Analysis Overview
SHA256
5f8a58e4921892171b5e17cd90631408fd62797e66d199ffe82b4ac6f00f92f5
Threat Level: Known bad
The file 2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Blocklisted process makes network request
Loads dropped DLL
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 09:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 09:36
Reported
2024-07-09 12:30
Platform
win7-20240704-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Emotet
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Krivurdjh\gttqqrdloovl.qjc | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Krivurdjh\gttqqrdloovl.qjc",nPDSOQmiXNRiX
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Krivurdjh\gttqqrdloovl.qjc",#1
Network
| Country | Destination | Domain | Proto |
| RO | 84.232.229.24:80 | tcp | |
| RO | 84.232.229.24:80 | tcp | |
| FR | 51.255.203.164:8080 | tcp | |
| FR | 51.255.203.164:8080 | tcp | |
| DE | 217.160.169.110:8080 | tcp | |
| DE | 217.160.169.110:8080 | tcp |
Files
memory/2444-0-0x0000000000120000-0x0000000000141000-memory.dmp
memory/2444-1-0x0000000010000000-0x0000000010024000-memory.dmp
memory/2444-2-0x0000000010000000-0x0000000010024000-memory.dmp
memory/548-3-0x0000000010000000-0x0000000010024000-memory.dmp
memory/548-4-0x0000000010000000-0x0000000010024000-memory.dmp
memory/2060-5-0x0000000010000000-0x0000000010024000-memory.dmp
memory/2060-6-0x0000000010000000-0x0000000010024000-memory.dmp
memory/2060-7-0x0000000010000000-0x0000000010024000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 09:36
Reported
2024-07-09 12:30
Platform
win10v2004-20240704-en
Max time kernel
134s
Max time network
130s
Command Line
Signatures
Emotet
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ewvtyh\wvnef.mxn | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 552 wrote to memory of 1212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 552 wrote to memory of 1212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 552 wrote to memory of 1212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1556 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1556 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1556 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,18261153038209191383,10347744459236715365,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ewvtyh\wvnef.mxn",ExUncJPB
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/1212-1-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1212-0-0x0000000000690000-0x00000000006B1000-memory.dmp
memory/1212-3-0x0000000010000000-0x0000000010024000-memory.dmp
C:\Windows\SysWOW64\Ewvtyh\wvnef.mxn
| MD5 | 2fd8b79298b2379b06c7a53f66210f07 |
| SHA1 | b1d908d7269c0ad8a6a199c7f8ba11a135aa0b5f |
| SHA256 | 5f8a58e4921892171b5e17cd90631408fd62797e66d199ffe82b4ac6f00f92f5 |
| SHA512 | e14ca65290b46720ad589d7a9db60bc489220291f97cf25b230f0be43a2871030f33e5ac199bdb30b3666645763bf2633b7f742bd94e622ce5c4248d54a06437 |