Malware Analysis Report

2024-09-22 22:04

Sample ID: 240615-t8np4sxelg
Target: af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118
SHA256: 6d28339809a4e1e8cf45ab998568f777c2ad101c75f94c72461e8592ef581b98
Tags: emotet banker trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6d28339809a4e1e8cf45ab998568f777c2ad101c75f94c72461e8592ef581b98

Threat Level: Known bad

The file af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet banker trojan

Emotet

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-15 16:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 16:43
Reported: 2024-06-15 16:46
Platform: win10v2004-20240508-en
Max time kernel: 131s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\quotashared.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\quotashared.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\quotashared.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\quotashared.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\quotashared.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\quotashared.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\quotashared.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"

C:\Windows\SysWOW64\quotashared.exe

"C:\Windows\SysWOW64\quotashared.exe"

C:\Windows\SysWOW64\quotashared.exe

"C:\Windows\SysWOW64\quotashared.exe"

Network

Country Destination Domain Proto
US 24.217.117.217:80 - tcp
DE 62.159.33.122:20 - tcp
FR 37.59.51.53:8080 - tcp
US 216.105.170.139:4143 - tcp
US 72.52.216.110:8080 - tcp
ES 149.62.173.247:8080 - tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 16:43
Reported: 2024-06-15 16:46
Platform: win7-20240508-en
Max time kernel: 145s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\packxinput.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\packxinput.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\packxinput.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDecisionReason = "1" C:\Windows\SysWOW64\packxinput.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\packxinput.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\packxinput.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDecisionTime = 20b9c33843bfda01 C:\Windows\SysWOW64\packxinput.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\packxinput.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\packxinput.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadDecision = "0" C:\Windows\SysWOW64\packxinput.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\packxinput.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\packxinput.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\packxinput.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\packxinput.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\packxinput.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDetectedUrl C:\Windows\SysWOW64\packxinput.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadDecisionTime = 409a6f8b43bfda01 C:\Windows\SysWOW64\packxinput.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDecisionTime = 409a6f8b43bfda01 C:\Windows\SysWOW64\packxinput.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E} C:\Windows\SysWOW64\packxinput.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\packxinput.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadDecisionTime = 20b9c33843bfda01 C:\Windows\SysWOW64\packxinput.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d C:\Windows\SysWOW64\packxinput.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\1e-23-d1-8d-c2-2d C:\Windows\SysWOW64\packxinput.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\packxinput.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDecision = "0" C:\Windows\SysWOW64\packxinput.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadDecisionReason = "1" C:\Windows\SysWOW64\packxinput.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"

C:\Windows\SysWOW64\packxinput.exe

"C:\Windows\SysWOW64\packxinput.exe"

C:\Windows\SysWOW64\packxinput.exe

"C:\Windows\SysWOW64\packxinput.exe"

Network

Country Destination Domain Proto
US 24.217.117.217:80 - tcp
DE 62.159.33.122:20 - tcp
FR 37.59.51.53:8080 - tcp
US 216.105.170.139:4143 - tcp

Files
