Malware Analysis Report

2024-09-22 22:13

Sample ID 240616-rk34saweme
Target b3f02d5960f516d9017eafe55af1facb_JaffaCakes118
SHA256 9a4ba633080b1b9e4e13cb04b693c3c66e61459cdd5b6d29613e68436ce8e52d
Tags
emotet epoch1 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a4ba633080b1b9e4e13cb04b693c3c66e61459cdd5b6d29613e68436ce8e52d

Threat Level: Known bad

The file b3f02d5960f516d9017eafe55af1facb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:16

Reported

2024-06-16 14:18

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe"

Network

Country Destination Domain Proto
AU 202.22.141.45:80 tcp
AU 202.22.141.45:80 tcp
FR 37.187.161.206:8080 tcp
FR 37.187.161.206:8080 tcp
TH 202.29.239.162:443 tcp
TH 202.29.239.162:443 tcp
RU 80.87.201.221:7080 tcp

Files

memory/2408-4-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2408-7-0x00000000001D0000-0x00000000001DF000-memory.dmp

memory/2408-0-0x00000000004B0000-0x00000000004C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 14:16

Reported

2024-06-16 14:18

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\printui\htui.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\printui\htui.exe C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\printui\htui.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3f02d5960f516d9017eafe55af1facb_JaffaCakes118.exe"

C:\Windows\SysWOW64\printui\htui.exe

"C:\Windows\SysWOW64\printui\htui.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4228,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
AU 202.22.141.45:80 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
FR 37.187.161.206:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
TH 202.29.239.162:443 tcp
RU 80.87.201.221:7080 tcp
RO 82.76.111.249:443 tcp
US 216.47.196.104:80 tcp

Files

memory/4844-4-0x00000000021C0000-0x00000000021D0000-memory.dmp

memory/4844-1-0x00000000021A0000-0x00000000021B2000-memory.dmp

memory/4844-7-0x0000000002190000-0x000000000219F000-memory.dmp

C:\Windows\SysWOW64\printui\htui.exe

MD5 b3f02d5960f516d9017eafe55af1facb
SHA1 c29639a4504ec35a1e32e4a9101ad280d0f06838
SHA256 9a4ba633080b1b9e4e13cb04b693c3c66e61459cdd5b6d29613e68436ce8e52d
SHA512 f6130438bea54523495a0a0ddef57e8802cdec74c0d5a6d3697529fd081039814ccbf93cb14d420c99e98f1bb89082bf2ea3cda47051183ce4c503550973ae1d

memory/4844-9-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/3512-14-0x0000000002210000-0x0000000002220000-memory.dmp

memory/3512-10-0x00000000021F0000-0x0000000002202000-memory.dmp