Malware Analysis Report

2025-01-03 05:37

Sample ID 240714-wcd7xatbrc
Target 46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118
SHA256 b3ea2eb443529e63babd54926a44d3d269a564972beca227ad47ccc59e767da9
Tags
emotet banker trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet banker trojan

Emotet

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-07-14 17:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 17:46

Reported

2024-07-14 17:48

Platform

win7-20240704-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\devguids.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadDecision = "0" | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d\WpadDecisionReason = "1" | C:\Windows\SysWOW64\devguids.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\devguids.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadDecisionTime = e08df7cc15d6da01 | C:\Windows\SysWOW64\devguids.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\devguids.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1}\52-1b-c5-8d-86-5d | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d\WpadDecisionTime = e08df7cc15d6da01 | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d\WpadDecision = "0" | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0092000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\devguids.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-1b-c5-8d-86-5d | C:\Windows\SysWOW64\devguids.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\devguids.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\devguids.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69E95BF7-C33A-4383-BC4A-61E2D945B5D1} | C:\Windows\SysWOW64\devguids.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe"

C:\Windows\SysWOW64\devguids.exe

"C:\Windows\SysWOW64\devguids.exe"

C:\Windows\SysWOW64\devguids.exe

"C:\Windows\SysWOW64\devguids.exe"

Network

Country | Destination | Domain | Proto
LT | 212.122.71.196:995 | | tcp
LT | 212.122.71.196:995 | | tcp
TH | 58.9.168.7:990 | | tcp
TH | 58.9.168.7:990 | | tcp
US | 73.183.131.231:990 | | tcp
US | 73.183.131.231:990 | | tcp

Files

memory/2704-0-0x00000000003A0000-0x00000000003B2000-memory.dmp
memory/2704-1-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2780-2-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2704-4-0x00000000003A0000-0x00000000003B2000-memory.dmp
memory/2780-5-0x0000000000400000-0x0000000000415000-memory.dmp
memory/3036-6-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2724-7-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2780-9-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2724-10-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2724-11-0x0000000000400000-0x0000000000415000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 17:46

Reported

2024-07-14 17:48

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\wcssource.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\wcssource.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\wcssource.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\wcssource.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\wcssource.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\wcssource.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\wcssource.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\46dc2c76f068aec1a2c932c6305a5cd1_JaffaCakes118.exe"

C:\Windows\SysWOW64\wcssource.exe

"C:\Windows\SysWOW64\wcssource.exe"

C:\Windows\SysWOW64\wcssource.exe

"C:\Windows\SysWOW64\wcssource.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 173.3.29.123:7080 | | tcp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
ZA | 105.185.141.205:80 | | tcp
IE | 52.111.236.23:443 | | tcp
US | 207.255.210.196:80 | | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
AR | 190.211.207.11:443 | | tcp
TR | 85.104.59.244:20 | | tcp

Files

memory/4640-0-0x00000000021A0000-0x00000000021B2000-memory.dmp
memory/4640-1-0x0000000000400000-0x0000000000415000-memory.dmp
memory/4184-2-0x0000000000400000-0x000000000045A000-memory.dmp
memory/4184-4-0x0000000000400000-0x0000000000415000-memory.dmp
memory/4640-5-0x00000000021A0000-0x00000000021B2000-memory.dmp
memory/3000-6-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2556-7-0x0000000000400000-0x000000000045A000-memory.dmp
memory/4184-9-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2556-10-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2556-11-0x0000000000400000-0x0000000000415000-memory.dmp