Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/03/2025, 02:42

General

  • Target

    JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe

  • Size

    556KB

  • MD5

    8970327ee75efc6d291e9fa94473fa4e

  • SHA1

    dce4a0d459b277c8ecf8edd903910ea4bac15769

  • SHA256

    439ce0019a7fb62b9832175f3504fad7aaa7c9d1b3cc765da31316dbfcb45168

  • SHA512

    6d29535c57788756521fc0a65d7b354e6e18968454f7b8f7171813207b3dba743f67d53f33f98c790986951126e8e13174664ab9bd67bdcdf2104b399e25eb1f

  • SSDEEP

    6144:Sj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionr:A6onxOp8FySpE5zvIdtU+Ymef

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a domain generation algorithm (DGA), and is written in C++.

  • Pykspa family
  • UAC bypass 3 TTPs 13 IoCs
  • Detect Pykspa worm 2 IoCs
  • Adds policy Run key to start application 2 TTPs 27 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe
      "C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8970327ee75efc6d291e9fa94473fa4e.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2728
      • C:\Users\Admin\AppData\Local\Temp\bhloclq.exe
        "C:\Users\Admin\AppData\Local\Temp\bhloclq.exe" "-C:\Users\Admin\AppData\Local\Temp\apcoldrgyxsmacaw.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2420
      • C:\Users\Admin\AppData\Local\Temp\bhloclq.exe
        "C:\Users\Admin\AppData\Local\Temp\bhloclq.exe" "-C:\Users\Admin\AppData\Local\Temp\apcoldrgyxsmacaw.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2668
    • C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe
      "C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8970327ee75efc6d291e9fa94473fa4e.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\ijigpttuyjqwwkuchqrqoxbb.gry

    Filesize

    272B

    MD5

    e0162f4e4d958a239153e19a1dc2df1a

    SHA1

    0c74dd455d094361c185d5c6dc0112bc9f787890

    SHA256

    388fb458a3793224eaa54e9a41010d541ddf023990218325aecea3564376071d

    SHA512

    302453af961b7bfc30f53e77c5d23f57f65b5a7dc985865c1d8893a5bb442696d50370387b0d2bee2e3257483ec9ef40f7d0343700f61154da3bc86882876898

  • C:\Program Files (x86)\ijigpttuyjqwwkuchqrqoxbb.gry

    Filesize

    272B

    MD5

    52c8368476e3a01ff68eb58253950302

    SHA1

    2e515078f7ff0ee81baee6faee4c07754c853939

    SHA256

    c0af774bfb5672ea1b1e8a7c247208a4475c3a9005865c14a97ec70464aca86b

    SHA512

    0a45771b3ffb8293e3124675c2a9287b61973047a2184d6fb4a83b27c373c8b2305798feafef09ee97f8f0d254a38836c689fe054f9f9d14254a0c6e3fa113a8

  • C:\Users\Admin\AppData\Local\ijigpttuyjqwwkuchqrqoxbb.gry

    Filesize

    272B

    MD5

    118cbb9571ac41b0d33531353a7021c2

    SHA1

    f44b5cff4c1b1c1b0ebce694c2beefb3c280b6f8

    SHA256

    d61471788a8dc8a8fc73b36ba8fec80b0092c0bd40b14164151c01669528b3f8

    SHA512

    fd9bec9ec9e02747f11ceede0bb8e8f263c1f199efbd07608e9bfdbeafa402d09a0363e8d64a7d169521c5c69eea15a305fa69271bb695243b5e0a505507b03d

  • C:\Users\Admin\AppData\Local\ijigpttuyjqwwkuchqrqoxbb.gry

    Filesize

    272B

    MD5

    ec307b7caff6186401d4b19be2569d3b

    SHA1

    2362fff0712df3c22ad04b1214496b2b44ce4b88

    SHA256

    5cf63fb52060e8e97a020b950ead8dfece1379a8b9a94441bbb99731074a9230

    SHA512

    5728ba19d73991e0d78d54eae61aa3fed16edd47807944ff9e2d2ab07f63bd5e6475103dda8d0951e21fc8764f53cca402b4ea0b3b55f352bf5e3dede552ab1c

  • C:\Users\Admin\AppData\Local\ijigpttuyjqwwkuchqrqoxbb.gry

    Filesize

    272B

    MD5

    1221272214d39e7630f3034580b1c47c

    SHA1

    180a8259c31f6ed0240202f64516f10a0a2dd91d

    SHA256

    d931c0485341a5d4612d7dda3228308d4597db765e2140d7cdae8b15d88f96af

    SHA512

    604a72679a159719ffa3333eac17f57d4c814da677c7dc443f828a33017bfdb8642986c3909564ca4aa5f163b0d081044b04ae4bae1b207384216d38fafef0f1

  • C:\Users\Admin\AppData\Local\ijigpttuyjqwwkuchqrqoxbb.gry

    Filesize

    272B

    MD5

    f91356cef41513515951b4996ffc0c09

    SHA1

    c6f4b9c5df6d98062b9cb5dcf2a234c7cbefd62b

    SHA256

    13d17cdf154081e340645dccffb191cecde6ef81ef0ae6703f732312a4090b37

    SHA512

    c3c79126a4d861514cdb12e3f824bb543bcaf45110ad26d6dcbce0c4c88433d05317539b9e95cf7e440ba47973f34785523eddfea2d57efc4d40fa284e3ac733

  • C:\Users\Admin\AppData\Local\ijigpttuyjqwwkuchqrqoxbb.gry

    Filesize

    272B

    MD5

    9664c61e5a95f5fec48b33e543ee00c5

    SHA1

    ff1b4865324dc815be3514785af36d5921fb199e

    SHA256

    ca9bb87f0aefc6bcf3c55bab4a55ebc0052eb4cb475471bf147aa4d20c5a1ace

    SHA512

    ef77da2652806ad994cf8e511935fa1af32458699e3f3bf2f00848968dc2b4e9353a01bf620e55de3d2f528b94cbc517c2fed44d6c47bc3b44c92c903b7acdab

  • C:\Users\Admin\AppData\Local\rdnwqfqcrnfwhgbukeqajdsdpeasjutohxr.nwq

    Filesize

    3KB

    MD5

    52d5976b2bc3eaa5415eb1915425fafc

    SHA1

    0e92487c9807f93111a0ea87a3915428e5a5c9a7

    SHA256

    747f8cad85a4b35891739ee3d6740a1dc9dde85b2d9646f2218d922d19691930

    SHA512

    7fd6524d739df70719ee8bd9001169465b59c9d141bf1d46c8deaed2515ccab0398bbb6647a907faf5280238abadaebdf8b8aa4b7d7d1a2583215c1662eceabc

  • C:\Windows\SysWOW64\qhwkjdtkefcyossqlk.exe

    Filesize

    556KB

    MD5

    8970327ee75efc6d291e9fa94473fa4e

    SHA1

    dce4a0d459b277c8ecf8edd903910ea4bac15769

    SHA256

    439ce0019a7fb62b9832175f3504fad7aaa7c9d1b3cc765da31316dbfcb45168

    SHA512

    6d29535c57788756521fc0a65d7b354e6e18968454f7b8f7171813207b3dba743f67d53f33f98c790986951126e8e13174664ab9bd67bdcdf2104b399e25eb1f

  • C:\vfnumzisfzp.bat

    Filesize

    556KB

    MD5

    a6ed097f83d63d7b5b640dc2160b2a4d

    SHA1

    38c9b406522f13d25662f4bd49169e5c53298aca

    SHA256

    d66e2a70366f869711df4dbe9f56401a90cfe6911abe14202ba5eeb821d95a31

    SHA512

    61b645b71e7b341d984aae0c3bb9347b8a7ea224bfa35af945dbb751c0939702040136300ddca8e6f6727c274df875303fa0efd446df9971ef3e7715731a4d38

  • \Users\Admin\AppData\Local\Temp\bhloclq.exe

    Filesize

    708KB

    MD5

    52628c3450f8fd3ccf0d6815f476eb10

    SHA1

    c3bdfe9c6bf7de7c4ea49ad1438be365d69244cd

    SHA256

    556d7a94ef847ac8d85404630f57e99e21425c5a47a48798bf86d97e5977dc46

    SHA512

    5d607b523ad8f23d32d5b66b368324d2c86bfb8526f475c004589036835a9b1d03375e2cc0c2643ccecd7e51293a778339eef7b4b7b9842f5a665c4290324c2b

  • \Users\Admin\AppData\Local\Temp\eujspiznoet.exe

    Filesize

    320KB

    MD5

    5203b6ea0901877fbf2d8d6f6d8d338e

    SHA1

    c803e92561921b38abe13239c1fd85605b570936

    SHA256

    0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

    SHA512

    d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471