Analysis Overview
SHA256
16c5323730ece2fb025d13b9538c3456b5161a6818c6e8fee5c0d23cc2d22d82
Threat Level: Known bad
The file 3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Emotet
Blocklisted process makes network request
Loads dropped DLL
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 15:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 15:49
Reported
2024-07-10 15:51
Platform
win7-20240708-en
Max time kernel
130s
Max time network
140s
Command Line
Signatures
Emotet
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Phfvfxueatdeqps\ffaxzrbmrwlqsu.zfr | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Phfvfxueatdeqps\ffaxzrbmrwlqsu.zfr",MSIhQtRL
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Phfvfxueatdeqps\ffaxzrbmrwlqsu.zfr",#1
Network
| Country | Destination | Domain | Proto |
| RO | 84.232.229.24:80 | | tcp |
| RO | 84.232.229.24:80 | | tcp |
| FR | 51.255.203.164:8080 | | tcp |
| FR | 51.255.203.164:8080 | | tcp |
| DE | 217.160.169.110:8080 | | tcp |
| DE | 217.160.169.110:8080 | | tcp |
Files
memory/2308-1-0x0000000010000000-0x0000000010024000-memory.dmp
memory/2308-0-0x00000000000C0000-0x00000000000E1000-memory.dmp
memory/2308-2-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1724-3-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1768-4-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1768-5-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1768-6-0x0000000010000000-0x0000000010024000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 15:49
Reported
2024-07-10 15:51
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Emotet
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Weoupyqqcmau\emnpijggyed.gtk | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3144 wrote to memory of 3376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3144 wrote to memory of 3376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3144 wrote to memory of 3376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3376 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3376 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3376 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Weoupyqqcmau\emnpijggyed.gtk",zrZYuRlDXsO
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/3376-0-0x0000000000F70000-0x0000000000F91000-memory.dmp
memory/3376-1-0x0000000010000000-0x0000000010024000-memory.dmp
memory/3376-3-0x0000000010000000-0x0000000010024000-memory.dmp
C:\Windows\SysWOW64\Weoupyqqcmau\emnpijggyed.gtk
| MD5 | 3560f77ebc1e8ca452b3c8c2b3ab2f55 |
| SHA1 | d72e197548dddb39e6e900905ba7f82a40d65e0b |
| SHA256 | 16c5323730ece2fb025d13b9538c3456b5161a6818c6e8fee5c0d23cc2d22d82 |
| SHA512 | 301588fd4fbcfccfff0eaa07ed2a01ef86099f9e40a902a7acfce303814b6278401b291eceae50b0233013638e5a560f28b1a62fcf7a26d139bd8ec2714a28a1 |