Malware Analysis Report

2024-10-18 21:14

Sample ID 240709-lkyleazcmc
Target 2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118
SHA256 5f8a58e4921892171b5e17cd90631408fd62797e66d199ffe82b4ac6f00f92f5
Tags
emotet epoch1 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f8a58e4921892171b5e17cd90631408fd62797e66d199ffe82b4ac6f00f92f5

Threat Level: Known bad

The file 2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 09:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 09:36

Reported

2024-07-09 12:30

Platform

win7-20240704-en

Max time kernel

143s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1

Signatures

Emotet

trojan banker emotet

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Krivurdjh\gttqqrdloovl.qjc C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 2444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 548 wrote to memory of 2060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 548 wrote to memory of 2060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 548 wrote to memory of 2060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 548 wrote to memory of 2060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 548 wrote to memory of 2060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 548 wrote to memory of 2060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 548 wrote to memory of 2060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Krivurdjh\gttqqrdloovl.qjc",nPDSOQmiXNRiX

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Krivurdjh\gttqqrdloovl.qjc",#1

Network

Country Destination Domain Proto
RO 84.232.229.24:80 tcp
RO 84.232.229.24:80 tcp
FR 51.255.203.164:8080 tcp
FR 51.255.203.164:8080 tcp
DE 217.160.169.110:8080 tcp
DE 217.160.169.110:8080 tcp

Files

memory/2444-0-0x0000000000120000-0x0000000000141000-memory.dmp

memory/2444-1-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2444-2-0x0000000010000000-0x0000000010024000-memory.dmp

memory/548-3-0x0000000010000000-0x0000000010024000-memory.dmp

memory/548-4-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2060-5-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2060-6-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2060-7-0x0000000010000000-0x0000000010024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 09:36

Reported

2024-07-09 12:30

Platform

win10v2004-20240704-en

Max time kernel

134s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1

Signatures

Emotet

trojan banker emotet

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ewvtyh\wvnef.mxn C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 1212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 552 wrote to memory of 1212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 552 wrote to memory of 1212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1556 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1556 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1556 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd8b79298b2379b06c7a53f66210f07_JaffaCakes118.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,18261153038209191383,10347744459236715365,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ewvtyh\wvnef.mxn",ExUncJPB

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1212-1-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1212-0-0x0000000000690000-0x00000000006B1000-memory.dmp

memory/1212-3-0x0000000010000000-0x0000000010024000-memory.dmp

C:\Windows\SysWOW64\Ewvtyh\wvnef.mxn

MD5 2fd8b79298b2379b06c7a53f66210f07
SHA1 b1d908d7269c0ad8a6a199c7f8ba11a135aa0b5f
SHA256 5f8a58e4921892171b5e17cd90631408fd62797e66d199ffe82b4ac6f00f92f5
SHA512 e14ca65290b46720ad589d7a9db60bc489220291f97cf25b230f0be43a2871030f33e5ac199bdb30b3666645763bf2633b7f742bd94e622ce5c4248d54a06437