Analysis

  • max time kernel
    49s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2025, 01:26

General

  • Target

    JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe

  • Size

    512KB

  • MD5

    8a37689689c2c8072ce71dc9eaee9278

  • SHA1

    9f4b5397777e2740b9c42f5df71eeb143854dd0a

  • SHA256

    a8b7dd0803b23353719c57aa2a57b6124e5aceb16da43b803b146f4e28a1f921

  • SHA512

    d30f59e78c4134770d16ebb8e56d280e21dd221fa43b4a9b604e438b0f3a67d2ec86dae029509b94e5e5b64d92c64f71df6b66643e034384df5b5f8158930191

  • SSDEEP

    12288:gQMiG+2gef5x/xQTB2OfDKC7WgcURfMMMMM2MMMMM:gQ0+29VgfDnKwRfMMMMM2MMMMM

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a domain generation algorithm (DGA), and is written in C++.

  • Pykspa family
  • UAC bypass 3 TTPs 15 IoCs
  • Detect Pykspa worm 2 IoCs
  • Adds policy Run key to start application 2 TTPs 25 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 15 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 12 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
      "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8a37689689c2c8072ce71dc9eaee9278.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2832
      • C:\Users\Admin\AppData\Local\Temp\cfglr.exe
        "C:\Users\Admin\AppData\Local\Temp\cfglr.exe" "-C:\Users\Admin\AppData\Local\Temp\znzpgxsasigoqwef.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2436
      • C:\Users\Admin\AppData\Local\Temp\cfglr.exe
        "C:\Users\Admin\AppData\Local\Temp\cfglr.exe" "-C:\Users\Admin\AppData\Local\Temp\znzpgxsasigoqwef.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2524
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\argztnlwrklwbkvzzhe.exe
      "C:\Windows\argztnlwrklwbkvzzhe.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
        "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\argztnlwrklwbkvzzhe.exe*."
        3⤵
        • Executes dropped EXE
        PID:1044
    • C:\Users\Admin\AppData\Local\Temp\cvmhdzzmjehubmzfhrqja.exe
      "C:\Users\Admin\AppData\Local\Temp\cvmhdzzmjehubmzfhrqja.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
        "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\cvmhdzzmjehubmzfhrqja.exe*."
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2020
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\argztnlwrklwbkvzzhe.exe
      "C:\Windows\argztnlwrklwbkvzzhe.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
        "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\argztnlwrklwbkvzzhe.exe*."
        3⤵
        • Executes dropped EXE
        PID:2812
    • C:\Users\Admin\AppData\Local\Temp\znzpgxsasigoqwef.exe
      "C:\Users\Admin\AppData\Local\Temp\znzpgxsasigoqwef.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
        "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\znzpgxsasigoqwef.exe*."
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2892
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\znzpgxsasigoqwef.exe
      "C:\Windows\znzpgxsasigoqwef.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
        "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\znzpgxsasigoqwef.exe*."
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2740
    • C:\Users\Admin\AppData\Local\Temp\gvizrjfohyxgjqzbz.exe
      "C:\Users\Admin\AppData\Local\Temp\gvizrjfohyxgjqzbz.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
        "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\gvizrjfohyxgjqzbz.exe*."
        3⤵
        • Executes dropped EXE
        PID:380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\ebwvvvzqrqxozofpvjmje.ddh

    Filesize

    260B

    MD5

    5c9a569a7acea7d9181f8f06246fcaac

    SHA1

    05a93ec6a16cad87e1d71dd4363adb0a8a5d9f10

    SHA256

    2263dc35691e1ce62a3491b403c78da4e89d1e8d4a74669464acb8c8d43918b3

    SHA512

    35d19d00da6b6cc883ef0152307db1f6cfe6a2ec1c5d21df6d9c3a4dd763866b853aa40267c1100f53dde296c3968b313a6bb5aa0435f9b97a05b4fcb9528be4

  • C:\Users\Admin\AppData\Local\zhnxitikwgyawwytkjxflvgrgiuewyuu.rih

    Filesize

    3KB

    MD5

    61c6d95154edff60e7f1d4761b20ccc2

    SHA1

    25bbdce1332500d4f5adf2dd648b458936f0d017

    SHA256

    72dc35bdd6bb33014874bf29b62be78f9af46d32f8c6d0ea2688e8b32c236a0c

    SHA512

    3cac63b8f79a0b5daa8b5aa93b3258350d119a36b1c78ebbb4db6ef1afa173ea7e99d9cf0dc717f945c50cc3b98981b5cf10f910b67ca662c56e53d2a38d427a

  • C:\Windows\SysWOW64\pftlexueyqqaemwzyf.exe

    Filesize

    512KB

    MD5

    8a37689689c2c8072ce71dc9eaee9278

    SHA1

    9f4b5397777e2740b9c42f5df71eeb143854dd0a

    SHA256

    a8b7dd0803b23353719c57aa2a57b6124e5aceb16da43b803b146f4e28a1f921

    SHA512

    d30f59e78c4134770d16ebb8e56d280e21dd221fa43b4a9b604e438b0f3a67d2ec86dae029509b94e5e5b64d92c64f71df6b66643e034384df5b5f8158930191

  • \Users\Admin\AppData\Local\Temp\cfglr.exe

    Filesize

    700KB

    MD5

    a240c9f0bf01eb4603b0893687f49a4a

    SHA1

    bebea068de0baf9a422a47544d564f2ee75e95ba

    SHA256

    f457bdbdec587cbc91af9138adf8c0ce67eabb9f8bad7861c500ae63a8a8d1ed

    SHA512

    79934fbbdca9d7da013d340c8d1bf8ec9c04671d3d109c3ed56ccae7e29eb14349a2084e9436a30f6209baa61a78697f0e2febff0f13ac58d886fe86d1faf6f8

  • \Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe

    Filesize

    320KB

    MD5

    304415df6ad55a90301aa8158e5e3582

    SHA1

    cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

    SHA256

    34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

    SHA512

    4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

  • memory/2264-188-0x0000000004490000-0x0000000004491000-memory.dmp

    Filesize

    4KB