Malware Analysis Report

2024-09-22 22:22

Sample ID 240618-hxga4sscrb
Target ba5925436e1c88f13708b8cded39d582_JaffaCakes118
SHA256 4b40294e7903166a5eb55caf68250cf8d0d9020193468d23798672fb621b2fb0
Tags
emotet epoch1 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b40294e7903166a5eb55caf68250cf8d0d9020193468d23798672fb621b2fb0

Threat Level: Known bad

The file ba5925436e1c88f13708b8cded39d582_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 07:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 07:06

Reported

2024-06-18 07:09

Platform

win7-20240419-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 24.249.135.121:80 tcp
US 24.249.135.121:80 tcp
DE 185.94.252.13:443 tcp
DE 185.94.252.13:443 tcp
ES 149.62.173.247:8080 tcp
ES 149.62.173.247:8080 tcp
US 50.28.51.143:8080 tcp

Files

memory/2288-0-0x00000000001F0000-0x00000000001FC000-memory.dmp

memory/2288-4-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/2288-5-0x00000000001F0000-0x00000000001FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 07:06

Reported

2024-06-18 07:09

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\perfnet\gpupdate.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\perfnet\gpupdate.exe C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\perfnet\gpupdate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ba5925436e1c88f13708b8cded39d582_JaffaCakes118.exe"

C:\Windows\SysWOW64\perfnet\gpupdate.exe

"C:\Windows\SysWOW64\perfnet\gpupdate.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
BE 2.17.107.115:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 115.107.17.2.in-addr.arpa udp
US 24.249.135.121:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 185.94.252.13:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
ES 149.62.173.247:8080 tcp
US 50.28.51.143:8080 tcp
RU 80.249.176.206:80 tcp
FR 5.196.35.138:7080 tcp

Files

memory/2996-0-0x0000000002140000-0x000000000214C000-memory.dmp

memory/2996-4-0x0000000002130000-0x0000000002139000-memory.dmp

C:\Windows\SysWOW64\perfnet\gpupdate.exe

MD5 ba5925436e1c88f13708b8cded39d582
SHA1 fed33ffcb50ddc1fded78d420eabe9c4a7a70fee
SHA256 4b40294e7903166a5eb55caf68250cf8d0d9020193468d23798672fb621b2fb0
SHA512 fe6e15e6515ff080b28eccf016fa59625aeb2188da51fd93e175b3af246d8d835582d2c657ec214eb47e4d7da722131fec8b1ca458a7438d6fd11de26ebbc755

memory/2996-7-0x0000000000700000-0x0000000000708000-memory.dmp

memory/2996-6-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2996-8-0x0000000002340000-0x0000000002431000-memory.dmp

memory/2236-10-0x0000000002290000-0x000000000229C000-memory.dmp

memory/2236-13-0x0000000002290000-0x000000000229C000-memory.dmp

memory/2236-14-0x0000000000690000-0x0000000000698000-memory.dmp

memory/2236-15-0x0000000002180000-0x0000000002271000-memory.dmp