Malware Analysis Report

2024-10-23 18:49

Sample ID 240627-fck3fsvhqn
Target 14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118
SHA256 3dcf1ef8cd50a04198bc7d8392f1512ae50f0fc8f195b98d25831d695826306b
Tags
cobaltstrike backdoor trojan pyinstaller
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3dcf1ef8cd50a04198bc7d8392f1512ae50f0fc8f195b98d25831d695826306b

Threat Level: Known bad

The file 14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cobaltstrike backdoor trojan pyinstaller

Cobaltstrike

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-27 04:43

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 04:43

Reported

2024-06-27 04:46

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
JP 207.148.112.209:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
JP 207.148.112.209:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
JP 207.148.112.209:443 tcp
JP 207.148.112.209:443 tcp
JP 207.148.112.209:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
JP 207.148.112.209:443 tcp
JP 207.148.112.209:443 tcp
JP 207.148.112.209:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI25602\loader.exe.manifest

MD5 2aeec77fe026972dfb7f8ff8a14dc9c2
SHA1 aa619632e32027b0430c7d8d9e294971ac8e4595
SHA256 3d555efb9aedd7a6444d0366e772db410c3ecd9a2da785c22fb97475b0758fbf
SHA512 f0929def24035123ac1949bd93715c7e80652c301c3514d4e9d731cee6deca0a753c376496f6ae2433bcdfcb537c855c504f0bd44442832b012f52edbc8ac076

C:\Users\Admin\AppData\Local\Temp\_MEI25602\ucrtbase.dll

MD5 126821f73fd9ffce6e091cf9480e1b60
SHA1 d10bbe9b65c2c6f8fca6850d0b79cbc6ef04d691
SHA256 7b28f46f0a09cfd9129109a94b1c16c9c62eef46c09113c4c585d9bf0e69b2da
SHA512 e61ad6c90551022fc257be95f6296a9f7d5a7aeaabd5349d81b1b31ea69b75dc3397698331f363d9fc2b005d9289a06dc1dcc2078e74b52775e0aae64daea36e

C:\Users\Admin\AppData\Local\Temp\_MEI25602\python39.dll

MD5 11c051f93c922d6b6b4829772f27a5be
SHA1 42fbdf3403a4bc3d46d348ca37a9f835e073d440
SHA256 0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c
SHA512 1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

C:\Users\Admin\AppData\Local\Temp\_MEI25602\VCRUNTIME140.dll

MD5 8697c106593e93c11adc34faa483c4a0
SHA1 cd080c51a97aa288ce6394d6c029c06ccb783790
SHA256 ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
SHA512 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

C:\Users\Admin\AppData\Local\Temp\_MEI25602\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI25602\select.pyd

MD5 7a442bbcc4b7aa02c762321f39487ba9
SHA1 0fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83
SHA256 1dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad
SHA512 3433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c

memory/1252-999-0x000001DEF6FD0000-0x000001DEF6FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI25602\_socket.pyd

MD5 f5dd9c5922a362321978c197d3713046
SHA1 4fbc2d3e15f8bb21ecc1bf492f451475204426cd
SHA256 4494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626
SHA512 ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99

C:\Users\Admin\AppData\Local\Temp\_MEI25602\_ctypes.pyd

MD5 29da9b022c16da461392795951ce32d9
SHA1 0e514a8f88395b50e797d481cbbed2b4ae490c19
SHA256 3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372
SHA512 5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a

C:\Users\Admin\AppData\Local\Temp\_MEI25602\base_library.zip

MD5 81a81220192e1cc8231f0fb84893e8ac
SHA1 381513ca91bb8ea4c237c2220b0b858f1c8bbb86
SHA256 075ec82c1d46cdc2d81d346c9576c73a78547d42076467d5d11a8517850d9b1e
SHA512 7ca97f218f07137bd050d1f562c9c71d9f11ba6b110e1a13092c53b541896c3d349a967525dcfc6d607d6c3c3ed43cb7518620137c4442f2f8ba6d40f0a8fa13

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 04:43

Reported

2024-06-27 04:46

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\14b8871a783f6d8d8f335b503e6dc7b2_JaffaCakes118.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24842\loader.exe.manifest

MD5 2aeec77fe026972dfb7f8ff8a14dc9c2
SHA1 aa619632e32027b0430c7d8d9e294971ac8e4595
SHA256 3d555efb9aedd7a6444d0366e772db410c3ecd9a2da785c22fb97475b0758fbf
SHA512 f0929def24035123ac1949bd93715c7e80652c301c3514d4e9d731cee6deca0a753c376496f6ae2433bcdfcb537c855c504f0bd44442832b012f52edbc8ac076

C:\Users\Admin\AppData\Local\Temp\_MEI24842\ucrtbase.dll

MD5 126821f73fd9ffce6e091cf9480e1b60
SHA1 d10bbe9b65c2c6f8fca6850d0b79cbc6ef04d691
SHA256 7b28f46f0a09cfd9129109a94b1c16c9c62eef46c09113c4c585d9bf0e69b2da
SHA512 e61ad6c90551022fc257be95f6296a9f7d5a7aeaabd5349d81b1b31ea69b75dc3397698331f363d9fc2b005d9289a06dc1dcc2078e74b52775e0aae64daea36e

C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-localization-l1-2-0.dll

MD5 b402ed77d6f31d825bda175dbc0c4f92
SHA1 1f2a4b8753b3aae225feac5487cc0011b73c0eb7
SHA256 6ed17fb3ca5156b39fbc1ef7d1eefa95e739857607de4cd8d41cecfcd1350705
SHA512 ec04013139f3fd9dbf22b92121d82b2eb97e136f8619790cde2d0b660280e838962f9006d3e4c3a359627b017f2b6ade7edff3bbc26e559c3de37540585602d9

C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-processthreads-l1-1-1.dll

MD5 3d872be898581f00d0310d7ab9abaf2b
SHA1 420e0ab98bb748723130de414f0ffed117ef3f7e
SHA256 4de821884cbef4182b29d8c33cfe13e43e130ad58ee1281679e8d40a2edcb8ea
SHA512 35cfb9888a5f4299403a0d9c57f0ba79e3625431a9acc5e04ae2ae101b3dc521a0dcff5d4a1bf508b25dbf05dd432f6987d860ff494d15538ed95673a8b7376b

C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-file-l1-2-0.dll

MD5 9d8413744097196f92327f632a85acee
SHA1 dfc07f5e5a0634dd1f15fdc9ff9731748fbff919
SHA256 6878d8168d5cc159efe58f14e5ba10310d99b53ab8495521e54c966994dac50b
SHA512 a8f6e9ee1c5d65f68b8b20d406d3e666c186e15cb3b92575257b5637fe7dd5ac7d75e9ad51c839ba4490512f68f6b48822fc9edd316dd7625d3627d3b975fb2a

C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-timezone-l1-1-0.dll

MD5 6c180c8de3ecf27de7a5812ff055737e
SHA1 3aad20b71bb374bb2c5f7431a1b75b60956a01fd
SHA256 630466fd77ac7009c947a8370a0d0c20652169824c54ddcb8c05e8df45e23197
SHA512 e4aa79eb2b6b3be9b545e8cb8b43cd6052036dc5cce7077be40441b9942931b30d76c475d550a178d4e94c9c366cabc852f500e482b7fdcd361fc2a08e41c00e

C:\Users\Admin\AppData\Local\Temp\_MEI24842\api-ms-win-core-file-l2-1-0.dll

MD5 361c6bcfcea263749419b0fbed7a0ce8
SHA1 03db13108ce9d5fc01cecf3199619ffbccbd855a
SHA256 b74aefd6fa638be3f415165c8109121a2093597421101abc312ee7ffa1130278
SHA512 aa8b585000cc65f9841b938e4523d91d8f6db650e0b4bb11efd740c27309bf81cdb77f05d0beda2489bf26f4fbc6d02c93ce3b64946502e2c044eea89696cc76

C:\Users\Admin\AppData\Local\Temp\_MEI24842\python39.dll

MD5 11c051f93c922d6b6b4829772f27a5be
SHA1 42fbdf3403a4bc3d46d348ca37a9f835e073d440
SHA256 0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c
SHA512 1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6