Malware Analysis Report

2024-09-22 22:46

Sample ID 240617-jjwdjsvcrj
Target b772c25ca51e73e98673dd571e465aa4_JaffaCakes118
SHA256 1b36e125727aaa956a3ce21848c8264b2faa4b18bf8f9603a69cd685065a1e44
Tags
emotet epoch3 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b36e125727aaa956a3ce21848c8264b2faa4b18bf8f9603a69cd685065a1e44

Threat Level: Known bad

The file b772c25ca51e73e98673dd571e465aa4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch3 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 07:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 07:42

Reported

2024-06-17 07:44

Platform

win7-20240220-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b772c25ca51e73e98673dd571e465aa4_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b772c25ca51e73e98673dd571e465aa4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b772c25ca51e73e98673dd571e465aa4_JaffaCakes118.exe"

Network

Country Destination Domain Proto
AR 190.192.39.136:80 tcp
AR 190.192.39.136:80 tcp
DE 5.189.168.53:8080 tcp
DE 5.189.168.53:8080 tcp
US 162.241.41.111:7080 tcp
US 162.241.41.111:7080 tcp
CO 190.85.46.52:7080 tcp

Files

memory/2192-0-0x0000000000240000-0x0000000000252000-memory.dmp

memory/2192-4-0x0000000000270000-0x0000000000280000-memory.dmp

memory/2192-7-0x0000000000230000-0x000000000023F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 07:42

Reported

2024-06-17 07:45

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b772c25ca51e73e98673dd571e465aa4_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows.Security.Authentication.OnlineId\WMPhoto.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Windows.Security.Authentication.OnlineId\WMPhoto.exe C:\Users\Admin\AppData\Local\Temp\b772c25ca51e73e98673dd571e465aa4_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b772c25ca51e73e98673dd571e465aa4_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b772c25ca51e73e98673dd571e465aa4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b772c25ca51e73e98673dd571e465aa4_JaffaCakes118.exe"

C:\Windows\SysWOW64\Windows.Security.Authentication.OnlineId\WMPhoto.exe

"C:\Windows\SysWOW64\Windows.Security.Authentication.OnlineId\WMPhoto.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
AR 190.192.39.136:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 5.189.168.53:8080 tcp
US 162.241.41.111:7080 tcp
CO 190.85.46.52:7080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
AR 190.190.15.20:80 tcp
AR 181.95.133.104:80 tcp

Files

memory/2528-1-0x0000000001F60000-0x0000000001F72000-memory.dmp

memory/2528-4-0x0000000001F80000-0x0000000001F90000-memory.dmp

memory/2528-7-0x0000000000490000-0x000000000049F000-memory.dmp

C:\Windows\SysWOW64\Windows.Security.Authentication.OnlineId\WMPhoto.exe

MD5 b772c25ca51e73e98673dd571e465aa4
SHA1 7492bea26e064eeb61c324f8164a2f2b0f525e16
SHA256 1b36e125727aaa956a3ce21848c8264b2faa4b18bf8f9603a69cd685065a1e44
SHA512 0be35eb20aa89f12707a52931c1bb28a05c7a1a90343fde958c1eb714fc36c4391b647d9d6453a50c10feeab833e04b5f9503242685ab575a169f3c4d9cf63d7

memory/2528-9-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3508-14-0x00000000005E0000-0x00000000005F0000-memory.dmp

memory/3508-10-0x0000000000570000-0x0000000000582000-memory.dmp