Malware Analysis Report

2024-09-22 22:21

Sample ID 240618-j74d3ayfrk
Target bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118
SHA256 d5c0a411af657f6a0b3fe287ae0b30722817644bc72c684c30abb1934385ae85
Tags
emotet epoch1 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d5c0a411af657f6a0b3fe287ae0b30722817644bc72c684c30abb1934385ae85

Threat Level: Known bad

The file bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Emotet payload

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 08:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 08:19

Reported

2024-06-18 08:22

Platform

win7-20240419-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe"

Network

Country Destination Domain Proto
AU 202.22.141.45:80 tcp
AU 202.22.141.45:80 tcp
FR 37.187.161.206:8080 tcp
FR 37.187.161.206:8080 tcp
TH 202.29.239.162:443 tcp
TH 202.29.239.162:443 tcp

Files

memory/2888-4-0x0000000000390000-0x00000000003A0000-memory.dmp

memory/2888-0-0x00000000002F0000-0x0000000000302000-memory.dmp

memory/2888-7-0x00000000002E0000-0x00000000002EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 08:19

Reported

2024-06-18 08:22

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PSHED\webservices.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\PSHED\webservices.exe C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\PSHED\webservices.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bab3a59818b377a3e6645a7abf3c3834_JaffaCakes118.exe"

C:\Windows\SysWOW64\PSHED\webservices.exe

"C:\Windows\SysWOW64\PSHED\webservices.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.250:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 250.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
AU 202.22.141.45:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
FR 37.187.161.206:8080 tcp
TH 202.29.239.162:443 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
RU 80.87.201.221:7080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RO 82.76.111.249:443 tcp
US 216.47.196.104:80 tcp
N/A 20.42.65.91:443 tcp

Files

memory/1848-4-0x00000000007D0000-0x00000000007E0000-memory.dmp

memory/1848-0-0x0000000002300000-0x0000000002312000-memory.dmp

memory/1848-7-0x00000000007C0000-0x00000000007CF000-memory.dmp

C:\Windows\SysWOW64\PSHED\webservices.exe

MD5 bab3a59818b377a3e6645a7abf3c3834
SHA1 e0ed543dd5f8eac50f24607ceb4cd2957ae55b3e
SHA256 d5c0a411af657f6a0b3fe287ae0b30722817644bc72c684c30abb1934385ae85
SHA512 d9e2b9cbaa56206ca04a9920500aa899eaf3c470eeea37f57b78c736510da707d53d51368ca0ec1aaf4c32a146ec1009630e6b4fd7274842d28deeae0c64dddd

memory/1848-9-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1992-10-0x00000000021F0000-0x0000000002202000-memory.dmp

memory/1992-14-0x00000000006B0000-0x00000000006C0000-memory.dmp