Analysis Overview
SHA256
0af60ba74492baa301258fb783bdd28b2b9b0594985f0eefd2aea353082bd18c
Threat Level: Shows suspicious behavior
The file a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 18:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 18:46
Reported
2024-04-03 18:48
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\outlook.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe"
C:\Windows\outlook.exe
C:\Windows\outlook.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:1434 | N/A | tcp |
| N/A | 127.0.0.1:1433 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 52.101.40.6:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 52.101.9.14:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 52.101.194.17:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | natalya.videolan.org | udp |
| FR | 213.36.253.119:25 | natalya.videolan.org | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | mx-in-vib.apple.com | udp |
| US | 8.8.8.8:53 | adobe.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | adobe.mail.protection.outlook.com | udp |
| US | 17.57.170.2:25 | mx-in-vib.apple.com | tcp |
| US | 52.101.8.46:25 | adobe.mail.protection.outlook.com | tcp |
| US | 52.101.9.0:25 | adobe.mail.protection.outlook.com | tcp |
| US | 52.101.11.0:25 | microsoft-com.mail.protection.outlook.com | tcp |
Files
memory/1712-0-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.exe
| MD5 | 0e9379e357aba95f8b9883af9b67675e |
| SHA1 | 280a174a414e5b8588f42b6328af2c8c8ff4394f |
| SHA256 | 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28 |
| SHA512 | 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784 |
memory/1712-15-0x0000000000400000-0x000000000040C000-memory.dmp
memory/852-40-0x0000000000400000-0x000000000047E000-memory.dmp
memory/852-54-0x0000000000400000-0x000000000047E000-memory.dmp
memory/852-66-0x0000000000400000-0x000000000047E000-memory.dmp
memory/852-70-0x0000000000400000-0x000000000047E000-memory.dmp
memory/852-71-0x0000000000400000-0x000000000047E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 18:46
Reported
2024-04-03 18:49
Platform
win10v2004-20240319-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\outlook.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\crc32.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\outlook.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4908 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | C:\Windows\outlook.exe |
| PID 4908 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | C:\Windows\outlook.exe |
| PID 4908 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe | C:\Windows\outlook.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe"
C:\Windows\outlook.exe
C:\Windows\outlook.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 39664
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4016 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.184.56.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:1434 | N/A | tcp |
| N/A | 127.0.0.1:1433 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | inbound-reply.s7.exacttarget.com | udp |
| US | 8.8.8.8:53 | smtp.google.com | udp |
| US | 52.101.8.49:25 | microsoft-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| US | 136.147.189.244:25 | inbound-reply.s7.exacttarget.com | tcp |
| BE | 108.177.15.27:25 | smtp.google.com | tcp |
| NL | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | letterbox.kde.org | udp |
| US | 8.8.8.8:53 | incoming-relays.illinois.edu | udp |
| US | 8.8.8.8:53 | nokia-com.mail.protection.outlook.com | udp |
| GB | 46.43.1.242:25 | letterbox.kde.org | tcp |
| US | 148.163.135.28:25 | incoming-relays.illinois.edu | tcp |
| IE | 52.101.68.36:25 | nokia-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/4908-0-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.exe
| MD5 | 0e9379e357aba95f8b9883af9b67675e |
| SHA1 | 280a174a414e5b8588f42b6328af2c8c8ff4394f |
| SHA256 | 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28 |
| SHA512 | 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784 |
memory/4908-8-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2392-19-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Windows\outlook.cfg
| MD5 | 1b791a9deb6baa82865c97051064d29b |
| SHA1 | 0b8158c8fba3bff48214109c05a83fb0441ec14c |
| SHA256 | 6b41b33f76fe9ca2e5d9c25b5da32dc66eac89eceb46f227f6794db400fe40bc |
| SHA512 | 5dc78f4107602291018baf427e54b7d18a9fc0f7d577ccf828e17ca791b15f1c2440a7b32505abae829caeb1e8730880a5f3209ac97c8d1bdbe38deaa643b04f |
C:\Windows\outlook.cfg
| MD5 | c82022d76bfb8965c1b3b3cf9ccd68a4 |
| SHA1 | 948c73c98c4a0d8ce550ed595c499f4dc91a68a4 |
| SHA256 | 89f4b501f7f9ca8d9ed2c2ce8beb31cf95a0ba0a8fdcce98146b433832f042e1 |
| SHA512 | 596e85a7cb62f8feccdd9423eadbdf79d9077eb5a7fec8837bc44339b739c86636ce431720519f8ca3e0fd95b4325ff0d8394eea90a30f79a7a862dfcf8f313c |
C:\Windows\outlook.cfg
| MD5 | 02096ea090aecdb16b13da71c8eb1198 |
| SHA1 | 260a658884cd0c1fe0d01b8b0913655535489561 |
| SHA256 | 8de50c81774b01171d15f54bcde216d9fe78861cf5697fc73b10307dd6b72d17 |
| SHA512 | b4cbe17d740cf47542d82c273faedb9339d4d2e404779320ea2a62e838237353610a19509f48179ff97505ffc45b0fd5ce4b17d3b6888de949b0aa3eb0e0c28e |
C:\Windows\outlook.cfg
| MD5 | ab335f7c69727d9028e4c5c3c5960489 |
| SHA1 | 86ed5a6ab4816538bf29c16b964530f778421bc1 |
| SHA256 | 6285c41eeb4ba18be803af2f800ee74963a304e717a55a50147d80568c4db58d |
| SHA512 | f2ddc3e06f2409d1e1f1e96328c09e7b0f1efd858f0a1b891e9aafae322f565a4239c3f32db5f9f17d0e5c33098af0bdea3ba0968ffd0d62b47ef90177990e40 |
memory/2392-103-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Windows\outlook.cfg
| MD5 | 323c82a0a7326e718a9460e82310a00f |
| SHA1 | 780c63b2928ef6c56890298b79a37ac06edc6a20 |
| SHA256 | 95ec3e379a36e5062ec46a2c40a30a3fbd952f3083d041502e75cb2e5147921f |
| SHA512 | fa2381d7f26b9e46b350ef8719a2c9a8e8965eab7d509d514cca6b3842606e51814537dee8cfea0d63ff6af9aca6343e75a6ef59d9d2f2b509e36fa068a15631 |
memory/2392-124-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2392-125-0x0000000000400000-0x000000000047E000-memory.dmp