Malware Analysis Report

2024-09-22 22:21

Sample ID 240617-yhxbsawbmk
Target b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118
SHA256 dda9f44bce3400c926aa5263bf9640dbdb6599f5f33db219deac1da0de4568fa
Tags
emotet epoch1 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dda9f44bce3400c926aa5263bf9640dbdb6599f5f33db219deac1da0de4568fa

Threat Level: Known bad

The file b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 19:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 19:47

Reported

2024-06-17 19:50

Platform

win7-20240419-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\wsatrns.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecisionReason = "1" C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\wsatrns.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc C:\Windows\SysWOW64\wsatrns.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\32-0d-03-16-96-cc C:\Windows\SysWOW64\wsatrns.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\wsatrns.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\wsatrns.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F} C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecision = "0" C:\Windows\SysWOW64\wsatrns.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00dc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecisionTime = e0db3149efc0da01 C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecisionReason = "1" C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\wsatrns.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecisionTime = e0db3149efc0da01 C:\Windows\SysWOW64\wsatrns.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecision = "0" C:\Windows\SysWOW64\wsatrns.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wsatrns.exe N/A
N/A N/A C:\Windows\SysWOW64\wsatrns.exe N/A
N/A N/A C:\Windows\SysWOW64\wsatrns.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe

--e879b88c

C:\Windows\SysWOW64\wsatrns.exe

"C:\Windows\SysWOW64\wsatrns.exe"

C:\Windows\SysWOW64\wsatrns.exe

--c0e3ccde

Network

Country Destination Domain Proto
US 63.248.198.8:80 tcp
US 63.248.198.8:80 tcp
BR 189.19.81.181:443 tcp
BR 189.19.81.181:443 tcp
BG 130.204.247.253:80 tcp
BG 130.204.247.253:80 tcp

Files

memory/1992-5-0x00000000002B0000-0x00000000002C1000-memory.dmp

memory/1992-0-0x00000000002D0000-0x00000000002E7000-memory.dmp

memory/2412-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2412-7-0x00000000002E0000-0x00000000002F7000-memory.dmp

memory/1780-12-0x0000000000340000-0x0000000000357000-memory.dmp

memory/2412-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2440-18-0x00000000003C0000-0x00000000003D7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 19:47

Reported

2024-06-17 19:50

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\hantprint.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\hantprint.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\hantprint.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\hantprint.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\hantprint.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\hantprint.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\hantprint.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b9b6ed320abb4ae798b19b20ed1ea24b_JaffaCakes118.exe

--e879b88c

C:\Windows\SysWOW64\hantprint.exe

"C:\Windows\SysWOW64\hantprint.exe"

C:\Windows\SysWOW64\hantprint.exe

--4abf4a64

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 63.248.198.8:80 tcp
BR 189.19.81.181:443 tcp
BG 130.204.247.253:80 tcp
US 96.126.121.64:443 tcp
US 104.236.137.72:8080 tcp
GB 85.234.143.94:8080 tcp

Files

memory/1924-0-0x0000000002210000-0x0000000002211000-memory.dmp

memory/1924-1-0x0000000002380000-0x0000000002397000-memory.dmp

memory/1924-6-0x0000000002360000-0x0000000002371000-memory.dmp

memory/3860-7-0x0000000002220000-0x0000000002237000-memory.dmp

memory/1548-13-0x0000000000CE0000-0x0000000000CF7000-memory.dmp

memory/4224-19-0x0000000000590000-0x00000000005A7000-memory.dmp

memory/3860-24-0x0000000000400000-0x0000000000438000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\01edac8cae020cd42786e051ebe37b67_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f

MD5 5f22af36aff2e43cacf9a56ba4166900
SHA1 914ede992f5edd5523a3a127a88f7bca60c69665
SHA256 e0671a7dbf4fca7d937ff1300471c5823a57786710faba9f85daf9e843281e3a
SHA512 f7fd666c6dcdae2bf235bb2b00791cf00519579e3181e5e3fd67e70c9a4027d48335b6498f6116efa5e513b7750b0eebeb484a63555d277939923bb48d4f3bc8