Malware Analysis Report

2024-10-19 10:22

Sample ID 240617-zcwzhatalg
Target b9ebda873738c0085d326db3fb580585_JaffaCakes118
SHA256 ec61ad3dc501ed0fdecfe3abd8916e1ce6246ceb99cfa9f8f9736aad0ac5529b
Tags
emotet banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ec61ad3dc501ed0fdecfe3abd8916e1ce6246ceb99cfa9f8f9736aad0ac5529b

Threat Level: Known bad

The file b9ebda873738c0085d326db3fb580585_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet banker trojan

Emotet

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 20:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 20:34

Reported

2024-06-17 20:37

Platform

win7-20240611-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe"

C:\Windows\SysWOW64\channelpowr.exe

"C:\Windows\SysWOW64\channelpowr.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 20:34

Reported

2024-06-17 20:37

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe"

C:\Windows\SysWOW64\catchsketch.exe

"C:\Windows\SysWOW64\catchsketch.exe"

C:\Windows\SysWOW64\catchsketch.exe

"C:\Windows\SysWOW64\catchsketch.exe"

Network

Country  Destination         Domain                 Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa   udp
US       108.246.196.73:80                          tcp
US       129.89.95.110:80                           tcp
US       129.89.95.199:80                           tcp
US       97.89.253.146:80                           tcp
US       73.4.58.41:80                              tcp

Files