Analysis Overview
SHA256
2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958
Threat Level: Known bad
The file 01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Emotet payload
Executes dropped EXE
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-26 23:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 23:07
Reported
2024-04-26 23:10
Platform
win7-20240419-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1824 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe |
| PID 1824 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe |
| PID 1824 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe |
| PID 1824 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | C:\Windows\SysWOW64\rpchttp\dmdlgs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"
C:\Windows\SysWOW64\rpchttp\dmdlgs.exe
"C:\Windows\SysWOW64\rpchttp\dmdlgs.exe"
Network
| Country | Destination | Domain | Proto |
| JP | 49.243.9.118:80 | tcp | |
| JP | 49.243.9.118:80 | tcp | |
| US | 162.241.41.111:7080 | tcp | |
| US | 162.241.41.111:7080 | tcp | |
| CO | 190.85.46.52:7080 | tcp | |
| CO | 190.85.46.52:7080 | tcp | |
| US | 162.144.42.60:8080 | tcp |
Files
memory/1824-7-0x00000000002D0000-0x00000000002DF000-memory.dmp
memory/1824-4-0x0000000000300000-0x0000000000310000-memory.dmp
memory/1824-0-0x00000000002E0000-0x00000000002F2000-memory.dmp
memory/1824-9-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\rpchttp\dmdlgs.exe
| MD5 | 01df36c8891a9ce3570cad7f06bc2914 |
| SHA1 | 8fb82853c826f20245bba22edcb0d963ef04f624 |
| SHA256 | 2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958 |
| SHA512 | 66636dc4f45898d8aa2fd1aabf6f027fd4a47dcbba2c62fa9246207a6e8a86c0ca5c40e8f5ecf76e5625ab97755b76e3f169167d3a3b0a582f6dcda7f8d7e8e3 |
memory/2556-14-0x00000000003F0000-0x0000000000400000-memory.dmp
memory/2556-10-0x00000000003D0000-0x00000000003E2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-26 23:07
Reported
2024-04-26 23:10
Platform
win10v2004-20240419-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Emotet
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\itircl\netlogon.exe | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\itircl\netlogon.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1596 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | C:\Windows\SysWOW64\itircl\netlogon.exe |
| PID 1596 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | C:\Windows\SysWOW64\itircl\netlogon.exe |
| PID 1596 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe | C:\Windows\SysWOW64\itircl\netlogon.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01df36c8891a9ce3570cad7f06bc2914_JaffaCakes118.exe"
C:\Windows\SysWOW64\itircl\netlogon.exe
"C:\Windows\SysWOW64\itircl\netlogon.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| JP | 49.243.9.118:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 162.241.41.111:7080 | tcp | |
| CO | 190.85.46.52:7080 | tcp | |
| US | 162.144.42.60:8080 | tcp | |
| US | 157.245.138.101:7080 | tcp | |
| IN | 103.133.66.57:443 | tcp |
Files
memory/1596-0-0x00000000007B0000-0x00000000007C2000-memory.dmp
memory/1596-4-0x0000000002270000-0x0000000002280000-memory.dmp
memory/1596-7-0x00000000007A0000-0x00000000007AF000-memory.dmp
C:\Windows\SysWOW64\itircl\netlogon.exe
| MD5 | 01df36c8891a9ce3570cad7f06bc2914 |
| SHA1 | 8fb82853c826f20245bba22edcb0d963ef04f624 |
| SHA256 | 2b6997c32bc12b4f9b55a22435d4492125df7bb085d4ec9a2301aec017cd2958 |
| SHA512 | 66636dc4f45898d8aa2fd1aabf6f027fd4a47dcbba2c62fa9246207a6e8a86c0ca5c40e8f5ecf76e5625ab97755b76e3f169167d3a3b0a582f6dcda7f8d7e8e3 |
memory/1596-9-0x0000000000400000-0x0000000000447000-memory.dmp
memory/4156-14-0x0000000002190000-0x00000000021A0000-memory.dmp
memory/4156-10-0x0000000002170000-0x0000000002182000-memory.dmp