Malware Analysis Report

2024-09-22 23:41

Sample ID 240617-e3lk8sthnc
Target b6befef4fe35518e6ec139eb90b549db_JaffaCakes118
SHA256 e4c250d5484cb84c9bb0932f55491edee4904997f065e7e492ae823ed5e94cfd
Tags
emotet epoch2 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e4c250d5484cb84c9bb0932f55491edee4904997f065e7e492ae823ed5e94cfd

Threat Level: Known bad

The file b6befef4fe35518e6ec139eb90b549db_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch2 banker trojan

Emotet

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 04:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 04:27

Reported

2024-06-17 04:30

Platform

win7-20240221-en

Max time kernel

128s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\sitkalua.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\sitkalua.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\fe-a3-50-a3-bf-31 C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionTime = c0d101f26ec0da01 C:\Windows\SysWOW64\sitkalua.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionTime = a00233ce6ec0da01 C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDetectedUrl C:\Windows\SysWOW64\sitkalua.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87} C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionReason = "1" C:\Windows\SysWOW64\sitkalua.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecision = "0" C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\sitkalua.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31 C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionTime = c0d101f26ec0da01 C:\Windows\SysWOW64\sitkalua.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecision = "0" C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\sitkalua.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionReason = "1" C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionTime = a00233ce6ec0da01 C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\sitkalua.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\sitkalua.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe

--c01563a7

C:\Windows\SysWOW64\sitkalua.exe

"C:\Windows\SysWOW64\sitkalua.exe"

C:\Windows\SysWOW64\sitkalua.exe

--f7bddfb6

Network

Country Destination Domain Proto
DE 185.234.72.64:443 tcp
DE 185.234.72.64:443 tcp
GB 51.68.220.244:8080 tcp
GB 51.68.220.244:8080 tcp
US 206.81.10.215:8080 tcp
US 206.81.10.215:8080 tcp
GB 206.189.112.148:8080 206.189.112.148 tcp
TR 85.104.59.244:20 tcp
TR 85.104.59.244:20 tcp
CZ 37.157.194.134:443 37.157.194.134 tcp
GB 31.172.240.91:8080 tcp
GB 31.172.240.91:8080 tcp

Files

memory/2880-0-0x00000000003C0000-0x00000000003D7000-memory.dmp

memory/2880-5-0x00000000003A0000-0x00000000003B1000-memory.dmp

memory/2344-6-0x0000000000240000-0x0000000000257000-memory.dmp

memory/2052-11-0x00000000003E0000-0x00000000003F7000-memory.dmp

memory/2344-16-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 04:27

Reported

2024-06-17 04:30

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\texasrun.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\texasrun.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\texasrun.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\texasrun.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\texasrun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\texasrun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\texasrun.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b6befef4fe35518e6ec139eb90b549db_JaffaCakes118.exe

--c01563a7

C:\Windows\SysWOW64\texasrun.exe

"C:\Windows\SysWOW64\texasrun.exe"

C:\Windows\SysWOW64\texasrun.exe

--e010c2e4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 185.234.72.64:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 51.68.220.244:8080 tcp
US 206.81.10.215:8080 tcp
GB 206.189.112.148:8080 206.189.112.148 tcp
US 8.8.8.8:53 148.112.189.206.in-addr.arpa udp
TR 85.104.59.244:20 tcp
CZ 37.157.194.134:443 37.157.194.134 tcp
US 8.8.8.8:53 134.194.157.37.in-addr.arpa udp
GB 31.172.240.91:8080 tcp
FR 87.230.19.21:8080 tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
N/A 178.209.71.63:8080 tcp

Files

memory/3936-0-0x0000000000680000-0x0000000000697000-memory.dmp

memory/3936-5-0x0000000000640000-0x0000000000651000-memory.dmp

memory/4496-6-0x0000000002150000-0x0000000002167000-memory.dmp

memory/3468-12-0x0000000000F70000-0x0000000000F87000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\62d89b1cc749ada74ac974797cd2bf89_2397ee06-28fe-4eaa-8777-f7014368c353

MD5 461f3321980d3c590039fbc2d18074c9
SHA1 3f0db67a2c9131778735b2f56ad6b7b18041e9fc
SHA256 af63fb45d1526520c70f72c304b3bfeaaaae9597a296289e88dda75638831978
SHA512 c153f222f76e5003136ff3835e1be18746ce10de1adc4c406880cab80f03b13d15a24b61e9409f2ce73814100e9043c1643d0fc655bb6a37312c583ca21ec277

memory/4496-18-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1448-19-0x0000000000E50000-0x0000000000E67000-memory.dmp