Analysis Overview
SHA256
588648051c60c353b5541b78d13a94a09802d3d332cf5aaf57b4aaf5c02559fa
Threat Level: Shows suspicious behavior
The file 1263d2b17af917e0cafc16054004eac3_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 15:01
Signatures
Detects Pyinstaller
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 15:01
Reported
2024-06-26 15:04
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2432 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python39.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 15:01
Reported
2024-06-26 15:04
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4468 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1263d2b17af917e0cafc16054004eac3_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI44682\python39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI44682\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI44682\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI44682\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\python3.DLL
C:\Users\Admin\AppData\Local\Temp\_MEI44682\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI44682\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\pywintypes39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI44682\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\win32api.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\pythoncom39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI44682\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\win32event.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\_cffi_backend.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI44682\cryptography\hazmat\bindings\_padding.pyd