Malware Analysis Report

2025-05-05 21:13

Sample ID 240626-sd5jpssejq
Target 1263d2b17af917e0cafc16054004eac3_JaffaCakes118
SHA256 588648051c60c353b5541b78d13a94a09802d3d332cf5aaf57b4aaf5c02559fa
Tags: pyinstaller

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 588648051c60c353b5541b78d13a94a09802d3d332cf5aaf57b4aaf5c02559fa

Threat level: shows suspicious behavior.

The file 1263d2b17af917e0cafc16054004eac3_JaffaCakes118 was classified as showing suspicious behavior: it is an unsigned, PyInstaller-packed Python program that, in the Windows 10 run, repeatedly connected to an ngrok TCP tunnel endpoint. The report assigns no malware family; its only tag is pyinstaller.

Malicious Activity Summary

Signatures aggregated across the static and behavioral runs below:

pyinstaller (tag)

Detects Pyinstaller

Unsigned PE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of WriteProcessMemory (listed here only; no detail rows for it appear in the per-run sections)

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are recorded in this report.

Analysis: static1

Detonation Overview

Reported

2024-06-26 15:01

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
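The "Detects Pyinstaller" hit above is a match on the archive cookie that PyInstaller's onefile bootloader appends to the executable. The following is an added example (this editor's code, not the sandbox's signature and not PyInstaller project code) that locates that cookie, reads the archive's table of contents and pulls out an entry, the way the pyinstxtractor tool does. The struct layouts are those of PyInstaller's bootloader; build_sample() fabricates a minimal archive for the demonstration and is not the analysed binary, and the entry names and script text inside it are invented.

```python
import struct
import zlib

# A PyInstaller onefile executable is a bootloader PE with a "CArchive" appended as
# overlay. The archive ends in a fixed cookie whose 8-byte magic is what static
# "Detects Pyinstaller" signatures match. Layouts follow the bootloader's
# pyi_archive.c and the pyinstxtractor tool.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE20_FMT = "!8siiii"      # PyInstaller 2.0: magic, package length, TOC offset, TOC length, python version
COOKIE21_FMT = "!8sIIii64s"   # PyInstaller 2.1+: the same plus the python DLL name, e.g. python39.dll
TOC_HEAD_FMT = "!iIIIBc"      # entry length, data offset, compressed length, raw length, compressed?, type code
TOC_HEAD_SIZE = struct.calcsize(TOC_HEAD_FMT)
TYPE_CODES = {b"s": "script", b"m": "module", b"M": "package", b"b": "binary",
              b"x": "data", b"z": "pyz", b"Z": "pyz", b"o": "option"}


def find_cookie(blob):
    """Offset of the archive cookie, or -1. The archive is the last thing in the
    file, so the last occurrence is the real cookie even when the bootloader's own
    code also contains the magic constant."""
    return blob.rfind(MAGIC)


def parse_pyinstaller(blob):
    """Return None if blob carries no PyInstaller archive, else its python version,
    bundled python library and table of contents."""
    pos = find_cookie(blob)
    if pos < 0:
        return None
    # A 2.1+ cookie has the python library name right after the 2.0-sized fields.
    c20 = struct.calcsize(COOKIE20_FMT)
    fmt = COOKIE21_FMT if b"python" in blob[pos + c20:pos + c20 + 64].lower() else COOKIE20_FMT
    size = struct.calcsize(fmt)
    if pos + size > len(blob):
        return None                            # truncated cookie: not a usable archive
    fields = struct.unpack(fmt, blob[pos:pos + size])
    _, pkg_len, toc_off, toc_len, pyver = fields[:5]
    pylib = fields[5].rstrip(b"\x00").decode("ascii", "replace") if len(fields) > 5 else ""
    # Old builds encode 3.9 as 39, newer ones as 309.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    pkg_start = pos + size - pkg_len           # package length counts the cookie itself
    cur, end = pkg_start + toc_off, pkg_start + toc_off + toc_len
    entries = []
    while cur + TOC_HEAD_SIZE <= end:
        entry_len, off, clen, ulen, flag, typ = struct.unpack(TOC_HEAD_FMT, blob[cur:cur + TOC_HEAD_SIZE])
        if entry_len < TOC_HEAD_SIZE:
            break                              # corrupt entry; stop rather than loop forever
        name = blob[cur + TOC_HEAD_SIZE:cur + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_CODES.get(typ, typ.decode("latin-1")),
                        "compressed": bool(flag), "offset": pkg_start + off,
                        "clen": clen, "size": ulen})
        cur += entry_len
    return {"python": f"{major}.{minor}", "pylib": pylib, "entries": entries}


def extract_entry(blob, entry):
    """Raw bytes of one TOC entry; zlib-inflated when the entry is compressed."""
    raw = blob[entry["offset"]:entry["offset"] + entry["clen"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def build_sample():
    """Constructed test input, not the analysed binary: a stand-in for the bootloader
    followed by a two-entry archive (a compressed entry script and a stored DLL)."""
    script = b"import socket\nsocket.create_connection(('2.tcp.ngrok.io', 10416))\n"
    dll = b"MZ" + b"\x00" * 30
    items = [("main", b"s", script, True), ("python39.dll", b"b", dll, False)]
    data, toc = b"", b""
    for name, typ, payload, compress in items:
        body = zlib.compress(payload) if compress else payload
        nm = name.encode() + b"\x00"
        toc += struct.pack(TOC_HEAD_FMT, TOC_HEAD_SIZE + len(nm), len(data), len(body),
                           len(payload), int(compress), typ) + nm
        data += body
    pkg_len = len(data) + len(toc) + struct.calcsize(COOKIE21_FMT)
    cookie = struct.pack(COOKIE21_FMT, MAGIC, pkg_len, len(data), len(toc), 309, b"python39.dll")
    return b"FAKE-BOOTLOADER-STUB" + data + toc + cookie


if __name__ == "__main__":
    sample = build_sample()
    info = parse_pyinstaller(sample)
    print("python", info["python"], "via", info["pylib"])
    for e in info["entries"]:
        print(f'{e["type"]:7} {e["name"]:14} {e["size"]} bytes')
    print(extract_entry(sample, info["entries"][0]).decode())
```

To use it on a real sample, pass the file's bytes to parse_pyinstaller(): the pyz entry holds the compiled modules and the script entries are the program's own code, which is where analysis of a bundle like this one starts. The magic check alone is all a static signature such as the one above does; the packer says nothing about whether the payload is malicious, which is why the report's score rests on the behavioral runs.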

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 15:01

Reported

2024-06-26 15:04

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"

Signatures

None recorded for this run.

Processes

C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"

The same executable appears twice because a PyInstaller onefile bootloader unpacks its bundled runtime into %TEMP%\_MEIxxxxx (here _MEI24322, see Files) and then runs a second copy of itself as a child process that executes the Python payload. Two instances of the sample are the expected shape of such a bundle, not a sign of injection into another program.

Network

N/A: no network activity was recorded in this Windows 7 run, and only python39.dll was captured as dropped. The Windows 10 run (behavioral2) is the one that reached the C2 stage.

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24322\python39.dll

MD5 11c051f93c922d6b6b4829772f27a5be
SHA1 42fbdf3403a4bc3d46d348ca37a9f835e073d440
SHA256 0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c
SHA512 1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 15:01

Reported

2024-06-26 15:04

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"

Signatures

Loads dropped DLL

17 events, all from the process C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe; the sandbox recorded no per-event indicator or target. The count is consistent with the 17 DLL and .pyd files dropped into _MEI44682 (see Files below): the bootloader unpacks the CPython runtime and its extension modules into %TEMP% and loads them from there.

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe N/A (17 identical rows)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.ngrok.io N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"

The two entries are the PyInstaller bootloader and the child copy of itself that it starts after unpacking the runtime into _MEI44682; the child is the process that runs the Python payload and produces the network activity below.

Network

The report's 35 log rows are collapsed below by destination; the original listing interleaves 18 separate TCP connections to the ngrok endpoint with the DNS traffic.

Country Destination Domain Proto Count
US 3.22.53.161:10416 2.tcp.ngrok.io tcp 18
US 150.171.27.10:443 tse1.mm.bing.net tcp 4
US 8.8.8.8:53 2.tcp.ngrok.io udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp 1
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp 1
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp 1
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp 1

The only TCP peer outside Microsoft's infrastructure is 2.tcp.ngrok.io on port 10416: an ngrok TCP tunnel, meaning the operator's listener is reached through ngrok's shared edge rather than on infrastructure the operator owns. The 18 reconnects over a roughly two-minute run look like a client polling or re-establishing a session, but the report does not capture the payload, so the protocol is unknown. The hostname and port identify this tunnel only while it is live; ngrok assigns both per tunnel, so detection and blocking should key on the *.tcp.ngrok.io pattern rather than on 3.22.53.161:10416 alone.

tse1.mm.bing.net on 443 is a Microsoft CDN host that Windows 10 typically contacts on its own, and nothing in this report ties it to the sample's process. The in-addr.arpa queries are reverse lookups of peers the VM had already contacted (10.27.171.150.in-addr.arpa, for example, is the PTR name for 150.171.27.10); they are lookup noise, not indicators for the sample.
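The ngrok indicator and the network table above are the basis of the "legitimate hosting services abused" signature. As an added example (this editor's code, not the sandbox's signature logic), the script below parses rows in the report's table format, collapses them into per-destination IOCs, classifies tunnel-service hostnames and emits Suricata rules for both the durable indicator (the tunnel hostname pattern) and the volatile one (this tunnel's edge host and port). The rows in SAMPLE_ROWS are a subset copied from the table above; the tunnel suffix list and the treatment of reverse-DNS rows as noise are this example's assumptions, and the rule syntax assumes Suricata 5 or later.

```python
import re
from collections import Counter

# Hostnames of hosted tunnel services. A sandbox sample whose only non-Microsoft TCP
# peer is one of these is the "legitimate hosting services abused for C2" pattern:
# the operator runs the listener behind the tunnel and the client talks to a shared edge.
# Suffix list is this example's assumption, not the sandbox's.
TUNNEL_SUFFIXES = (".tcp.ngrok.io", ".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".ngrok.dev")

# Rows copied from the report's network table above (a subset, to keep the example short).
SAMPLE_ROWS = """
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.ngrok.io udp
US 3.22.53.161:10416 2.tcp.ngrok.io tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 3.22.53.161:10416 2.tcp.ngrok.io tcp
US 3.22.53.161:10416 2.tcp.ngrok.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 3.22.53.161:10416 2.tcp.ngrok.io tcp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; lines that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def classify(domain):
    if domain.endswith(".in-addr.arpa"):
        return "reverse-dns"        # PTR lookups of peers already contacted: sandbox/OS noise
    if domain == "ngrok.io" or domain.endswith(TUNNEL_SUFFIXES):
        return "tunnel-service"
    return "other"                  # e.g. tse1.mm.bing.net: treated as Windows background
                                    # traffic unless the process tree ties it to the sample


def triage(text):
    """Collapse the log into per-destination IOCs and a verdict on tunnel-based C2."""
    rows = parse_rows(text)
    tcp = Counter((r["domain"], r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    iocs = [{"domain": d, "ip": ip, "port": p, "connections": n, "class": classify(d)}
            for (d, ip, p), n in sorted(tcp.items(), key=lambda kv: -kv[1])]
    tunnel = [i for i in iocs if i["class"] == "tunnel-service"]
    noise = sum(1 for r in rows if classify(r["domain"]) == "reverse-dns")
    verdict = "tunnel-service C2 endpoint contacted" if tunnel else "no tunnel service contacted"
    return {"iocs": iocs, "tunnel": tunnel, "reverse_dns_lookups": noise, "verdict": verdict}


def suricata_rules(tunnel_iocs, sid_base=9000001):
    """One rule on the durable indicator (any ngrok tunnel hostname in a DNS query) and
    one per volatile indicator (this tunnel's edge host:port, which ngrok reassigns)."""
    rules = [f'alert dns $HOME_NET any -> any any (msg:"DNS lookup for ngrok tunnel host"; '
             f'dns.query; content:".ngrok.io"; nocase; endswith; sid:{sid_base}; rev:1;)']
    for n, i in enumerate(tunnel_iocs, start=1):
        rules.append(f'alert tcp $HOME_NET any -> {i["ip"]} {i["port"]} '
                     f'(msg:"Connection to ngrok tunnel edge {i["domain"]}"; flow:to_server; '
                     f'sid:{sid_base + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(result["verdict"])
    for i in result["iocs"]:
        print(f'{i["class"]:15} {i["domain"]:20} {i["ip"]}:{i["port"]}  x{i["connections"]}')
    print("\n".join(suricata_rules(result["tunnel"])))
```

The host:port rule is worth deploying only for the duration of an incident; the DNS rule on the hostname suffix is the one that survives the operator restarting the tunnel and getting a new edge and port.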

Files

Everything below was unpacked by the bootloader into _MEI44682. The set is stock CPython 3.9 runtime material (python39.dll, python3.DLL, VCRUNTIME140.dll, libffi-7.dll, base_library.zip and standard-library .pyd modules) plus third-party extension modules from pywin32 (win32api, win32event, pywintypes39, pythoncom39), cffi and cryptography. Their hashes identify the packaging toolchain, not the payload: the program's own script and compiled modules live inside the executable's PyInstaller archive and are not listed here. A dependency set of sockets, pywin32 and cryptography is what a Python remote-access tool would typically pull in, which is consistent with the ngrok traffic above, but the report does not recover the script itself.

C:\Users\Admin\AppData\Local\Temp\_MEI44682\python39.dll

MD5 11c051f93c922d6b6b4829772f27a5be
SHA1 42fbdf3403a4bc3d46d348ca37a9f835e073d440
SHA256 0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c
SHA512 1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

C:\Users\Admin\AppData\Local\Temp\_MEI44682\VCRUNTIME140.dll

MD5 8697c106593e93c11adc34faa483c4a0
SHA1 cd080c51a97aa288ce6394d6c029c06ccb783790
SHA256 ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
SHA512 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

C:\Users\Admin\AppData\Local\Temp\_MEI44682\base_library.zip

MD5 b885535007f6a62ce17401e6d6605121
SHA1 2eff535379685dd3889ee75c88952b5882fb346e
SHA256 57272e17d4d092b5777e6fec87d792c45a2affaa791e8676b064d793d580d5f3
SHA512 c227cc8f131b01ac6dce1b3bfd01a56e24ea8ac4dd38a1da3619d92bd9b24d100f5e8812c6d5cbfe5beaf28b425147ef16bf150ae8a01ddc710a49f81d376718

C:\Users\Admin\AppData\Local\Temp\_MEI44682\_ctypes.pyd

MD5 29da9b022c16da461392795951ce32d9
SHA1 0e514a8f88395b50e797d481cbbed2b4ae490c19
SHA256 3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372
SHA512 5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a

C:\Users\Admin\AppData\Local\Temp\_MEI44682\python3.DLL

MD5 3c88de1ebd52e9fcb46dc44d8a123579
SHA1 7d48519d2a19cac871277d9b63a3ea094fbbb3d9
SHA256 2b22b6d576118c5ae98f13b75b4ace47ab0c1f4cd3ff098c6aee23a8a99b9a8c
SHA512 1e55c9f7ac5acf3f7262fa2f3c509ee0875520bb05d65cd68b90671ac70e8c99bce99433b02055c07825285004d4c5915744f17eccfac9b25e0f7cd1bee9e6d3

C:\Users\Admin\AppData\Local\Temp\_MEI44682\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI44682\_socket.pyd

MD5 f5dd9c5922a362321978c197d3713046
SHA1 4fbc2d3e15f8bb21ecc1bf492f451475204426cd
SHA256 4494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626
SHA512 ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99

C:\Users\Admin\AppData\Local\Temp\_MEI44682\select.pyd

MD5 7a442bbcc4b7aa02c762321f39487ba9
SHA1 0fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83
SHA256 1dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad
SHA512 3433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c

C:\Users\Admin\AppData\Local\Temp\_MEI44682\pywintypes39.dll

MD5 72511a9c3a320bcdbeff9bedcf21450f
SHA1 7a7af481fecbaf144ae67127e334b88f1a2c1562
SHA256 c06a570b160d5fd8030b8c7ccba64ce8a18413cb4f11be11982756aa4a2b6a80
SHA512 0d1682bb2637834bd8cf1909ca8dbeff0ea0da39687a97b5ef3d699210dc536d5a49a4f5ff9097cabd8eb65d8694e02572ff0fdabd8b186a3c45cd66f23df868

C:\Users\Admin\AppData\Local\Temp\_MEI44682\_bz2.pyd

MD5 6c7565c1efffe44cb0616f5b34faa628
SHA1 88dd24807da6b6918945201c74467ca75e155b99
SHA256 fe63361f6c439c6aa26fd795af3fd805ff5b60b3b14f9b8c60c50a8f3449060a
SHA512 822445c52bb71c884461230bb163ec5dee0ad2c46d42d01cf012447f2c158865653f86a933b52afdf583043b3bf8ba7011cc782f14197220d0325e409aa16e22

C:\Users\Admin\AppData\Local\Temp\_MEI44682\_lzma.pyd

MD5 b5355dd319fb3c122bb7bf4598ad7570
SHA1 d7688576eceadc584388a179eed3155716c26ef5
SHA256 b9bc7f1d8aa8498cb8b5dc75bb0dbb6e721b48953a3f295870938b27267fb5f5
SHA512 0e228aa84b37b4ba587f6d498cef85aa1ffec470a5c683101a23d13955a8110e1c0c614d3e74fb0aa2a181b852bceeec0461546d0de8bcbd3c58cf9dc0fb26f5

C:\Users\Admin\AppData\Local\Temp\_MEI44682\win32api.pyd

MD5 99a3fc100cd43ad8d4bf9a2975a2192f
SHA1 cf37b7e17e51e7823b82b77c88145312df5b78cc
SHA256 1665ad12ad7cbf44ae63a622e8b97b5fd2ed0a092dfc5db8f09a9b6fdc2d57e7
SHA512 c0a60d5333925ce306ceb2eb38e13c6bae60d2663d70c37ecfc81b7346d12d9346550cb229d7c4f58d04dd182536d799e6eff77996d712fc177b1f5af7f4a4f2

C:\Users\Admin\AppData\Local\Temp\_MEI44682\pythoncom39.dll

MD5 778867d6c0fff726a86dc079e08c4449
SHA1 45f9b20f4bf27fc3df9fa0d891ca6d37da4add84
SHA256 5dfd4ad6ed4cee8f9eda2e39fe4da2843630089549c47c7adda8a3c74662698a
SHA512 5865cb730aa90c9ac95702396e5c9f32a80ff3a7720e16d64010583387b6dbd76d30426f77ab96ecb0e79d62262e211a4d08eae28109cd21846d51ed4256b8ea

C:\Users\Admin\AppData\Local\Temp\_MEI44682\_queue.pyd

MD5 4ab2ceb88276eba7e41628387eacb41e
SHA1 58f7963ba11e1d3942414ef6dab3300a33c8a2bd
SHA256 d82ab111224c54bab3eefdcfeb3ba406d74d2884518c5a2e9174e5c6101bd839
SHA512 b0d131e356ce35e603acf0168e540c89f600ba2ab2099ccf212e0b295c609702ac4a7b0a7dbc79f46eda50e7ea2cf09917832345dd8562d916d118aba2fa3888

C:\Users\Admin\AppData\Local\Temp\_MEI44682\unicodedata.pyd

MD5 8320c54418d77eba5d4553a5d6ec27f9
SHA1 e5123cf166229aebb076b469459856a56fb16d7f
SHA256 7e719ba47919b668acc62008079c586133966ed8b39fec18e312a773cb89edae
SHA512 b9e6cdcb37d26ff9c573381bda30fa4cf1730361025cd502b67288c55744962bdd0a99790cedd4a48feef3139e3903265ab112ec545cb1154eaa2a91201f6b34

C:\Users\Admin\AppData\Local\Temp\_MEI44682\win32event.pyd

MD5 9075789a18d8840a5c440e0226be7405
SHA1 60c04fc2f6f82328c552b0460e3567c91554ee2c
SHA256 bf12821fec798cfde4010551e3be4f9aa07d7facb1253c32357bbfa43ed80d8d
SHA512 24ef97ac9d3b25db16dd3eaa185edc58a43e75dd729c31615c0fa7aa09cc05c61d93297a343f35b24548eb3b0631fb79201c0ea8f36503b5994ad1cdbcf9319c

C:\Users\Admin\AppData\Local\Temp\_MEI44682\_cffi_backend.cp39-win_amd64.pyd

MD5 f5bf6a2926c1106cc6b72dca1157e04f
SHA1 58875e55b42def38bb748c5f70cd37ae93d44ef2
SHA256 3d3aeb22fd97a8bd2fee53412ce43466c76f22a1fd918b769ab6a58bf859d5a2
SHA512 95610daabc3c150f606184feb66459e30a3a0b509a7adf40806601d83e821c5d5f5afc2af8d0eb1cad92cabf6d3aff21c9a35094fba1cfa8faed5293a8f2c986

C:\Users\Admin\AppData\Local\Temp\_MEI44682\cryptography\hazmat\bindings\_padding.pyd

MD5 6367c1887237fec67b88bb37b90ac8b2
SHA1 cdcdfaa67d69636082a4eafdc2cc3346fe3c6267
SHA256 28a496d00b1f388558b56defa8ebb3db629f01a6ef669782754a7a96cb5a2980
SHA512 199dd521daae09c0ceb69dd7b58487294f173b017fcadf5d6121736cc45ee61579fe2f4fbd99c40e3428be55f53846e13bc2622ed61bf35d5d9ca1fd26f29ca0