Malware Analysis Report

2024-09-22 22:20

Sample ID 240617-hyylsatdjp
Target b750b69afc2060ebe72189e35206ee61_JaffaCakes118
SHA256 b6f2457e50dc2fdd2cf809ebf63577c7277e0e26bf8e87188572c01d96d48f97
Tags
emotet epoch1 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6f2457e50dc2fdd2cf809ebf63577c7277e0e26bf8e87188572c01d96d48f97

Threat Level: Known bad

The file b750b69afc2060ebe72189e35206ee61_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 07:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 07:09

Reported

2024-06-17 07:11

Platform

win7-20240611-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe"

C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe

"C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe"

Network

Country Destination Domain Proto
US 50.121.220.50:80 tcp
US 50.121.220.50:80 tcp
PL 51.75.33.122:80 tcp
PL 51.75.33.122:80 tcp
FR 54.37.42.48:8080 tcp
FR 54.37.42.48:8080 tcp
FR 91.121.54.71:8080 tcp

Files

memory/1916-5-0x0000000000350000-0x0000000000359000-memory.dmp

memory/1916-4-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1916-0-0x0000000000360000-0x000000000036C000-memory.dmp

C:\Windows\SysWOW64\pnpsetup\AdapterTroubleshooter.exe

MD5 b750b69afc2060ebe72189e35206ee61
SHA1 1f355fc7602c06d7d6993405dc390e14e694bbe5
SHA256 b6f2457e50dc2fdd2cf809ebf63577c7277e0e26bf8e87188572c01d96d48f97
SHA512 12d80020d91bc67c40edf05b201913a509f98fd1905ba8ac8b05ebeb8c0ac25181d68b5840bc119f2bee1b13d4f0c3fe761d21c84175f8a75bd43926e32809cf

memory/1916-7-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2320-8-0x0000000000270000-0x000000000027C000-memory.dmp

memory/2320-12-0x0000000000270000-0x000000000027C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 07:09

Reported

2024-06-17 07:11

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Processes

C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b750b69afc2060ebe72189e35206ee61_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 50.121.220.50:80 tcp
NL 52.142.223.178:80 tcp
PL 51.75.33.122:80 tcp
FR 54.37.42.48:8080 tcp
FR 91.121.54.71:8080 tcp
FR 83.169.21.32:7080 tcp
CA 68.69.155.181:80 tcp

Files

memory/4640-0-0x00000000007C0000-0x00000000007CC000-memory.dmp

memory/4640-5-0x00000000007B0000-0x00000000007B9000-memory.dmp

memory/4640-4-0x0000000000790000-0x0000000000791000-memory.dmp

memory/4640-6-0x00000000007C0000-0x00000000007CC000-memory.dmp