Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • submitted
    31/10/2024, 02:26

General

  • Target

    8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe

  • Size

    284KB

  • MD5

    8134e598125e14e6bd192b3bf1a5fa85

  • SHA1

    e6d8f38208f789e5880085c43db65ddb0422df67

  • SHA256

    e13b8ea286f1d029c16412c194919057eb73732b06b0236516fa3971f493974d

  • SHA512

    354dc28b7ebd1be9c1573937c19cce482872908237d90d53c0feac4db3b4d4b8f066bcd3a43088ccdb62b2da8c305ec0912bb8aaf373fdc6d07f3f18293c8ad8

  • SSDEEP

    6144:lIfYOMlH5bmfynhMTMYX5evvwo86JQPDHDdx/Qtq8:ToWhMwYX5e3hPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

  • Pykspa family
  • UAC bypass 3 TTPs 12 IoCs
  • Detect Pykspa worm 1 IoCs
  • Adds policy Run key to start application 2 TTPs 24 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\gntykk.exe
      "C:\Users\Admin\AppData\Local\Temp\gntykk.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:1008
    • C:\Users\Admin\AppData\Local\Temp\gntykk.exe
      "C:\Users\Admin\AppData\Local\Temp\gntykk.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3036

Network

MITRE ATT&CK Enterprise v16

Downloads

        • C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac

          Filesize

          272B

          MD5

          2ff93e17adbef39f5140fd7584782fab

          SHA1

          0d583f223aa0dc9212ce5921adcac454824130d5

          SHA256

          d17f03b074275a9fb904b6c96d67f59d4e8da294a70b74c9007697566505f3b7

          SHA512

          46609c0e4848986ce4c67b33bc249b4179d906a58d08aa226c1dcf3246daefed2b73d00da0f37b3776bc70d49c1eb5653725caa4ea06c0e0dbac77821020de33

        • C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac

          Filesize

          272B

          MD5

          cd20324b24c3a3316dcc9c8a147f451a

          SHA1

          3d19be4a7ff3aef1dd401bc308573fa98fb87727

          SHA256

          255a779d72156d8c622ea472ae23b52f9f4974ef1c2055848bc68f546ad6447a

          SHA512

          9a29adaa3dbd250c0fc07cada4a85ebc71efdf946ce277c54d77bb46c177dc0c3eb40d133df193425a66233732c891ff4323d969d239ca6ab9b2d4c0407ce66f

        • C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac

          Filesize

          272B

          MD5

          b5eb3ceb015e29461b685708ee3b0d1f

          SHA1

          aa08ab133785cff5a06810db1fce2d6555d85d13

          SHA256

          6314329d3951efe28ac1e910a8ec88bf0010bdc480de4cb2fcda649697bce504

          SHA512

          67045daaae4839b04bb077832197189ffd3276b22e1d64b9dc6fcc7e53418a25f20948624fe42df504f806df064f07f98f81624cd3e003e608fd6380f0a48b54

        • C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac

          Filesize

          272B

          MD5

          2361d686cc863f817dd97006fcf2137a

          SHA1

          f045f6a650fc9e2f44ac072de1c88c080cf73e76

          SHA256

          348f23df7d8ac548d30541068e9e950a3739bab9008bb1113f4477c3c7836434

          SHA512

          5e329a1f5f15e6a444ff62062caf34044f74e24d15188c61fc3ea81ca802a441efbea7be3e51a75b456ff268aed23f80a23349ded5901fbe8a6d990143f171be

        • C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac

          Filesize

          272B

          MD5

          edb7fb7176f0e98a66d508e5d12cc3db

          SHA1

          c31ee5476ff54d4b496ada6f49614a7d0481b2d8

          SHA256

          abb9203da8d05c5a4dcbbf13752dc4cb971c81ce95ad7a84e69dbb3c40ab60b7

          SHA512

          7f0b80a63390a78a34dd25738e612d93140cc1feb664c51c2c60511e8090de4230b9506492eeb7c795a21203626ef8adb72346a1efc99faae5d5855787cb0f72

        • C:\Users\Admin\AppData\Local\sdnwmqdkaguglmlfwmqblukobiyesejk.duk

          Filesize

          3KB

          MD5

          1d6c0d0e16bab99e4caea6ea96941e50

          SHA1

          7bff05a7036caefad80a8f27459ae108561e27c9

          SHA256

          3194dbf98acdca12cb762156ee650a292cb23b541ac5632aff70ee12f2973ac4

          SHA512

          78712a27c57ac941d7b137a0d2313c442526a9838f5ad300146f1aed34f9420aae5d1321667e12179a3de9b18cf97de9e1090f20d957144be44bb774ba48d21d

        • C:\Users\Admin\AppData\Local\xxwuzsuqvqtuoesbhmffe.hac

          Filesize

          272B

          MD5

          72eb2d192442aa4f87d720f94a739bef

          SHA1

          b6e01dbf4f0cd73c5d7d2907a51297d179f31645

          SHA256

          e6528ebd23c36be58345c31b71f7d8f66db8b30437d448b822664ee26a032393

          SHA512

          c46a549bbef7a447b08d9a83595244c469faeb05266e8f9b96b210368c6d29c0f5e6d1243c198696f89e8a02915444dd174c7fd0974e82f33222618135b8766d

        • C:\Users\Admin\AppData\Local\xxwuzsuqvqtuoesbhmffe.hac

          Filesize

          272B

          MD5

          a64dc1cf41b9c06ea08707fd1170a94e

          SHA1

          87e8fb1d26b856740d39df1de2c17e4fe99ba900

          SHA256

          b867fed39402e3ba1114cdb4991fb087882635ea8ed49577b74c359b77be97c9

          SHA512

          708ef8f57fbd5ece43e0dd32ddff1ccdc7593804abfa3b7deebabd361003b82861133401eb713c575e5a14410aa3bcbc9c24514ca582b95a729248c798c50686

        • C:\Users\Admin\AppData\Local\xxwuzsuqvqtuoesbhmffe.hac

          Filesize

          272B

          MD5

          d59af82888de7665ca41a85b16bc2fb8

          SHA1

          c76261fee4f9081ab1e8b8e69b506458143a3ec0

          SHA256

          71f1ba6620a286e34c686296940935510838b54c25d9a0d81c233b55f38ed1d8

          SHA512

          b6314aba624ce3f3d68c30053d6d83e69a03b150cf43012bb7324914a16b79fa97d618ed4dfecc92df7cf65b7753c7ee3eb1758b26027f9eeaaa1ceb2fbae3a4

        • \Users\Admin\AppData\Local\Temp\gntykk.exe

          Filesize

          596KB

          MD5

          23da8c70234ad82083977a176f7b182b

          SHA1

          6ec55e256151e2b0e20bfafd3b9c5dfa8a30a831

          SHA256

          51ecf28c3dfe6429007902f96dc2abb319ff296ae39b492ef9e89f4dc2d32e04

          SHA512

          614340e77fa26cc9d89ee1aa622a28e50f7baa3fe8a1769760398f2c8f9d58c91d11376f9975e506ca0b55281d65d35fb7082edc51163a4f7385c31ac76568d3