Malware Analysis Report

2025-05-05 21:25

Sample ID 240521-z4qlssaf82
Target 64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118
SHA256 348ef2dd83a99d7bef81112fb3ee9d6abb7bbc6ffe26cb4249fd90df34ab814c
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

348ef2dd83a99d7bef81112fb3ee9d6abb7bbc6ffe26cb4249fd90df34ab814c

Threat Level: Shows suspicious behavior

The file 64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 21:16

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 21:16

Reported

2024-05-21 21:19

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI13122\python38.dll

MD5 c512c6ea9f12847d991ceed6d94bc871
SHA1 52e1ef51674f382263b4d822b8ffa5737755f7e7
SHA256 79545f4f3a658865f510ab7df96516f660e6e18fe12cadaaec3002b51fc29ef6
SHA512 e023a353d6f0267f367276344df5f2fdbc208f916ca87fa5b4310ea7edcac0a24837c23ab671fb4b15b109915dfd0e57fbe07593a764b3219312ed5737052822

C:\Users\Admin\AppData\Local\Temp\_MEI13122\VCRUNTIME140.dll

MD5 2ebf45da71bd8ef910a7ece7e4647173
SHA1 4ecc9c2d4abe2180d345f72c65758ef4791d6f06
SHA256 cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b
SHA512 a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

C:\Users\Admin\AppData\Local\Temp\_MEI13122\base_library.zip

MD5 90ae7f393c7b387e264d5be6c9057f92
SHA1 384a445b35fd5bf48f5585ce3ffc0123501aa1d7
SHA256 5f903b4551e9e7269d9c5c9c496b911c7d319eb7e6b8d98a4f6ad47628500107
SHA512 607974aafed9cdd7bdb85dfca597ac1b407c590a48ef0ecdea3cf411b3a57610be30ca7f8baff7ac4fdafdac449dd2aaf1575aa0140badfb4cd140e457061fd9

C:\Users\Admin\AppData\Local\Temp\_MEI13122\_ctypes.pyd

MD5 c827a20fc5f1f4e0ef9431f29ebf03b4
SHA1 ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d
SHA256 d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d
SHA512 d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c

C:\Users\Admin\AppData\Local\Temp\_MEI13122\libffi-7.dll

MD5 bc20614744ebf4c2b8acd28d1fe54174
SHA1 665c0acc404e13a69800fae94efd69a41bdda901
SHA256 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57
SHA512 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

C:\Users\Admin\AppData\Local\Temp\_MEI13122\_socket.pyd

MD5 6b59705d8ac80437dd81260443912532
SHA1 d206d9974167eb60fb201f2b5bf9534167f9fb08
SHA256 62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648
SHA512 fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd

C:\Users\Admin\AppData\Local\Temp\_MEI13122\select.pyd

MD5 441299529d0542d828bafe9ac69c4197
SHA1 da31b9afb68ba6e2d40bbc8e1e25980c2afeb1b3
SHA256 973f851dfaf98617b3eb6fa38befeb7ede49bd993408917e207dc7ea399de326
SHA512 9f0fb359a4291d47b8dc0ec789c319637dde0f09e59408c4d7fd9265e51c978aa3ba7ea51ca9524833814bca9e7978d9817658655ee339191634d4ae5f426ddc

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 21:16

Reported

2024-05-21 21:19

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI39122\python38.dll

MD5 c512c6ea9f12847d991ceed6d94bc871
SHA1 52e1ef51674f382263b4d822b8ffa5737755f7e7
SHA256 79545f4f3a658865f510ab7df96516f660e6e18fe12cadaaec3002b51fc29ef6
SHA512 e023a353d6f0267f367276344df5f2fdbc208f916ca87fa5b4310ea7edcac0a24837c23ab671fb4b15b109915dfd0e57fbe07593a764b3219312ed5737052822

C:\Users\Admin\AppData\Local\Temp\_MEI39122\VCRUNTIME140.dll

MD5 2ebf45da71bd8ef910a7ece7e4647173
SHA1 4ecc9c2d4abe2180d345f72c65758ef4791d6f06
SHA256 cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b
SHA512 a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

C:\Users\Admin\AppData\Local\Temp\_MEI39122\base_library.zip

MD5 90ae7f393c7b387e264d5be6c9057f92
SHA1 384a445b35fd5bf48f5585ce3ffc0123501aa1d7
SHA256 5f903b4551e9e7269d9c5c9c496b911c7d319eb7e6b8d98a4f6ad47628500107
SHA512 607974aafed9cdd7bdb85dfca597ac1b407c590a48ef0ecdea3cf411b3a57610be30ca7f8baff7ac4fdafdac449dd2aaf1575aa0140badfb4cd140e457061fd9

C:\Users\Admin\AppData\Local\Temp\_MEI39122\_ctypes.pyd

MD5 c827a20fc5f1f4e0ef9431f29ebf03b4
SHA1 ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d
SHA256 d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d
SHA512 d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c

C:\Users\Admin\AppData\Local\Temp\_MEI39122\libffi-7.dll

MD5 bc20614744ebf4c2b8acd28d1fe54174
SHA1 665c0acc404e13a69800fae94efd69a41bdda901
SHA256 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57
SHA512 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

C:\Users\Admin\AppData\Local\Temp\_MEI39122\_socket.pyd

MD5 6b59705d8ac80437dd81260443912532
SHA1 d206d9974167eb60fb201f2b5bf9534167f9fb08
SHA256 62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648
SHA512 fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd

C:\Users\Admin\AppData\Local\Temp\_MEI39122\select.pyd

MD5 441299529d0542d828bafe9ac69c4197
SHA1 da31b9afb68ba6e2d40bbc8e1e25980c2afeb1b3
SHA256 973f851dfaf98617b3eb6fa38befeb7ede49bd993408917e207dc7ea399de326
SHA512 9f0fb359a4291d47b8dc0ec789c319637dde0f09e59408c4d7fd9265e51c978aa3ba7ea51ca9524833814bca9e7978d9817658655ee339191634d4ae5f426ddc