Malware Analysis Report

2024-09-22 22:04

Sample ID 240615-qvblvasdmf
Target aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118
SHA256 fc762d1673347c40c10454641b6892dc07fea2e0a3564f5cdabcc8764335c5b5
Tags

emotet banker trojan

Score

10/10

Analysis Overview

Score

10/10

SHA256

fc762d1673347c40c10454641b6892dc07fea2e0a3564f5cdabcc8764335c5b5

Threat Level: Known bad

The file aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet banker trojan

Emotet

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 13:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 13:34

Reported

2024-06-15 13:37

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe"

C:\Windows\SysWOW64\ascvoice.exe

"C:\Windows\SysWOW64\ascvoice.exe"

C:\Windows\SysWOW64\ascvoice.exe

"C:\Windows\SysWOW64\ascvoice.exe"

Network

Country  Destination            Domain                 Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa   udp
CA       192.226.247.73:7080                           tcp
IN       202.134.191.142:443                           tcp
CA       184.149.48.160:8443                           tcp
CO       181.48.19.4:8080                              tcp
PE       190.233.119.42:8090                           tcp
MX       189.193.88.137:80                             tcp
GB       51.52.210.93:80                               tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 13:34

Reported

2024-06-15 13:37

Platform

win7-20240611-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\6e-f9-4c-0c-fa-10 | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-f9-4c-0c-fa-10\WpadDecisionReason = "1" | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD} | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\WpadDecisionTime = b09a8cd228bfda01 | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-f9-4c-0c-fa-10 | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-f9-4c-0c-fa-10\WpadDecisionTime = b09a8cd228bfda01 | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-f9-4c-0c-fa-10\WpadDecision = "0" | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\WpadDecision = "0" | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\tvoutcabinet.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe"

C:\Windows\SysWOW64\tvoutcabinet.exe

"C:\Windows\SysWOW64\tvoutcabinet.exe"

C:\Windows\SysWOW64\tvoutcabinet.exe

"C:\Windows\SysWOW64\tvoutcabinet.exe"

Network

Country  Destination            Domain                 Proto
CA       192.226.247.73:7080                           tcp
CA       192.226.247.73:7080                           tcp
IN       202.134.191.142:443                           tcp
IN       202.134.191.142:443                           tcp
CA       184.149.48.160:8443                           tcp
CA       184.149.48.160:8443                           tcp

Files
