Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • submitted
    31/10/2024, 02:26

General

  • Target

    8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe

  • Size

    284KB

  • MD5

    8134e598125e14e6bd192b3bf1a5fa85

  • SHA1

    e6d8f38208f789e5880085c43db65ddb0422df67

  • SHA256

    e13b8ea286f1d029c16412c194919057eb73732b06b0236516fa3971f493974d

  • SHA512

    354dc28b7ebd1be9c1573937c19cce482872908237d90d53c0feac4db3b4d4b8f066bcd3a43088ccdb62b2da8c305ec0912bb8aaf373fdc6d07f3f18293c8ad8

  • SSDEEP

    6144:lIfYOMlH5bmfynhMTMYX5evvwo86JQPDHDdx/Qtq8:ToWhMwYX5e3hPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a domain generation algorithm (DGA) for its C2, and is written in C++.

  • Pykspa family
  • UAC bypass 3 TTPs 12 IoCs
  • Detect Pykspa worm 1 IoCs
  • Adds policy Run key to start application 2 TTPs 27 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 36 IoCs
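
The registry locations behind these signature names, as an added triage example that is not part of the sandbox report: a PowerShell script that reads the Winlogon, Run, policy Run, RegEdit-policy, UAC and SafeBoot locations on a host and flags values that deviate from Windows 10 defaults. The key names, value names and default values are the standard Windows locations these signature names normally refer to; the report itself does not list the values the sample wrote, so treat every hit as something to review against a clean host, not as a confirmed IoC.

```powershell
# Added example (not from the report): enumerate the registry locations that
# "Modifies WinLogon for persistence", "Adds Run key", "Adds policy Run key",
# "Disables RegEdit", "Checks whether UAC is enabled" / "UAC bypass" and
# "Impair Defenses: Safe Mode Boot" usually refer to. Key/value names and the
# Expected defaults are assumptions based on the signature names.

$checks = @(
    # Winlogon persistence: Shell or Userinit replaced or appended to.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Names = 'Shell', 'Userinit'
       Expected = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' } },
    # Run keys and policy Run keys: any entry is worth a look (Names = $null lists all values).
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Names = $null },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Names = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Names = $null },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Names = $null },
    # RegEdit disabled via policy: DisableRegistryTools is absent (0) on a clean host.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegistryTools'
       Expected = @{ DisableRegistryTools = 0 } },
    # UAC: EnableLUA=1 and ConsentPromptBehaviorAdmin=5 (prompt for consent for
    # non-Windows binaries) are the Windows 10 defaults; 0 means no prompt.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'EnableLUA', 'ConsentPromptBehaviorAdmin'
       Expected = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5 } }
)

function Get-RegistryFindings {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        if (-not (Test-Path -LiteralPath $c.Path)) { continue }
        $key   = Get-Item -LiteralPath $c.Path
        $names = if ($c.Names) { $c.Names } else { $key.GetValueNames() }
        foreach ($n in $names) {
            $value    = $key.GetValue($n)
            $expected = if ($c.Expected) { $c.Expected[$n] } else { $null }
            $status = if ($null -ne $expected -and $null -ne $value -and "$value" -ne "$expected") { 'CHANGED' }
                      elseif ($null -eq $expected -and $null -ne $value) { 'REVIEW' }
                      else { 'ok' }
            [pscustomobject]@{ Path = $c.Path; Name = $n; Value = $value; Status = $status }
        }
    }
}

# Safe Mode Boot impairment has no single default: list the SafeBoot subkeys so
# they can be diffed against a clean host of the same build.
function Get-SafeBootEntries {
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
                               'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network' -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'SafeBootKey'; e = { $_.PSParentPath -replace '^.*\\' } }, PSChildName
}

Get-RegistryFindings -Checks $checks | Where-Object Status -ne 'ok' | Format-Table -AutoSize
Get-SafeBootEntries | Format-Table -AutoSize
```

Reading HKLM does not require elevation, so this runs as the logged-on user. Run keys are checked for HKCU of the current user only; on a shared host, load each profile's NTUSER.DAT (or query HKU:\<SID>) to cover the other users.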

Processes

  • C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2800
    • C:\Users\Admin\AppData\Local\Temp\edkts.exe
      "C:\Users\Admin\AppData\Local\Temp\edkts.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:1284
    • C:\Users\Admin\AppData\Local\Temp\edkts.exe
      "C:\Users\Admin\AppData\Local\Temp\edkts.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:4988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1720

Network

MITRE ATT&CK Enterprise v16

Downloads

          • C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda

            Filesize

            272B

            MD5

            28ae0d37ef6f445447a2f0b593086a7b

            SHA1

            2e8e747ec765b6032e0f0c77402d898f2ebe3dc4

            SHA256

            42aedf2680a724681de7d605a8480f1e2b32f1002625ccd2f54a2efb69638249

            SHA512

            2dff23be05f6aaa8f18984ae9b47ba587f8506ef368c89802205e3c45ec2c6fd1019e86686c13d283392e7530b97c2dbb0aa3295a4b88b6cbcc8602f10fea44d

          • C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda

            Filesize

            272B

            MD5

            b3a7136ba28b4549925db353b2dc875f

            SHA1

            961ce8cc0adfdfc93125383b90f026d9a3c2fee0

            SHA256

            97a338dedc4f622a5f0cb3733320cc8f478a805a5964448727864678b9543ec7

            SHA512

            2ee8b37b4b51d71154c55102c2daedd87253cc62e5bc1cbd89b741b140cbc0bf8003d8ab6057ee58d6fef3750ecb6b93a565297e61051d4fd87988dbde6f9e62

          • C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda

            Filesize

            272B

            MD5

            9cbab60847526b36b3a5434056207392

            SHA1

            7ed9cc5e65e867f317369817887377a0f183dd25

            SHA256

            06343f6e79c92fa841387c172b5857e596476d302ac2bed7556a2fa3bd02552b

            SHA512

            0e8814a2ef435bb5700d3132eccf837843fba25a11bab6366c0930857dce4f937656c580b56e774f125c5113fcddcd2cd966b182f2c27a3c1b1e62d00fe27546

          • C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda

            Filesize

            272B

            MD5

            417b61f8ec53265751c09f28d4831da6

            SHA1

            710d83c09b490eb54d4a8af8521d0feb898f13ea

            SHA256

            fb562cad74df0b40fd96eb7a574b98f70e7f8bb826e1200c86dd406d63ffa084

            SHA512

            2c655b8c69bdfac1681e8d44c51cfb7739a242be6c0d4a9b1484202f9df3cafedcbb70cc3b649c62ea8b9eb511cdf2528125e1ac3f31972d655ff1abfb355c07

          • C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda

            Filesize

            272B

            MD5

            ede15df8e32ac3d9d648c215c0551dc2

            SHA1

            82f3b51dbd202ddc515d62742ff24bd6585ad360

            SHA256

            79bff2fc93df0100c0ff8ff5ed5a17ddb72d58ecbac8d9d41b9ffd428b7c6fba

            SHA512

            fbeb60ec43bd76c374e64183cf3e050f0965d7592b85bc5697ad72abb4fa20e4c9554f94b8233479293684b3b63b849f8cba1b401c9ea1ff654e82e52248e491

          • C:\Users\Admin\AppData\Local\Temp\edkts.exe

            Filesize

            604KB

            MD5

            f196c33bc700545ced4f24c4dd321fc9

            SHA1

            c8e46a70920d93e6fd24aec624610828fd4a1ef3

            SHA256

            c095994da53e13dcffb50fd33a6a6de4a6dc7c3b5c5213c77344da8446c69f01

            SHA512

            2952019338d8ba004101e3822bba235835cdab1d3d5db78c5c47d86087a500a21178a22d488042e463dd4fd0201f238c3db545268bdfa1daa107d9b77c83d274

          • C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda

            Filesize

            272B

            MD5

            b926bbc95b52747d2768e466b8eaa9f2

            SHA1

            2e10a49dd17ff285a6d88eb29671535449ac2826

            SHA256

            38eeeb834fe4d4470440d7c4871c5af91d68a9f6c391f83a3d90119d0821c48e

            SHA512

            24484ed7c60cf80f57c0a1ebb01702210ac2262e0466d01e178070df7c6cb6928f5299f2608f333ecd594e1bdfdec6cba8de340699bf1ece79a26745da089998

          • C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda

            Filesize

            272B

            MD5

            79cfa24a7b1f0b182deed9c7ade2fb76

            SHA1

            5cc271e703d245116b6814db44244e6730dd98ab

            SHA256

            e4f999a8fe21085ec68762812cbbb94107adbd84d887ad1f2e9ca32b69b2bf86

            SHA512

            8bf63a9b84016acaea800ffa789bc23624eb9a2332a71b67b08f204c81693a11a6c0e4cde27b59ced03ade19aa6e2d0f5ae770c0e75319fb96a353934cdb7dc6

          • C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda

            Filesize

            272B

            MD5

            6f3f2406a2f139059ea9e840f0348804

            SHA1

            a5eba04f60365f00c1e21585c80900f5dbc567ca

            SHA256

            260e320b38132150343efb19b6c93a910190b4bdaeaeec4129857b840f44f5f4

            SHA512

            4ac5826d45bd403c71a45032f8de19351e1a3af4fe34e1c8fb6fef32dbe464c75219919194d2712ab11118ebf8eabb9a07a635087f2770bb1f53fff482eb82c7

          • C:\Users\Admin\AppData\Local\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs

            Filesize

            3KB

            MD5

            9f289e2923206c04b8cfe855492c5986

            SHA1

            75d22b34af6a17983563291514565aa8f4068359

            SHA256

            1b8a16abf586d253f66d51e65c891859fe8d6ae796df7f1b5658d5b330d31a98

            SHA512

            dc6cefb509eab43f5bcffddb45991692db3f99acd96aedc99bb772b9a4d012d0a9b8b0f77e5d78ac82c67f01f81a7bdcf3168a074c4804b2d558f4af0079ac45
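
Checking a host for the dropped files above, as an added example that is not part of the report: the paths and SHA-256 values are copied from the Downloads list; the loop that maps the sandbox's C:\Users\Admin profile onto every local profile and the status logic are this example's own. Note that the same vtzhfmtuyzjgnvhsnzpntbzgno.tda path was captured five times with five different hashes within a 150 s run, so that file is rewritten continuously and only its path is a usable indicator; edkts.exe and the .qjs file were captured once each and can be matched on hash.

```powershell
# Added example (not from the report): look for the files the sandbox recorded.
# Paths and SHA-256 values come from the Downloads list; 'C:\Users\Admin' is the
# sandbox user and is rewritten to each profile present on this host.

$droppedFiles = @(
    @{ Path   = 'C:\Users\Admin\AppData\Local\Temp\edkts.exe'
       Sha256 = 'c095994da53e13dcffb50fd33a6a6de4a6dc7c3b5c5213c77344da8446c69f01' },
    # .tda captured five times with five different hashes: match on path only.
    @{ Path = 'C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda';   Sha256 = $null },
    @{ Path = 'C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda'; Sha256 = $null },
    @{ Path   = 'C:\Users\Admin\AppData\Local\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs'
       Sha256 = '1b8a16abf586d253f66d51e65c891859fe8d6ae796df7f1b5658d5b330d31a98' }
)

function Test-DroppedFiles {
    param([hashtable[]]$Files)
    $profiles = Get-ChildItem -LiteralPath 'C:\Users' -Directory
    foreach ($f in $Files) {
        # Expand the sandbox profile path to every profile on this host;
        # Program Files paths are used as-is.
        $candidates = if ($f.Path.StartsWith('C:\Users\Admin\')) {
            $profiles | ForEach-Object { $f.Path.Replace('C:\Users\Admin', $_.FullName) }
        } else { @($f.Path) }

        foreach ($p in $candidates) {
            if (-not (Test-Path -LiteralPath $p)) { continue }
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $status = if (-not $f.Sha256)        { 'PRESENT (path match only)' }
                      elseif ($hash -eq $f.Sha256) { 'PRESENT, hash matches report' }
                      else                         { 'PRESENT, hash differs from report' }
            [pscustomobject]@{ Path = $p; Sha256 = $hash; Status = $status }
        }
    }
}

Test-DroppedFiles -Files $droppedFiles | Format-Table -AutoSize
```

A "hash differs" result for edkts.exe is still a finding: the dropper writes a randomly named copy of itself, so a different build of the same family would land at a similar path with a different hash. Absence of all four paths only says this particular run's names were not used; the names are generated, so pair this check with the registry review rather than relying on it alone.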