Malware Analysis Report

2025-06-15 20:56

Sample ID 240526-bzl6taaa9y
Target 73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118
SHA256 bd69918ba5c2bde593638d10407c5bc3999a1da4ba11c27c7fe95b6264e27358
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bd69918ba5c2bde593638d10407c5bc3999a1da4ba11c27c7fe95b6264e27358

Threat Level: Shows suspicious behavior

The file 73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118 was classified as showing suspicious behavior (score 7/10). Its only tag is pyinstaller; the report assigns no malware family and maps no MITRE ATT&CK techniques.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

The pyinstaller, Detects Pyinstaller and Loads dropped DLL signatures describe one fact: the sample is a PyInstaller one-file bundle whose bootloader extracts its embedded Python 2.7 runtime (python27.dll and the .pyd extension modules listed under Files) into a _MEI<pid> directory under %TEMP% and loads it from there. Every PyInstaller one-file build behaves this way, benign or malicious, so these three signatures say nothing about intent. The AdjustPrivilegeToken and registry signatures have detail rows under each behavioral run; Suspicious use of WriteProcessMemory has no detail rows in either run.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-26 01:34

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
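The static signature above is an opaque "Detects Pyinstaller" hit. The following added example, which is neither the sandbox's rule nor code from this sample, shows what such a check looks for: the CArchive cookie that the PyInstaller bootloader appends to the executable. It begins with the fixed magic MEI\x0c\x0b\x0a\x0b\x0e and encodes the archive length, the position of the table of contents and the Python version; later 2.x bootloaders add the name of the Python DLL. Because the sample itself is not on this page, the script runs on a bundle it constructs with the same cookie layout. The field layouts are those of PyInstaller's bootloader; the decoding of the version integer for newer bootloaders (major*100+minor) is an assumption noted in the code.

```python
"""Locate and decode the PyInstaller CArchive cookie in an executable.

Added example: a self-contained check of the kind a "Detects Pyinstaller"
static signature performs. It is not the sandbox's rule and not code from
the analysed sample.
"""
import struct
from typing import Optional

# Fixed 8-byte magic that opens every PyInstaller cookie.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layouts (network byte order):
#   PyInstaller 2.0  : magic, archive length, TOC offset, TOC length, Python version
#   PyInstaller 2.1+ : the same, followed by a 64-byte NUL-padded Python DLL name
COOKIE_V20 = struct.Struct("!8siiii")
COOKIE_V21 = struct.Struct("!8siiii64s")


def decode_pyvers(pyvers: int) -> str:
    """Turn the cookie's version integer into "major.minor".

    PyInstaller 2.x/3.x stored major*10+minor (27, 36). Newer bootloaders store
    major*100+minor (310) so that 3.10 is representable; treating any value
    >= 100 as the newer encoding is an assumption of this example.
    """
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def parse_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the decoded cookie nearest the end of `data`, or None if absent.

    The search runs backwards: PyInstaller 2.x puts the cookie at the very end
    of the file, while later bootloaders tolerate trailing data after it (an
    Authenticode signature, for instance). Chance hits on the magic are rejected
    by checking that the TOC lies inside the archive the cookie describes.
    For the 24-byte 2.0 layout the library name field is not meaningful.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0:
        return None
    remaining = len(data) - pos
    if remaining >= COOKIE_V21.size:
        _, length, toc_off, toc_len, pyvers, pylib = COOKIE_V21.unpack_from(data, pos)
        pylib_name = pylib.split(b"\x00", 1)[0].decode("ascii", "replace") or None
    elif remaining >= COOKIE_V20.size:
        _, length, toc_off, toc_len, pyvers = COOKIE_V20.unpack_from(data, pos)
        pylib_name = None
    else:
        return None
    if not (0 <= toc_off and toc_len > 0 and toc_off + toc_len <= length <= len(data)):
        return None
    return {
        "cookie_offset": pos,
        "archive_length": length,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": decode_pyvers(pyvers),
        "python_lib": pylib_name,
    }


def is_pyinstaller(data: bytes) -> bool:
    return parse_pyinstaller_cookie(data) is not None


def build_fake_bundle(pyvers: int, pylib: bytes) -> bytes:
    """Constructed test input: a stub header, stand-in payload and TOC, and a
    valid PyInstaller 2.1-style cookie. Not a real PE; only the cookie is real."""
    stub = b"MZ" + b"\x90" * 62
    payload = b"\x00" * 200          # where the packed entries would be
    toc = b"\x00" * 40               # where the table of contents would be
    archive_len = len(payload) + len(toc) + COOKIE_V21.size
    cookie = COOKIE_V21.pack(PYINSTALLER_MAGIC, archive_len, len(payload), len(toc),
                             pyvers, pylib.ljust(64, b"\x00"))
    return stub + payload + toc + cookie


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_bundle(27, b"python27.dll")
    print(parse_pyinstaller_cookie(blob))
```

Run with a file path to check a real binary; without arguments it decodes the constructed bundle, which reports Python 2.7 and python27.dll, the same runtime the behavioral runs below extract.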

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 01:34

Reported

2024-05-26 01:37

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"

Signatures

Modifies registry class

Description Indicator
(Process for every row: C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe; Target: N/A)
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\ = "Fightcade"
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open\
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\URL Protocol
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open\command
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fcade\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe \"%1\""

Taken together these writes register a per-user URL protocol handler. The \REGISTRY\USER\<SID>_CLASSES hive is the backing store of HKCU\Software\Classes, so the ProgID fcade is created there with display name "Fightcade", an empty "URL Protocol" value (which is what makes Windows treat fcade: as a launchable scheme) and a shell\open\command that runs the sample from %TEMP% with the whole URL passed as "%1". No elevation is needed for any of this, HKCU\Software\Classes takes precedence over HKLM in the merged HKCR view, and from then on any fcade: link opened in a browser or document relaunches this executable from Temp with an argument chosen by whoever wrote the link. The report gives no basis for deciding whether the binary is a genuine Fightcade client build or something else using that name.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe N/A

Enabling SeDebugPrivilege is routine in process-inspection code (a psutil Windows extension module is among the dropped files), and the row records no target process, so the report does not show the privilege being used against another process. The privilege can only be enabled if the account already holds it, which administrators do by default.

Processes

C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"

Both entries are the same image with the same command line, which is the PyInstaller one-file process layout: the first process is the bootloader, which unpacks the bundle into the _MEI directory under %TEMP% and then starts a second copy of itself as a child to run the embedded Python program, deleting the directory once the child exits. The second process is the sample itself, not an unrelated process it injected into.

Network

N/A

Files

Everything listed here is the bundle's embedded Python 2.7 runtime: python27.dll plus the _ctypes, _socket, _ssl, _hashlib, select, bz2, unicodedata and psutil extension modules, extracted to _MEI29602 (PyInstaller names the directory _MEI followed by the bootloader's process ID; the _MEI29~1 spellings are the same directory in 8.3 short-name form). _socket and _ssl mean the runtime can speak TLS and psutil gives it process enumeration, but these are capabilities of the runtime, not evidence of use: this run recorded no network activity.

C:\Users\Admin\AppData\Local\Temp\_MEI29602\python27.dll

MD5 ceb92a7366bd07a460c98303385ef9c4
SHA1 e91ef3e144ef17b6acc0c645caf0d4262b1f67dc
SHA256 cdbb2b0eb55004276cfdf563ee7a0fbdb3cacbf8609334847bd13c1833bb31bc
SHA512 6b24b5143b2fb95af6cf567b6ead27bee3f2b1e35727861385199e7f23edc3675423961a2d9a0ffbb686f1d2fc148f246f4381b1b3af0eecd7e8747dedb8088d

\Users\Admin\AppData\Local\Temp\_MEI29~1\_ctypes.pyd

MD5 6daf8b55801a602f84d7d568a142459c
SHA1 57a80ca9621b282727d45caa5ae1c5e3c7e93f60
SHA256 66d0cb13569e9798b04c5d049cff25bd4c7c8e7ddd885b62f523d90a65d0ce88
SHA512 abb1c17aea3edb46c096ca3d8cbf74c9dccad36a7b83be8cf30697760ad49f3bd3a38dc4ff1f0b715ad7996c3a23ea1c855fffd62af01d15935abc73378dcc2e

\Users\Admin\AppData\Local\Temp\_MEI29~1\_socket.pyd

MD5 3986998b3753483f8b28c721fef6f8e4
SHA1 2ef3c0fac94c85276721ee2980f49b1bafef597d
SHA256 cbc23d6c2e3e2950452c7d255da1452338301a4c9a0b09eba83287709d2a5000
SHA512 258e2805440b36e20702c1447597698ef18a5a7f890cfece55bd4f797073c87e7bde659db3e2474e9b998213d76e2c3d5221659c6827237e06b3b6f4b3643ae6

\Users\Admin\AppData\Local\Temp\_MEI29~1\_ssl.pyd

MD5 9be53b53c1ec6b56663f45464edfcde9
SHA1 f8f5dd5640d594a2b53f5bbd12893c11cf4b7d55
SHA256 b572bf14ca3d3e5158b89314b6fe2129a753edaca1958e252784561f33f9ecda
SHA512 a52727b54a03246b74460a2741324b371ccaa083a4f3123fd1175a3061d3b6707ddbaaa73b3e39435cffd8d3018ee2dee8bad6c58a17faa55b6d05a3b38ee78b

C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_hashlib.pyd

MD5 55a29ec9721c509a5b20d1a037726cfa
SHA1 eaba230581d7b46f316d6603ea15c1e3c9740d04
SHA256 dbdcf9e8cba52043b5246ad0d234da8ba4d6534b326bbbb28a6a391edf6fa4ce
SHA512 e1a2993d4dd5f2e81f299fe158ee6d1f8ef95983113c9bea9a087e42205ff06ac563762de5a0b70b535efe8cf9f980ffc14c1318aaf58de3644277e3602e0ab3

\Users\Admin\AppData\Local\Temp\_MEI29~1\select.pyd

MD5 e6ecff0d1588fed3a61edc1a1a5eb9bb
SHA1 2a3913a69dbdda8aefbe1f290753435979791a37
SHA256 345969d43b33717415bd5796d5a7b266592dc79a96543714828ff8fc1f249d18
SHA512 f59b356833840126f31f70ddb0e7f661db8528d82aa9450e299b81fe5adda35d44f3bceb52fb27e6843cf497211470f439a232c73245f8c606b31cb13322cd6f

\Users\Admin\AppData\Local\Temp\_MEI29~1\bz2.pyd

MD5 813c016e2898c6a2c1825b586de0ae61
SHA1 7113efcccb6ab047cdfdb65ba4241980c88196f4
SHA256 693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724
SHA512 dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

\Users\Admin\AppData\Local\Temp\_MEI29~1\unicodedata.pyd

MD5 a46e180e03ab5c2d802b8e6214067500
SHA1 5de5efbce2e6e81b6b954b843090b387b7ba927e
SHA256 689e5061cefda6223477a6a05906a500d59bd1b2a7458730b8d43c9d3b43bdba
SHA512 68bd7ae714fb4f117eb53a0fb968083772aaeaa6428ae8510e5c109361b140c98415a1955fca49db3e9e1b6ae19909e9c50110f499306476d01141c479c16335

\Users\Admin\AppData\Local\Temp\_MEI29~1\psutil._psutil_windows.pyd

MD5 a111ff7c807b19406da97c7df827a789
SHA1 2753625ca7112a4a785a594473d534892adb55f1
SHA256 8d178f3ff30f972f182056cc96faeff26b9bbaea0666ed7e13d3ec2c30765d92
SHA512 fafdf88d9c0b363c047461bb9a6e44481b5c44ad868d59773805f73b4e4cb4488591e4421b48eb7cd18d9640fae03505cbb5ee78dbd8c61dcb6443ab51da6f0f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 01:34

Reported

2024-05-26 01:37

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"

Signatures

Modifies registry class

Description Indicator
(Process for every row: C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe; Target: N/A)
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\URL Protocol
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\open\
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe \"%1\""
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\ = "Fightcade"
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\open
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\fcade\shell\open\command

This is the same fcade: URL protocol handler registration as in the win7 run, written under this image's user SID (S-1-5-21-3558294865-3673844354-2255444939-1000). The per-user hive (HKCU\Software\Classes, no elevation required), the command pointing into %TEMP% and the "%1" argument carrying the URL are unchanged.
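The two "Modifies registry class" tables (this one and the win7 one under behavioral1) record the same registration under different user SIDs. The added example below is neither the sandbox's code nor the sample's: it reads rows in the report's own format, reconstructs the URL protocol handler the writes amount to, and flags the properties a triage analyst would want called out (written per-user so no elevation was needed, handler binary in a user-writable location, URL passed into argv). The nine input rows are reproduced from the behavioral1 table; the row grammar and the list of user-writable path fragments are assumptions of the example.

```python
"""Rebuild the URL-protocol handler that a sandbox's "Modifies registry class"
rows describe, and flag what makes it risky. Added example (not the sandbox's
or the sample's code); rows reproduced from this report's behavioral1 table,
with the row grammar "<op> <key>[ = "<data>"] <process> <target>" assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"
HIVE = r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES"
ESCAPED = SAMPLE.replace("\\", "\\\\")   # the report doubles backslashes inside quoted data
REPORT_ROWS = [
    f"Key created {HIVE}\\fcade {SAMPLE} N/A",
    f'Set value (str) {HIVE}\\fcade\\ = "Fightcade" {SAMPLE} N/A',
    f"Set value (str) {HIVE}\\fcade\\shell\\ {SAMPLE} N/A",
    f"Key created {HIVE}\\fcade\\shell\\open {SAMPLE} N/A",
    f"Set value (str) {HIVE}\\fcade\\shell\\open\\ {SAMPLE} N/A",
    f"Set value (str) {HIVE}\\fcade\\URL Protocol {SAMPLE} N/A",
    f"Key created {HIVE}\\fcade\\shell {SAMPLE} N/A",
    f"Key created {HIVE}\\fcade\\shell\\open\\command {SAMPLE} N/A",
    f'Set value (str) {HIVE}\\fcade\\shell\\open\\command\\ = "{ESCAPED} \\"%1\\"" {SAMPLE} N/A',
]

ROW_RE = re.compile(r'^(?P<op>Key created|Set value \(\w+\)) (?P<path>.+?)'
                    r'(?: = "(?P<data>.*)")? (?P<process>[A-Za-z]:\\\S+) \S+$')
# Classes roots: HKLM\SOFTWARE\Classes, or the per-user <SID>_Classes hive backing HKCU\Software\Classes.
KEY_RE = re.compile(r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?:(?P<sid>S-[0-9-]+)(?:_Classes|\\Software\\Classes)'
                    r'|SOFTWARE\\Classes)\\(?P<progid>[^\\]+)(?P<rest>.*)$', re.IGNORECASE)
# Assumed list of locations an unprivileged user can write to (example's own choice).
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\Downloads\\", re.IGNORECASE)


@dataclass
class ProtocolHandler:
    hive: str                       # "USER" (per-user, no elevation needed) or "MACHINE"
    sid: Optional[str]
    scheme: str
    writer: str                     # process that performed the writes
    display_name: str = ""
    url_protocol: bool = False      # True once the "URL Protocol" value exists
    command: Optional[str] = None   # shell\open\command default value


def parse_row(row: str) -> Optional[dict]:
    """Split one report row into its registry fields; None for writes outside a Classes root."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    k = KEY_RE.match(m["path"])
    if not k:
        return None
    parts = k["rest"].split("\\")[1:]          # components below the ProgID key
    if m["op"].startswith("Set value"):        # last component names the value ("" = default)
        value_name, subkey = (parts[-1] if parts else ""), "\\".join(parts[:-1])
    else:
        value_name, subkey = None, "\\".join(parts)
    data = m["data"]
    if data is not None:                        # undo the report's quoting of data
        data = data.replace('\\"', '"').replace("\\\\", "\\")
    return {"hive": k["hive"].upper(), "sid": k["sid"], "progid": k["progid"],
            "subkey": subkey, "value_name": value_name, "data": data, "process": m["process"]}


def reconstruct_handlers(rows: List[str]) -> List[ProtocolHandler]:
    """Fold the rows into handlers; only ProgIDs carrying "URL Protocol" count as schemes."""
    handlers: Dict[tuple, ProtocolHandler] = {}
    for ev in filter(None, map(parse_row, rows)):
        key = (ev["hive"], ev["sid"], ev["progid"].lower())
        h = handlers.setdefault(key, ProtocolHandler(ev["hive"], ev["sid"], ev["progid"], ev["process"]))
        name, sub = ev["value_name"], ev["subkey"].lower()
        if name is None:
            continue                            # key creation carries no data
        if sub == "" and name == "":
            h.display_name = ev["data"] or ""
        elif sub == "" and name.lower() == "url protocol":
            h.url_protocol = True
        elif sub == "shell\\open\\command" and name == "":
            h.command = ev["data"]
    return [h for h in handlers.values() if h.url_protocol]


def risk_flags(h: ProtocolHandler) -> List[str]:
    """Properties worth calling out for a scheme handler found in a sandbox run."""
    flags = []
    if h.hive == "USER":
        flags.append("per-user")                # HKCU\Software\Classes: no admin rights, wins over HKLM in HKCR
    if h.command:
        exe = h.command[1:].split('"', 1)[0] if h.command.startswith('"') else h.command.split(" ", 1)[0]
        if USER_WRITABLE.search(exe):
            flags.append("binary-in-user-writable-path")
        if '"%1"' in h.command:
            flags.append("url-in-argv")         # the whole URL reaches the handler as one quoted argument
        elif "%1" in h.command:
            flags.append("url-in-argv-unquoted")  # worse: the URL can split into several arguments
    return flags


if __name__ == "__main__":
    for h in reconstruct_handlers(REPORT_ROWS):
        print(f"{h.scheme}: ({h.display_name}) -> {h.command}  [{', '.join(risk_flags(h))}]")
```

On the report's rows this yields one handler, fcade ("Fightcade"), whose command is the sample in Temp with "%1", flagged per-user, binary-in-user-writable-path and url-in-argv. Feeding it the behavioral2 rows gives the same result under the other SID.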

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe N/A

As in the win7 run: the privilege is enabled and no target process is recorded.

Processes

C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\73ee6681043bed0a66e411cbfd6e84f5_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Every destination here is Google DNS (8.8.8.8) or a Microsoft Bing endpoint (www.bing.com, g.bing.com, tse1.mm.bing.net), plus PTR lookups of the addresses contacted. That is the background traffic a Windows 10 image generates on its own (Start-menu search and tile content), and the table attributes none of it to a process. The win7 run recorded no network activity, and neither run shows a connection attributable to the sample.

Files

The extracted runtime is byte-identical to the win7 run (the same MD5, SHA1, SHA256 and SHA512 for every file), as expected for content carried inside the bundle; only the _MEI directory number, which is the bootloader's process ID, differs.

C:\Users\Admin\AppData\Local\Temp\_MEI19882\python27.dll

MD5 ceb92a7366bd07a460c98303385ef9c4
SHA1 e91ef3e144ef17b6acc0c645caf0d4262b1f67dc
SHA256 cdbb2b0eb55004276cfdf563ee7a0fbdb3cacbf8609334847bd13c1833bb31bc
SHA512 6b24b5143b2fb95af6cf567b6ead27bee3f2b1e35727861385199e7f23edc3675423961a2d9a0ffbb686f1d2fc148f246f4381b1b3af0eecd7e8747dedb8088d

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\_ctypes.pyd

MD5 6daf8b55801a602f84d7d568a142459c
SHA1 57a80ca9621b282727d45caa5ae1c5e3c7e93f60
SHA256 66d0cb13569e9798b04c5d049cff25bd4c7c8e7ddd885b62f523d90a65d0ce88
SHA512 abb1c17aea3edb46c096ca3d8cbf74c9dccad36a7b83be8cf30697760ad49f3bd3a38dc4ff1f0b715ad7996c3a23ea1c855fffd62af01d15935abc73378dcc2e

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_socket.pyd

MD5 3986998b3753483f8b28c721fef6f8e4
SHA1 2ef3c0fac94c85276721ee2980f49b1bafef597d
SHA256 cbc23d6c2e3e2950452c7d255da1452338301a4c9a0b09eba83287709d2a5000
SHA512 258e2805440b36e20702c1447597698ef18a5a7f890cfece55bd4f797073c87e7bde659db3e2474e9b998213d76e2c3d5221659c6827237e06b3b6f4b3643ae6

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\select.pyd

MD5 e6ecff0d1588fed3a61edc1a1a5eb9bb
SHA1 2a3913a69dbdda8aefbe1f290753435979791a37
SHA256 345969d43b33717415bd5796d5a7b266592dc79a96543714828ff8fc1f249d18
SHA512 f59b356833840126f31f70ddb0e7f661db8528d82aa9450e299b81fe5adda35d44f3bceb52fb27e6843cf497211470f439a232c73245f8c606b31cb13322cd6f

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\_hashlib.pyd

MD5 55a29ec9721c509a5b20d1a037726cfa
SHA1 eaba230581d7b46f316d6603ea15c1e3c9740d04
SHA256 dbdcf9e8cba52043b5246ad0d234da8ba4d6534b326bbbb28a6a391edf6fa4ce
SHA512 e1a2993d4dd5f2e81f299fe158ee6d1f8ef95983113c9bea9a087e42205ff06ac563762de5a0b70b535efe8cf9f980ffc14c1318aaf58de3644277e3602e0ab3

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_ssl.pyd

MD5 9be53b53c1ec6b56663f45464edfcde9
SHA1 f8f5dd5640d594a2b53f5bbd12893c11cf4b7d55
SHA256 b572bf14ca3d3e5158b89314b6fe2129a753edaca1958e252784561f33f9ecda
SHA512 a52727b54a03246b74460a2741324b371ccaa083a4f3123fd1175a3061d3b6707ddbaaa73b3e39435cffd8d3018ee2dee8bad6c58a17faa55b6d05a3b38ee78b

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\bz2.pyd

MD5 813c016e2898c6a2c1825b586de0ae61
SHA1 7113efcccb6ab047cdfdb65ba4241980c88196f4
SHA256 693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724
SHA512 dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\unicodedata.pyd

MD5 a46e180e03ab5c2d802b8e6214067500
SHA1 5de5efbce2e6e81b6b954b843090b387b7ba927e
SHA256 689e5061cefda6223477a6a05906a500d59bd1b2a7458730b8d43c9d3b43bdba
SHA512 68bd7ae714fb4f117eb53a0fb968083772aaeaa6428ae8510e5c109361b140c98415a1955fca49db3e9e1b6ae19909e9c50110f499306476d01141c479c16335

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\psutil._psutil_windows.pyd

MD5 a111ff7c807b19406da97c7df827a789
SHA1 2753625ca7112a4a785a594473d534892adb55f1
SHA256 8d178f3ff30f972f182056cc96faeff26b9bbaea0666ed7e13d3ec2c30765d92
SHA512 fafdf88d9c0b363c047461bb9a6e44481b5c44ad868d59773805f73b4e4cb4488591e4421b48eb7cd18d9640fae03505cbb5ee78dbd8c61dcb6443ab51da6f0f