Malware Analysis Report

2024-10-18 21:13

Sample ID 240710-s9de4awdpp
Target 3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118
SHA256 16c5323730ece2fb025d13b9538c3456b5161a6818c6e8fee5c0d23cc2d22d82
Tags
emotet epoch1 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16c5323730ece2fb025d13b9538c3456b5161a6818c6e8fee5c0d23cc2d22d82

Threat Level: Known bad

The file 3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

emotet epoch1 banker trojan

Emotet

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 15:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 15:49

Reported

2024-07-10 15:51

Platform

win7-20240708-en

Max time kernel

130s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1

Signatures

Emotet

trojan banker emotet

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Phfvfxueatdeqps\ffaxzrbmrwlqsu.zfr C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Phfvfxueatdeqps\ffaxzrbmrwlqsu.zfr",MSIhQtRL

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Phfvfxueatdeqps\ffaxzrbmrwlqsu.zfr",#1

Network

Country Destination Domain Proto
RO 84.232.229.24:80 tcp
RO 84.232.229.24:80 tcp
FR 51.255.203.164:8080 tcp
FR 51.255.203.164:8080 tcp
DE 217.160.169.110:8080 tcp
DE 217.160.169.110:8080 tcp

Files

memory/2308-1-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2308-0-0x00000000000C0000-0x00000000000E1000-memory.dmp

memory/2308-2-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1724-3-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1768-4-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1768-5-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1768-6-0x0000000010000000-0x0000000010024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 15:49

Reported

2024-07-10 15:51

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1

Signatures

Emotet

trojan banker emotet

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Weoupyqqcmau\emnpijggyed.gtk C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 3376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3144 wrote to memory of 3376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3144 wrote to memory of 3376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3376 wrote to memory of 880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3376 wrote to memory of 880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3376 wrote to memory of 880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3560f77ebc1e8ca452b3c8c2b3ab2f55_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Weoupyqqcmau\emnpijggyed.gtk",zrZYuRlDXsO

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/3376-0-0x0000000000F70000-0x0000000000F91000-memory.dmp

memory/3376-1-0x0000000010000000-0x0000000010024000-memory.dmp

memory/3376-3-0x0000000010000000-0x0000000010024000-memory.dmp

C:\Windows\SysWOW64\Weoupyqqcmau\emnpijggyed.gtk

MD5 3560f77ebc1e8ca452b3c8c2b3ab2f55
SHA1 d72e197548dddb39e6e900905ba7f82a40d65e0b
SHA256 16c5323730ece2fb025d13b9538c3456b5161a6818c6e8fee5c0d23cc2d22d82
SHA512 301588fd4fbcfccfff0eaa07ed2a01ef86099f9e40a902a7acfce303814b6278401b291eceae50b0233013638e5a560f28b1a62fcf7a26d139bd8ec2714a28a1