ba27d10b59049c2397
SHA512 34d0e2ae44e2b5dd10a7410ba0a907cdc83a531436f075eedbc24612a88f4d5f36a63bd24ccf3342ff323cfc603ea5c3bb77a7e3e70a94cb3b74c58ac113eea6

memory/2076-9-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2940-10-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/2940-14-0x0000000001F20000-0x0000000001F30000-memory.dmp