Analysis Overview
SHA256
bd69918ba5c2bde593638d10407c5bc3999a1da4ba11c27c7fe95b6264e27358
Threat Level: Shows suspicious behavior
The file 73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118 was classified as showing suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-26 01:34
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 01:34
Reported
2024-05-26 01:37
Platform
win7-20231129-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\ = "Fightcade" | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\ | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open\ | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\URL Protocol | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open\command | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
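The rows above (repeated on Windows 10 in the behavioral2 run) show the sample registering a per-user URL protocol handler: the `URL Protocol` value under `HKCU\Software\Classes\fcade` makes `fcade://` links open the `shell\open\command` target, which here is the sample itself in `%TEMP%`. A handler that any clicked link can launch, installed without elevation and pointing at a user-writable directory, is the detail worth checking. The script below is an added example, not part of this report or of the Fightcade project: it folds pipe-delimited registry rows of the form shown in this report into one record per scheme and flags handlers whose executable lives under a user-writable root. The sample rows are copied from the table above; the list of user-writable roots and the row layout are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: four of the "Modifies registry class" rows from the
# behavioral1 run, kept as pipe-delimited report lines.
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\ = "Fightcade" | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\URL Protocol | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
"""

# Per-user class registration as the sandbox logs it: \REGISTRY\USER\<SID>_Classes\<scheme>...
CLASSES_KEY = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)_CLASSES\\(?P<scheme>[^\\ ]+)(?P<rest>.*)$",
    re.IGNORECASE,
)

# Assumed list of roots a standard user can write to. A handler that resolves into
# one of these was not placed by a privileged installer and can be swapped out by
# anything running as the user.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|windows\\temp\\|temp\\)",
    re.IGNORECASE,
)


@dataclass
class ProtocolHandler:
    scheme: str
    friendly_name: Optional[str] = None
    declares_url_protocol: bool = False
    command: Optional[str] = None

    @property
    def executable(self) -> Optional[str]:
        """First token of the shell\\open\\command value, honouring a quoted path."""
        if not self.command:
            return None
        cmd = self.command.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.index('"', 1)]
        return cmd.split(" ", 1)[0]

    @property
    def suspicious(self) -> bool:
        """Registered as a URL scheme and handled by a binary in a user-writable path."""
        exe = self.executable
        return self.declares_url_protocol and exe is not None and bool(USER_WRITABLE.match(exe))


def unescape_report_value(raw: str) -> str:
    """Strip the report's surrounding quotes and undo its backslash escaping."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def audit_url_handlers(rows: str) -> Dict[str, ProtocolHandler]:
    """Fold registry events (Description | Indicator | Process | Target) into one record per scheme."""
    handlers: Dict[str, ProtocolHandler] = {}
    for line in rows.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        m = CLASSES_KEY.match(cells[1])
        if not m:
            continue
        scheme = m.group("scheme").lower()
        h = handlers.setdefault(scheme, ProtocolHandler(scheme))
        # "Set value" rows carry '<subkey>\ = "<value>"'; "Key created" rows carry only the path.
        subkey, sep, value = m.group("rest").partition(" = ")
        subkey = subkey.strip("\\").lower()
        if subkey == "url protocol":
            h.declares_url_protocol = True
        elif subkey == "" and sep:
            h.friendly_name = unescape_report_value(value)
        elif subkey == r"shell\open\command" and sep:
            h.command = unescape_report_value(value)
    return handlers


if __name__ == "__main__":
    for h in audit_url_handlers(SAMPLE_ROWS).values():
        print(f"{h.scheme}:// ({h.friendly_name}) -> {h.executable} suspicious={h.suspicious}")
```

On a live host the same logic applies to a dump of `HKCU\Software\Classes` (for example `reg export`), the difference being only the row format the parser accepts.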
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2960 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe |
| PID 2960 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe |
| PID 2960 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe |
| PID 2960 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29602\python27.dll
| MD5 | ceb92a7366bd07a460c98303385ef9c4 |
| SHA1 | e91ef3e144ef17b6acc0c645caf0d4262b1f67dc |
| SHA256 | cdbb2b0eb55004276cfdf563ee7a0fbdb3cacbf8609334847bd13c1833bb31bc |
| SHA512 | 6b24b5143b2fb95af6cf567b6ead27bee3f2b1e35727861385199e7f23edc3675423961a2d9a0ffbb686f1d2fc148f246f4381b1b3af0eecd7e8747dedb8088d |
\Users\Admin\AppData\Local\Temp\_MEI29~1\_ctypes.pyd
| MD5 | 6daf8b55801a602f84d7d568a142459c |
| SHA1 | 57a80ca9621b282727d45caa5ae1c5e3c7e93f60 |
| SHA256 | 66d0cb13569e9798b04c5d049cff25bd4c7c8e7ddd885b62f523d90a65d0ce88 |
| SHA512 | abb1c17aea3edb46c096ca3d8cbf74c9dccad36a7b83be8cf30697760ad49f3bd3a38dc4ff1f0b715ad7996c3a23ea1c855fffd62af01d15935abc73378dcc2e |
\Users\Admin\AppData\Local\Temp\_MEI29~1\_socket.pyd
| MD5 | 3986998b3753483f8b28c721fef6f8e4 |
| SHA1 | 2ef3c0fac94c85276721ee2980f49b1bafef597d |
| SHA256 | cbc23d6c2e3e2950452c7d255da1452338301a4c9a0b09eba83287709d2a5000 |
| SHA512 | 258e2805440b36e20702c1447597698ef18a5a7f890cfece55bd4f797073c87e7bde659db3e2474e9b998213d76e2c3d5221659c6827237e06b3b6f4b3643ae6 |
\Users\Admin\AppData\Local\Temp\_MEI29~1\_ssl.pyd
| MD5 | 9be53b53c1ec6b56663f45464edfcde9 |
| SHA1 | f8f5dd5640d594a2b53f5bbd12893c11cf4b7d55 |
| SHA256 | b572bf14ca3d3e5158b89314b6fe2129a753edaca1958e252784561f33f9ecda |
| SHA512 | a52727b54a03246b74460a2741324b371ccaa083a4f3123fd1175a3061d3b6707ddbaaa73b3e39435cffd8d3018ee2dee8bad6c58a17faa55b6d05a3b38ee78b |
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_hashlib.pyd
| MD5 | 55a29ec9721c509a5b20d1a037726cfa |
| SHA1 | eaba230581d7b46f316d6603ea15c1e3c9740d04 |
| SHA256 | dbdcf9e8cba52043b5246ad0d234da8ba4d6534b326bbbb28a6a391edf6fa4ce |
| SHA512 | e1a2993d4dd5f2e81f299fe158ee6d1f8ef95983113c9bea9a087e42205ff06ac563762de5a0b70b535efe8cf9f980ffc14c1318aaf58de3644277e3602e0ab3 |
\Users\Admin\AppData\Local\Temp\_MEI29~1\select.pyd
| MD5 | e6ecff0d1588fed3a61edc1a1a5eb9bb |
| SHA1 | 2a3913a69dbdda8aefbe1f290753435979791a37 |
| SHA256 | 345969d43b33717415bd5796d5a7b266592dc79a96543714828ff8fc1f249d18 |
| SHA512 | f59b356833840126f31f70ddb0e7f661db8528d82aa9450e299b81fe5adda35d44f3bceb52fb27e6843cf497211470f439a232c73245f8c606b31cb13322cd6f |
\Users\Admin\AppData\Local\Temp\_MEI29~1\bz2.pyd
| MD5 | 813c016e2898c6a2c1825b586de0ae61 |
| SHA1 | 7113efcccb6ab047cdfdb65ba4241980c88196f4 |
| SHA256 | 693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724 |
| SHA512 | dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad |
\Users\Admin\AppData\Local\Temp\_MEI29~1\unicodedata.pyd
| MD5 | a46e180e03ab5c2d802b8e6214067500 |
| SHA1 | 5de5efbce2e6e81b6b954b843090b387b7ba927e |
| SHA256 | 689e5061cefda6223477a6a05906a500d59bd1b2a7458730b8d43c9d3b43bdba |
| SHA512 | 68bd7ae714fb4f117eb53a0fb968083772aaeaa6428ae8510e5c109361b140c98415a1955fca49db3e9e1b6ae19909e9c50110f499306476d01141c479c16335 |
\Users\Admin\AppData\Local\Temp\_MEI29~1\psutil._psutil_windows.pyd
| MD5 | a111ff7c807b19406da97c7df827a789 |
| SHA1 | 2753625ca7112a4a785a594473d534892adb55f1 |
| SHA256 | 8d178f3ff30f972f182056cc96faeff26b9bbaea0666ed7e13d3ec2c30765d92 |
| SHA512 | fafdf88d9c0b363c047461bb9a6e44481b5c44ad868d59773805f73b4e4cb4488591e4421b48eb7cd18d9640fae03505cbb5ee78dbd8c61dcb6443ab51da6f0f |
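The dropped files are the standard PyInstaller onefile layout: `python27.dll` plus a set of `.pyd` extension modules extracted into a `_MEI` directory under `%TEMP%` whose name embeds the parent PID (2960 here, 1988 in the behavioral2 run, matching the PIDs in the WriteProcessMemory rows). The "Detects Pyinstaller" static signature keys on the archive cookie PyInstaller appends to the executable. The function below is an added example, not code from this report or from the PyInstaller project: it locates that cookie in a file image and decodes it. The magic bytes and the 88-byte `!8sIIii64s` cookie layout are PyInstaller's own (used since 2.1); the synthetic file built by `build_sample` is constructed for the example and is not a real PE. The search runs from the end of the file because the bootloader itself carries a copy of the magic constant, so a forward search would stop on the wrong occurrence.

```python
import struct
import sys
from typing import Optional, Dict

# PyInstaller CArchive cookie: fixed magic followed by package length, TOC offset,
# TOC length, Python version and the null-padded Python DLL name.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(blob: bytes) -> Optional[Dict[str, object]]:
    """Return decoded cookie fields if `blob` ends in a PyInstaller package, else None."""
    # Search backwards: the bootloader code contains the same magic string it uses
    # to find the cookie, so the first forward hit is usually not the cookie.
    pos = blob.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(blob):
        return None
    magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, blob, pos)
    # The package length counts the cookie itself, so the package starts this far back.
    pkg_start = pos + COOKIE_LEN - pkg_len
    if pkg_start < 0 or toc_off + toc_len > pkg_len:
        return None  # magic present but the geometry is inconsistent: not a usable archive
    return {
        "cookie_offset": pos,
        "pkg_start": pkg_start,
        "pkg_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        # Raw value: its encoding changed across PyInstaller releases, so it is reported as-is.
        "python_version_raw": pyvers,
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pylib: bytes = b"python27.dll", body: bytes = b"\x00" * 200) -> bytes:
    """Constructed stand-in for a onefile EXE: fake stub (with the bootloader's copy of
    the magic), a placeholder package body and TOC, and a well-formed trailing cookie."""
    stub = b"MZ" + b"\x90" * 100 + PYINST_MAGIC + b"\x90" * 100  # not a real PE
    toc = b"\x00" * 16  # placeholder TOC bytes; entries are not parsed here
    pkg_body = body + toc
    pkg_len = len(pkg_body) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(body), len(toc), 27,
                         pylib.ljust(64, b"\x00"))
    return stub + pkg_body + cookie


if __name__ == "__main__":
    # Usage: python pyinst_cookie.py [file.exe]; without an argument the synthetic sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = find_pyinstaller_cookie(data)
    print("no PyInstaller cookie found" if info is None else info)
```

The decoded `pylib` field is what ties a sample to the runtime it drops (`python27.dll` for this one) before detonation; the TOC offset and length give the region to hand to an archive extractor for the embedded scripts.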
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 01:34
Reported
2024-05-26 01:37
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\URL Protocol | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\open\ | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\ = "Fightcade" | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\ | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\open | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\open\command | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1988 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe |
| PID 1988 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe |
| PID 1988 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI19882\python27.dll
| MD5 | ceb92a7366bd07a460c98303385ef9c4 |
| SHA1 | e91ef3e144ef17b6acc0c645caf0d4262b1f67dc |
| SHA256 | cdbb2b0eb55004276cfdf563ee7a0fbdb3cacbf8609334847bd13c1833bb31bc |
| SHA512 | 6b24b5143b2fb95af6cf567b6ead27bee3f2b1e35727861385199e7f23edc3675423961a2d9a0ffbb686f1d2fc148f246f4381b1b3af0eecd7e8747dedb8088d |
C:\Users\Admin\AppData\Local\Temp\_MEI19~1\_ctypes.pyd
| MD5 | 6daf8b55801a602f84d7d568a142459c |
| SHA1 | 57a80ca9621b282727d45caa5ae1c5e3c7e93f60 |
| SHA256 | 66d0cb13569e9798b04c5d049cff25bd4c7c8e7ddd885b62f523d90a65d0ce88 |
| SHA512 | abb1c17aea3edb46c096ca3d8cbf74c9dccad36a7b83be8cf30697760ad49f3bd3a38dc4ff1f0b715ad7996c3a23ea1c855fffd62af01d15935abc73378dcc2e |
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_socket.pyd
| MD5 | 3986998b3753483f8b28c721fef6f8e4 |
| SHA1 | 2ef3c0fac94c85276721ee2980f49b1bafef597d |
| SHA256 | cbc23d6c2e3e2950452c7d255da1452338301a4c9a0b09eba83287709d2a5000 |
| SHA512 | 258e2805440b36e20702c1447597698ef18a5a7f890cfece55bd4f797073c87e7bde659db3e2474e9b998213d76e2c3d5221659c6827237e06b3b6f4b3643ae6 |
C:\Users\Admin\AppData\Local\Temp\_MEI19~1\select.pyd
| MD5 | e6ecff0d1588fed3a61edc1a1a5eb9bb |
| SHA1 | 2a3913a69dbdda8aefbe1f290753435979791a37 |
| SHA256 | 345969d43b33717415bd5796d5a7b266592dc79a96543714828ff8fc1f249d18 |
| SHA512 | f59b356833840126f31f70ddb0e7f661db8528d82aa9450e299b81fe5adda35d44f3bceb52fb27e6843cf497211470f439a232c73245f8c606b31cb13322cd6f |
C:\Users\Admin\AppData\Local\Temp\_MEI19~1\_hashlib.pyd
| MD5 | 55a29ec9721c509a5b20d1a037726cfa |
| SHA1 | eaba230581d7b46f316d6603ea15c1e3c9740d04 |
| SHA256 | dbdcf9e8cba52043b5246ad0d234da8ba4d6534b326bbbb28a6a391edf6fa4ce |
| SHA512 | e1a2993d4dd5f2e81f299fe158ee6d1f8ef95983113c9bea9a087e42205ff06ac563762de5a0b70b535efe8cf9f980ffc14c1318aaf58de3644277e3602e0ab3 |
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_ssl.pyd
| MD5 | 9be53b53c1ec6b56663f45464edfcde9 |
| SHA1 | f8f5dd5640d594a2b53f5bbd12893c11cf4b7d55 |
| SHA256 | b572bf14ca3d3e5158b89314b6fe2129a753edaca1958e252784561f33f9ecda |
| SHA512 | a52727b54a03246b74460a2741324b371ccaa083a4f3123fd1175a3061d3b6707ddbaaa73b3e39435cffd8d3018ee2dee8bad6c58a17faa55b6d05a3b38ee78b |
C:\Users\Admin\AppData\Local\Temp\_MEI19~1\bz2.pyd
| MD5 | 813c016e2898c6a2c1825b586de0ae61 |
| SHA1 | 7113efcccb6ab047cdfdb65ba4241980c88196f4 |
| SHA256 | 693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724 |
| SHA512 | dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad |
C:\Users\Admin\AppData\Local\Temp\_MEI19~1\unicodedata.pyd
| MD5 | a46e180e03ab5c2d802b8e6214067500 |
| SHA1 | 5de5efbce2e6e81b6b954b843090b387b7ba927e |
| SHA256 | 689e5061cefda6223477a6a05906a500d59bd1b2a7458730b8d43c9d3b43bdba |
| SHA512 | 68bd7ae714fb4f117eb53a0fb968083772aaeaa6428ae8510e5c109361b140c98415a1955fca49db3e9e1b6ae19909e9c50110f499306476d01141c479c16335 |
C:\Users\Admin\AppData\Local\Temp\_MEI19~1\psutil._psutil_windows.pyd
| MD5 | a111ff7c807b19406da97c7df827a789 |
| SHA1 | 2753625ca7112a4a785a594473d534892adb55f1 |
| SHA256 | 8d178f3ff30f972f182056cc96faeff26b9bbaea0666ed7e13d3ec2c30765d92 |
| SHA512 | fafdf88d9c0b363c047461bb9a6e44481b5c44ad868d59773805f73b4e4cb4488591e4421b48eb7cd18d9640fae03505cbb5ee78dbd8c61dcb6443ab51da6f0f |