Analysis Overview
SHA256
3dcf1ef8cd50a04198bc7d8392f1512ae50f0fc8f195b98d25831d695826306b
Threat Level: Known bad
The file 14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-27 04:43
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 04:43
Reported
2024-06-27 04:46
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobaltstrike
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2560 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe |
| PID 2560 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| JP | 207.148.112.209:443 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| JP | 207.148.112.209:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 207.148.112.209:443 | | tcp |
| JP | 207.148.112.209:443 | | tcp |
| JP | 207.148.112.209:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| JP | 207.148.112.209:443 | | tcp |
| JP | 207.148.112.209:443 | | tcp |
| JP | 207.148.112.209:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI25602\loader.exe.manifest
| MD5 | 2aeec77fe026972dfb7f8ff8a14dc9c2 |
| SHA1 | aa619632e32027b0430c7d8d9e294971ac8e4595 |
| SHA256 | 3d555efb9aedd7a6444d0366e772db410c3ecd9a2da785c22fb97475b0758fbf |
| SHA512 | f0929def24035123ac1949bd93715c7e80652c301c3514d4e9d731cee6deca0a753c376496f6ae2433bcdfcb537c855c504f0bd44442832b012f52edbc8ac076 |
C:\Users\Admin\AppData\Local\Temp\_MEI25602\ucrtbase.dll
| MD5 | 126821f73fd9ffce6e091cf9480e1b60 |
| SHA1 | d10bbe9b65c2c6f8fca6850d0b79cbc6ef04d691 |
| SHA256 | 7b28f46f0a09cfd9129109a94b1c16c9c62eef46c09113c4c585d9bf0e69b2da |
| SHA512 | e61ad6c90551022fc257be95f6296a9f7d5a7aeaabd5349d81b1b31ea69b75dc3397698331f363d9fc2b005d9289a06dc1dcc2078e74b52775e0aae64daea36e |
C:\Users\Admin\AppData\Local\Temp\_MEI25602\python39.dll
| MD5 | 11c051f93c922d6b6b4829772f27a5be |
| SHA1 | 42fbdf3403a4bc3d46d348ca37a9f835e073d440 |
| SHA256 | 0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c |
| SHA512 | 1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6 |
C:\Users\Admin\AppData\Local\Temp\_MEI25602\VCRUNTIME140.dll
| MD5 | 8697c106593e93c11adc34faa483c4a0 |
| SHA1 | cd080c51a97aa288ce6394d6c029c06ccb783790 |
| SHA256 | ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833 |
| SHA512 | 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987 |
C:\Users\Admin\AppData\Local\Temp\_MEI25602\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI25602\select.pyd
| MD5 | 7a442bbcc4b7aa02c762321f39487ba9 |
| SHA1 | 0fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83 |
| SHA256 | 1dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad |
| SHA512 | 3433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c |
memory/1252-999-0x000001DEF6FD0000-0x000001DEF6FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25602\_socket.pyd
| MD5 | f5dd9c5922a362321978c197d3713046 |
| SHA1 | 4fbc2d3e15f8bb21ecc1bf492f451475204426cd |
| SHA256 | 4494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626 |
| SHA512 | ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99 |
C:\Users\Admin\AppData\Local\Temp\_MEI25602\_ctypes.pyd
| MD5 | 29da9b022c16da461392795951ce32d9 |
| SHA1 | 0e514a8f88395b50e797d481cbbed2b4ae490c19 |
| SHA256 | 3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372 |
| SHA512 | 5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a |
C:\Users\Admin\AppData\Local\Temp\_MEI25602\base_library.zip
| MD5 | 81a81220192e1cc8231f0fb84893e8ac |
| SHA1 | 381513ca91bb8ea4c237c2220b0b858f1c8bbb86 |
| SHA256 | 075ec82c1d46cdc2d81d346c9576c73a78547d42076467d5d11a8517850d9b1e |
| SHA512 | 7ca97f218f07137bd050d1f562c9c71d9f11ba6b110e1a13092c53b541896c3d349a967525dcfc6d607d6c3c3ed43cb7518620137c4442f2f8ba6d40f0a8fa13 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 04:43
Reported
2024-06-27 04:46
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2484 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe |
| PID 2484 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe |
| PID 2484 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24842\loader.exe.manifest
| MD5 | 2aeec77fe026972dfb7f8ff8a14dc9c2 |
| SHA1 | aa619632e32027b0430c7d8d9e294971ac8e4595 |
| SHA256 | 3d555efb9aedd7a6444d0366e772db410c3ecd9a2da785c22fb97475b0758fbf |
| SHA512 | f0929def24035123ac1949bd93715c7e80652c301c3514d4e9d731cee6deca0a753c376496f6ae2433bcdfcb537c855c504f0bd44442832b012f52edbc8ac076 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\ucrtbase.dll
| MD5 | 126821f73fd9ffce6e091cf9480e1b60 |
| SHA1 | d10bbe9b65c2c6f8fca6850d0b79cbc6ef04d691 |
| SHA256 | 7b28f46f0a09cfd9129109a94b1c16c9c62eef46c09113c4c585d9bf0e69b2da |
| SHA512 | e61ad6c90551022fc257be95f6296a9f7d5a7aeaabd5349d81b1b31ea69b75dc3397698331f363d9fc2b005d9289a06dc1dcc2078e74b52775e0aae64daea36e |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-localization-l1-2-0.dll
| MD5 | b402ed77d6f31d825bda175dbc0c4f92 |
| SHA1 | 1f2a4b8753b3aae225feac5487cc0011b73c0eb7 |
| SHA256 | 6ed17fb3ca5156b39fbc1ef7d1eefa95e739857607de4cd8d41cecfcd1350705 |
| SHA512 | ec04013139f3fd9dbf22b92121d82b2eb97e136f8619790cde2d0b660280e838962f9006d3e4c3a359627b017f2b6ade7edff3bbc26e559c3de37540585602d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 3d872be898581f00d0310d7ab9abaf2b |
| SHA1 | 420e0ab98bb748723130de414f0ffed117ef3f7e |
| SHA256 | 4de821884cbef4182b29d8c33cfe13e43e130ad58ee1281679e8d40a2edcb8ea |
| SHA512 | 35cfb9888a5f4299403a0d9c57f0ba79e3625431a9acc5e04ae2ae101b3dc521a0dcff5d4a1bf508b25dbf05dd432f6987d860ff494d15538ed95673a8b7376b |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-file-l1-2-0.dll
| MD5 | 9d8413744097196f92327f632a85acee |
| SHA1 | dfc07f5e5a0634dd1f15fdc9ff9731748fbff919 |
| SHA256 | 6878d8168d5cc159efe58f14e5ba10310d99b53ab8495521e54c966994dac50b |
| SHA512 | a8f6e9ee1c5d65f68b8b20d406d3e666c186e15cb3b92575257b5637fe7dd5ac7d75e9ad51c839ba4490512f68f6b48822fc9edd316dd7625d3627d3b975fb2a |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 6c180c8de3ecf27de7a5812ff055737e |
| SHA1 | 3aad20b71bb374bb2c5f7431a1b75b60956a01fd |
| SHA256 | 630466fd77ac7009c947a8370a0d0c20652169824c54ddcb8c05e8df45e23197 |
| SHA512 | e4aa79eb2b6b3be9b545e8cb8b43cd6052036dc5cce7077be40441b9942931b30d76c475d550a178d4e94c9c366cabc852f500e482b7fdcd361fc2a08e41c00e |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-file-l2-1-0.dll
| MD5 | 361c6bcfcea263749419b0fbed7a0ce8 |
| SHA1 | 03db13108ce9d5fc01cecf3199619ffbccbd855a |
| SHA256 | b74aefd6fa638be3f415165c8109121a2093597421101abc312ee7ffa1130278 |
| SHA512 | aa8b585000cc65f9841b938e4523d91d8f6db650e0b4bb11efd740c27309bf81cdb77f05d0beda2489bf26f4fbc6d02c93ce3b64946502e2c044eea89696cc76 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\python39.dll
| MD5 | 11c051f93c922d6b6b4829772f27a5be |
| SHA1 | 42fbdf3403a4bc3d46d348ca37a9f835e073d440 |
| SHA256 | 0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c |
| SHA512 | 1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6 |