Malware Analysis Report

2025-08-10 20:05

Sample ID 250704-n77tpshj3z
Target JaffaCakes118_1c28a7513f89aed698f1b82675b03c68
SHA256 139b3551ddc564eb622d8d6118404d4f5e3e6d107009966288c1942cc22a3f43
Tags
berbew credential_access discovery persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

139b3551ddc564eb622d8d6118404d4f5e3e6d107009966288c1942cc22a3f43

Threat Level: Known bad

The file JaffaCakes118_1c28a7513f89aed698f1b82675b03c68 was found to be: Known bad.

Malicious Activity Summary

berbew credential_access discovery persistence spyware stealer

Berbew family

Credentials from Password Stores: Windows Credential Manager

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:03

Signatures

Berbew family

berbew

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:03

Reported

2025-07-04 12:05

Platform

win10v2004-20250619-en

Max time kernel

104s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\outlook.exe | N/A
N/A | N/A | C:\Windows\sys32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A
File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A
File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A
File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A
File created | C:\Windows\sys32.exe | C:\Windows\sys32.exe | N/A
File created | C:\Windows\outlook.exe | C:\Windows\sys32.exe | N/A
File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A
File created | C:\Windows\crc32.cfg | C:\Windows\outlook.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\outlook.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\outlook.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sys32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\sys32.exe

C:\Windows\outlook.exe

C:\Windows\outlook.exe

C:\Windows\sys32.exe

C:\Windows\sys32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 31476

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:1434 | | tcp
N/A | 127.0.0.1:1433 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
US | 8.8.8.8:53 | aspmx3.googlemail.com | udp
US | 8.8.8.8:53 | inbound-reply.s7.exacttarget.com | udp
BE | 108.177.15.26:25 | smtp.google.com | tcp
DE | 142.250.147.27:25 | aspmx3.googlemail.com | tcp
DE | 142.250.147.27:25 | aspmx3.googlemail.com | tcp
US | 136.147.189.244:25 | inbound-reply.s7.exacttarget.com | tcp
US | 52.101.11.7:25 | microsoft-com.mail.protection.outlook.com | tcp
US | 52.101.11.7:25 | microsoft-com.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | nokia-com.mail.protection.outlook.com | udp
NL | 52.101.73.19:25 | nokia-com.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.180.3:80 | c.pki.goog | tcp

Files

memory/4288-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

memory/5092-10-0x0000000000400000-0x000000000040C000-memory.dmp

memory/5092-12-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\sys32.exe

MD5 b1c0a320b62c56df4fb56be2b4973254
SHA1 cf8ec4bacaf07e1bca05c435620685d638070301
SHA256 054b80c98073f876b254f96fd6ad3b45e1ae1ede23f52e085f2f02617cc080b4
SHA512 fe030a5b22d7bed52d8f502223880f19fd6f1e3f97258ac0ff4d8c2fe87ed1faf23e1a1714d28e818659db4dccaad66f6955e92571c33a23d0f9e13546b1a464

C:\Windows\outlook.cfg

MD5 43fefd4615f7dba648a96e7c74da4666
SHA1 072635da71eb0c446623ee07f21db15348f2eecc
SHA256 94a6260a8ca3afb071c691da68c0d70e70c066001b3250652920ad84ed1ee860
SHA512 04d4af58e331d8f1e18ce03f04b09c3c3ab2e156f61fa834328ac18231eb2bb2c4b107e5b46995bc455260beea2f143faca59ce95a1332c9eae021cc9826fac2

C:\Windows\outlook.cfg

MD5 808e6886fc4b027081c6f851af2c81e6
SHA1 d6b5aded8baa6ef97a1382006c24631392af8852
SHA256 c03e2b54c810c055b305e22f04eecf5ff2439c9f5953da228b1c515f3e89cbb2
SHA512 3ca2f224ad68642e535758120277f98b2aa85d4ac6299512e7a8d0559e2abe85bef722920270a800e925a04cf2ed219707a72bf3f924d3c8a6516d1a0d8d3a62

C:\Windows\outlook.cfg

MD5 0e3206001b5237b73c9c92cb9b23bb0d
SHA1 b078310ce5a6d02fe41126a06dbcd8f8147dfeb2
SHA256 4c1baf8a312a5340fad74fb57156f9459bd4b39a775eaa7bcc431450718a73b6
SHA512 869cd1b57183f21d81c763bc6b4197735341f0c81a079c5298024e8bfa9be5babf4e26f764847fb8c7f771c936678382f8d57dbbc9cf0eacb260380e307f32f1

memory/4288-89-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.cfg

MD5 1d7e0439e6fdf742fa91d32e8e0c8b2d
SHA1 9fdd945909cd22c0989d3894175fd503244ecb47
SHA256 9a22632b4e477e7ca43c9d57052ede0b6e088d47c631fe94816ac29ab9ac3ee0
SHA512 450aeaff404a2ff6c7c2fb55c5efcb92d13eeb39d3ecf8124dad91a17daaee01f25bb57d60f8ddff7873700530be01cb2350e04b8dd3db7aaa1db9a08cc73bf9

memory/2744-106-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2744-127-0x0000000000400000-0x000000000047E000-memory.dmp