Analysis Overview
SHA256
e0653dc038521d02b48f6e69f3b62836d87eb4b4305e6a5f4540ad72b7cb5103
Threat Level: Shows suspicious behavior
The file a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 19:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 19:32
Reported
2024-04-03 19:34
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\outlook.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe"
C:\Windows\outlook.exe
C:\Windows\outlook.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 19:32
Reported
2024-04-03 19:34
Platform
win10v2004-20240226-en
Max time kernel
99s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\outlook.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\crc32.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\outlook.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3440 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | C:\Windows\outlook.exe |
| PID 3440 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | C:\Windows\outlook.exe |
| PID 3440 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe | C:\Windows\outlook.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe"
C:\Windows\outlook.exe
C:\Windows\outlook.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 29868
Network
Files