Analysis Overview
SHA256
deb12559fd7e424bae5f92a77b828b8f025e4e0410f52641ff8ac3020965f28a
Threat Level: Shows suspicious behavior
The file e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 00:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 00:01
Reported
2024-04-07 00:04
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\outlook.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe"
C:\Windows\outlook.exe
C:\Windows\outlook.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:1434 | N/A | tcp |
| N/A | 127.0.0.1:1433 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 52.101.42.9:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 52.101.11.9:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 52.101.10.5:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
Files
memory/2096-0-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.exe
| MD5 | 0e9379e357aba95f8b9883af9b67675e |
| SHA1 | 280a174a414e5b8588f42b6328af2c8c8ff4394f |
| SHA256 | 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28 |
| SHA512 | 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784 |
memory/2096-25-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.cfg
| MD5 | 9ff2a34c10d73233495c97e67a6f570d |
| SHA1 | 5915653342c94dc03147ee6d561f99d0126f6e1e |
| SHA256 | 2c8db2d988f352266c9645e1f251d53af63a0785989475003d6ed1088ca1fd28 |
| SHA512 | 4a88f7ecb1ac7be4e7e8e907773971910a5c5cc98e9a74e7ce7c0f5b0b28931f3d909753efdaaac20fe53cba70a130cec18126004c509802df1386741e453811 |
memory/2464-53-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2464-71-0x0000000000400000-0x000000000047E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 00:01
Reported
2024-04-07 00:04
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\outlook.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\crc32.cfg | C:\Windows\outlook.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\outlook.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3316 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | C:\Windows\outlook.exe |
| PID 3316 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | C:\Windows\outlook.exe |
| PID 3316 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe | C:\Windows\outlook.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe"
C:\Windows\outlook.exe
C:\Windows\outlook.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2444 -ip 2444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 29860
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:1434 | N/A | tcp |
| N/A | 127.0.0.1:1433 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | smtp.google.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 142.251.9.27:25 | aspmx3.googlemail.com | tcp |
| US | 104.47.54.36:25 | microsoft-com.mail.protection.outlook.com | tcp |
| BE | 64.233.184.27:25 | smtp.google.com | tcp |
| US | 8.8.8.8:53 | inbound-reply.s7.exacttarget.com | udp |
| US | 136.147.189.244:25 | inbound-reply.s7.exacttarget.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | nokia-com.mail.protection.outlook.com | udp |
| NL | 52.101.73.30:25 | nokia-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | incoming-relays.illinois.edu | udp |
| US | 148.163.139.28:25 | incoming-relays.illinois.edu | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | letterbox.kde.org | udp |
| GB | 46.43.1.242:25 | letterbox.kde.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/3316-0-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.exe
| MD5 | 0e9379e357aba95f8b9883af9b67675e |
| SHA1 | 280a174a414e5b8588f42b6328af2c8c8ff4394f |
| SHA256 | 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28 |
| SHA512 | 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784 |
memory/3316-18-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.cfg
| MD5 | c548d9a5d0fde51bcf2169feb9309fba |
| SHA1 | 756d7fc358d82835985b3870d5b656702f06c1a3 |
| SHA256 | b839008ae42afa86deea68007d71114a7cc73e6d7b02c9276f09a8efb472dc90 |
| SHA512 | 5e66456ba7f83cd83360ac1a02bc4de67dd91e6b80294da3350622ae92a67233e9d7a8b62f40b5b484b6e8008575c50a384852d1a6b4e3597699ccc095575591 |
C:\Windows\outlook.cfg
| MD5 | aa3dbfdafa8edddee0363fc0bdcea206 |
| SHA1 | e5960ee16ab366baaaf0ce6f647978c641850a36 |
| SHA256 | 84dc77fc6077370f1b8a2dc9b799117156e4a8b87dbf8d25df06d5bd93b2be1a |
| SHA512 | c13c4795d72f5dbb695d5af61a6f7c3102c2574e4ea30944b8d1c399045f49a558c602b6f5a8e502b035da49aa2420d3ecb5ab80b5afac33212a1fa58f83c6aa |
C:\Windows\outlook.cfg
| MD5 | b333ba8d9683268d501d940f77e245d5 |
| SHA1 | ffb1ac0aec5ead142cfe1e4f18712c6f6fd0020f |
| SHA256 | 6394d53052355dd8695a3d706e80577678e4674ef9757d14ef6b5ba631a2db3a |
| SHA512 | ad69bb8c2e70f4347090a61c8c371dc96f4f7801433a5d6c709ea41faef77bc44fad60e05db7460b7a1f73f2924c1e38385141516ef8ec3a39d4edc0619a62c7 |
memory/2444-102-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Windows\outlook.cfg
| MD5 | 09d4829cfdfcdd2814ecde5e22c5ce3b |
| SHA1 | afca47e68a2cb8cf3249c6adf7d803e770b8fe04 |
| SHA256 | 1bd9ad9d396b02eed3723e739ef02667fbc66a6adb53208d701ee7c8d09f03ab |
| SHA512 | 6b58e26081b80ce74b8955ae2ce5163cba80c89e6d27ac6b98716bcc7ff0b161240c86e8b660e411f1752fc323c23516022dcc06c3c6606e7a6b58d0cf2d72bc |
memory/2444-118-0x0000000000400000-0x000000000047E000-memory.dmp