Analysis Overview
SHA256
348ef2dd83a99d7bef81112fb3ee9d6abb7bbc6ffe26cb4249fd90df34ab814c
Threat Level: Shows suspicious behavior
The file 64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 21:16
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 21:16
Reported
2024-05-21 21:19
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1312 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe |
| PID 1312 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe |
| PID 1312 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe |
| PID 1312 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI13122\python38.dll
| MD5 | c512c6ea9f12847d991ceed6d94bc871 |
| SHA1 | 52e1ef51674f382263b4d822b8ffa5737755f7e7 |
| SHA256 | 79545f4f3a658865f510ab7df96516f660e6e18fe12cadaaec3002b51fc29ef6 |
| SHA512 | e023a353d6f0267f367276344df5f2fdbc208f916ca87fa5b4310ea7edcac0a24837c23ab671fb4b15b109915dfd0e57fbe07593a764b3219312ed5737052822 |
C:\Users\Admin\AppData\Local\Temp\_MEI13122\VCRUNTIME140.dll
| MD5 | 2ebf45da71bd8ef910a7ece7e4647173 |
| SHA1 | 4ecc9c2d4abe2180d345f72c65758ef4791d6f06 |
| SHA256 | cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b |
| SHA512 | a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457 |
C:\Users\Admin\AppData\Local\Temp\_MEI13122\base_library.zip
| MD5 | 90ae7f393c7b387e264d5be6c9057f92 |
| SHA1 | 384a445b35fd5bf48f5585ce3ffc0123501aa1d7 |
| SHA256 | 5f903b4551e9e7269d9c5c9c496b911c7d319eb7e6b8d98a4f6ad47628500107 |
| SHA512 | 607974aafed9cdd7bdb85dfca597ac1b407c590a48ef0ecdea3cf411b3a57610be30ca7f8baff7ac4fdafdac449dd2aaf1575aa0140badfb4cd140e457061fd9 |
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_ctypes.pyd
| MD5 | c827a20fc5f1f4e0ef9431f29ebf03b4 |
| SHA1 | ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d |
| SHA256 | d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d |
| SHA512 | d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c |
C:\Users\Admin\AppData\Local\Temp\_MEI13122\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI13122\_socket.pyd
| MD5 | 6b59705d8ac80437dd81260443912532 |
| SHA1 | d206d9974167eb60fb201f2b5bf9534167f9fb08 |
| SHA256 | 62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648 |
| SHA512 | fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd |
C:\Users\Admin\AppData\Local\Temp\_MEI13122\select.pyd
| MD5 | 441299529d0542d828bafe9ac69c4197 |
| SHA1 | da31b9afb68ba6e2d40bbc8e1e25980c2afeb1b3 |
| SHA256 | 973f851dfaf98617b3eb6fa38befeb7ede49bd993408917e207dc7ea399de326 |
| SHA512 | 9f0fb359a4291d47b8dc0ec789c319637dde0f09e59408c4d7fd9265e51c978aa3ba7ea51ca9524833814bca9e7978d9817658655ee339191634d4ae5f426ddc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 21:16
Reported
2024-05-21 21:19
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
104s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3912 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe |
| PID 3912 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe |
| PID 3912 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64cb7853734b2c2ec996b0dfb3274870_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI39122\python38.dll
| MD5 | c512c6ea9f12847d991ceed6d94bc871 |
| SHA1 | 52e1ef51674f382263b4d822b8ffa5737755f7e7 |
| SHA256 | 79545f4f3a658865f510ab7df96516f660e6e18fe12cadaaec3002b51fc29ef6 |
| SHA512 | e023a353d6f0267f367276344df5f2fdbc208f916ca87fa5b4310ea7edcac0a24837c23ab671fb4b15b109915dfd0e57fbe07593a764b3219312ed5737052822 |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\VCRUNTIME140.dll
| MD5 | 2ebf45da71bd8ef910a7ece7e4647173 |
| SHA1 | 4ecc9c2d4abe2180d345f72c65758ef4791d6f06 |
| SHA256 | cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b |
| SHA512 | a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457 |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\base_library.zip
| MD5 | 90ae7f393c7b387e264d5be6c9057f92 |
| SHA1 | 384a445b35fd5bf48f5585ce3ffc0123501aa1d7 |
| SHA256 | 5f903b4551e9e7269d9c5c9c496b911c7d319eb7e6b8d98a4f6ad47628500107 |
| SHA512 | 607974aafed9cdd7bdb85dfca597ac1b407c590a48ef0ecdea3cf411b3a57610be30ca7f8baff7ac4fdafdac449dd2aaf1575aa0140badfb4cd140e457061fd9 |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\_ctypes.pyd
| MD5 | c827a20fc5f1f4e0ef9431f29ebf03b4 |
| SHA1 | ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d |
| SHA256 | d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d |
| SHA512 | d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\_socket.pyd
| MD5 | 6b59705d8ac80437dd81260443912532 |
| SHA1 | d206d9974167eb60fb201f2b5bf9534167f9fb08 |
| SHA256 | 62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648 |
| SHA512 | fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\select.pyd
| MD5 | 441299529d0542d828bafe9ac69c4197 |
| SHA1 | da31b9afb68ba6e2d40bbc8e1e25980c2afeb1b3 |
| SHA256 | 973f851dfaf98617b3eb6fa38befeb7ede49bd993408917e207dc7ea399de326 |
| SHA512 | 9f0fb359a4291d47b8dc0ec789c319637dde0f09e59408c4d7fd9265e51c978aa3ba7ea51ca9524833814bca9e7978d9817658655ee339191634d4ae5f426ddc |