Analysis Overview
SHA256
139b3551ddc564eb622d8d6118404d4f5e3e6d107009966288c1942cc22a3f43
Threat Level: Known bad
The file JaffaCakes118_1c28a7513f89aed698f1b82675b03c68 was found to be: Known bad.
Malicious Activity Summary
Berbew family
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:03
Signatures
Berbew family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:03
Reported
2025-07-04 12:05
Platform
win10v2004-20250619-en
Max time kernel
104s
Max time network
137s
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\outlook.exe | N/A |
| N/A | N/A | C:\Windows\sys32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A |
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A |
| File created | C:\Windows\sys32.exe | C:\Windows\sys32.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Windows\sys32.exe | N/A |
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\crc32.cfg | C:\Windows\outlook.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\outlook.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\outlook.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sys32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4288 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | C:\Windows\outlook.exe |
| PID 4288 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | C:\Windows\outlook.exe |
| PID 4288 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | C:\Windows\outlook.exe |
| PID 4380 wrote to memory of 5092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\sys32.exe |
| PID 4380 wrote to memory of 5092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\sys32.exe |
| PID 4380 wrote to memory of 5092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\sys32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\sys32.exe
C:\Windows\outlook.exe
C:\Windows\outlook.exe
C:\Windows\sys32.exe
C:\Windows\sys32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 31476
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:1434 | N/A | tcp |
| N/A | 127.0.0.1:1433 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | smtp.google.com | udp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| US | 8.8.8.8:53 | inbound-reply.s7.exacttarget.com | udp |
| BE | 108.177.15.26:25 | smtp.google.com | tcp |
| DE | 142.250.147.27:25 | aspmx3.googlemail.com | tcp |
| DE | 142.250.147.27:25 | aspmx3.googlemail.com | tcp |
| US | 136.147.189.244:25 | inbound-reply.s7.exacttarget.com | tcp |
| US | 52.101.11.7:25 | microsoft-com.mail.protection.outlook.com | tcp |
| US | 52.101.11.7:25 | microsoft-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | nokia-com.mail.protection.outlook.com | udp |
| NL | 52.101.73.19:25 | nokia-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/4288-0-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.exe
| Hash | Value |
|---|---|
| MD5 | 0e9379e357aba95f8b9883af9b67675e |
| SHA1 | 280a174a414e5b8588f42b6328af2c8c8ff4394f |
| SHA256 | 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28 |
| SHA512 | 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784 |
memory/5092-10-0x0000000000400000-0x000000000040C000-memory.dmp
memory/5092-12-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\sys32.exe
| Hash | Value |
|---|---|
| MD5 | b1c0a320b62c56df4fb56be2b4973254 |
| SHA1 | cf8ec4bacaf07e1bca05c435620685d638070301 |
| SHA256 | 054b80c98073f876b254f96fd6ad3b45e1ae1ede23f52e085f2f02617cc080b4 |
| SHA512 | fe030a5b22d7bed52d8f502223880f19fd6f1e3f97258ac0ff4d8c2fe87ed1faf23e1a1714d28e818659db4dccaad66f6955e92571c33a23d0f9e13546b1a464 |
C:\Windows\outlook.cfg
| Hash | Value |
|---|---|
| MD5 | 43fefd4615f7dba648a96e7c74da4666 |
| SHA1 | 072635da71eb0c446623ee07f21db15348f2eecc |
| SHA256 | 94a6260a8ca3afb071c691da68c0d70e70c066001b3250652920ad84ed1ee860 |
| SHA512 | 04d4af58e331d8f1e18ce03f04b09c3c3ab2e156f61fa834328ac18231eb2bb2c4b107e5b46995bc455260beea2f143faca59ce95a1332c9eae021cc9826fac2 |
C:\Windows\outlook.cfg
| Hash | Value |
|---|---|
| MD5 | 808e6886fc4b027081c6f851af2c81e6 |
| SHA1 | d6b5aded8baa6ef97a1382006c24631392af8852 |
| SHA256 | c03e2b54c810c055b305e22f04eecf5ff2439c9f5953da228b1c515f3e89cbb2 |
| SHA512 | 3ca2f224ad68642e535758120277f98b2aa85d4ac6299512e7a8d0559e2abe85bef722920270a800e925a04cf2ed219707a72bf3f924d3c8a6516d1a0d8d3a62 |
C:\Windows\outlook.cfg
| Hash | Value |
|---|---|
| MD5 | 0e3206001b5237b73c9c92cb9b23bb0d |
| SHA1 | b078310ce5a6d02fe41126a06dbcd8f8147dfeb2 |
| SHA256 | 4c1baf8a312a5340fad74fb57156f9459bd4b39a775eaa7bcc431450718a73b6 |
| SHA512 | 869cd1b57183f21d81c763bc6b4197735341f0c81a079c5298024e8bfa9be5babf4e26f764847fb8c7f771c936678382f8d57dbbc9cf0eacb260380e307f32f1 |
memory/4288-89-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.cfg
| Hash | Value |
|---|---|
| MD5 | 1d7e0439e6fdf742fa91d32e8e0c8b2d |
| SHA1 | 9fdd945909cd22c0989d3894175fd503244ecb47 |
| SHA256 | 9a22632b4e477e7ca43c9d57052ede0b6e088d47c631fe94816ac29ab9ac3ee0 |
| SHA512 | 450aeaff404a2ff6c7c2fb55c5efcb92d13eeb39d3ecf8124dad91a17daaee01f25bb57d60f8ddff7873700530be01cb2350e04b8dd3db7aaa1db9a08cc73bf9 |
memory/2744-106-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2744-127-0x0000000000400000-0x000000000047E000-memory.dmp