Analysis

  • max time kernel
    41s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2025, 17:46

General

  • Target

    JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe

  • Size

    564KB

  • MD5

    8ef2d07270653f6f7e52dd62aaed819b

  • SHA1

    fd629389614f86b65d384255c03591171226a622

  • SHA256

    8c97f3444942fcd1aa8d2e9b343b6168d3743302b1c8625d22679fc18490fecc

  • SHA512

    b341b943f5727d244ec161f26dfa1d3899eb67a6c42148f1cbaeeb35f1720d72d721200a6aab7279192e5f0fa0ecd56cf089bba0f0a8a847b088cfdde28afa71

  • SSDEEP

    12288:cpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs0u:cpUNr6YkVRFkgbeqeo68FhqN

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

  • Pykspa family
  • UAC bypass 3 TTPs 14 IoCs
  • Detect Pykspa worm 2 IoCs
  • Adds policy Run key to start application 2 TTPs 21 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 11 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 10 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 39 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 41 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
      "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8ef2d07270653f6f7e52dd62aaed819b.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2844
      • C:\Users\Admin\AppData\Local\Temp\zjnsdgr.exe
        "C:\Users\Admin\AppData\Local\Temp\zjnsdgr.exe" "-C:\Users\Admin\AppData\Local\Temp\yresmyshsjrnysqm.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2820
      • C:\Users\Admin\AppData\Local\Temp\zjnsdgr.exe
        "C:\Users\Admin\AppData\Local\Temp\zjnsdgr.exe" "-C:\Users\Admin\AppData\Local\Temp\yresmyshsjrnysqm.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2364
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\bzrkjaztjfstjilmmgpnf.exe
      "C:\Windows\bzrkjaztjfstjilmmgpnf.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
        "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\windows\bzrkjaztjfstjilmmgpnf.exe*."
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2472
    • C:\Users\Admin\AppData\Local\Temp\bzrkjaztjfstjilmmgpnf.exe
      "C:\Users\Admin\AppData\Local\Temp\bzrkjaztjfstjilmmgpnf.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
        "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\users\admin\appdata\local\temp\bzrkjaztjfstjilmmgpnf.exe*."
        3⤵
        • Executes dropped EXE
        PID:1688
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\fzncxkfvhzifrmlie.exe
      "C:\Users\Admin\AppData\Local\Temp\fzncxkfvhzifrmlie.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
        "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\users\admin\appdata\local\temp\fzncxkfvhzifrmlie.exe*."
        3⤵
        • Executes dropped EXE
        PID:1588
    • C:\Windows\zvlczoldrlwvjghgewd.exe
      "C:\Windows\zvlczoldrlwvjghgewd.exe" .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
        "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\windows\zvlczoldrlwvjghgewd.exe*."
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\zjnsdgr.exe

    Filesize

    724KB

    MD5

    c935d943e0346657455efbd32e80d0c1

    SHA1

    910cb609a53d09fe929b93d639ad081efd55901a

    SHA256

    0ce16dc91295ce8bb14a70f1c88d098ac6781ff3788e7c9b2aedaeebac5d27d1

    SHA512

    50d9c2352b81f24510f03daa6ff46262684a2099c3dca07b16f9fa4d880150ffbf6d7f44ece86f08ad60127dfecb21cedd933ba36e3de2ca1ad5c81fe7029d3d

  • C:\Users\Admin\AppData\Local\dfbybwzxrrinhkrwaylnj.jeh

    Filesize

    280B

    MD5

    39cb287f5ad16bcaf1a6b6084d3ea0c0

    SHA1

    61e44f7164b35785323757e3e57544f5576444e2

    SHA256

    b5cc07cd8b03f4fdd2398c1431a41e226424b586c725e1fa898a6feb7c4cc8be

    SHA512

    ee2f1acb82862a5f79e4c17d5a9574ebc0d6d47ba1e24039fef5cb270653e0cd6c0fc6b49a70d757351d9e0294660b058b5301eb0fb77dd58c397c0ab100520d

  • C:\Users\Admin\AppData\Local\ylsaouirwhjzeskapywjqymsgpufhxcq.ynw

    Filesize

    4KB

    MD5

    f822f3e06c6aaf32c27cde2d41365dfc

    SHA1

    4f89335830c750356d265c627a26b6661beafc17

    SHA256

    c50551ef92d06a99d4ebf69d1c686617805bc6098cb83d102da62355faede881

    SHA512

    c6b0f13c8a03da3c6233a280fd217434c90ba11cacc8d2a0bd029717f8cf17b7cb0fa7362715844ff2456cd2675bf263d24c49bc3b6c4846d8cb7a68f8e82f07

  • C:\Windows\SysWOW64\ojyokyulyrbzmiigdu.exe

    Filesize

    564KB

    MD5

    8ef2d07270653f6f7e52dd62aaed819b

    SHA1

    fd629389614f86b65d384255c03591171226a622

    SHA256

    8c97f3444942fcd1aa8d2e9b343b6168d3743302b1c8625d22679fc18490fecc

    SHA512

    b341b943f5727d244ec161f26dfa1d3899eb67a6c42148f1cbaeeb35f1720d72d721200a6aab7279192e5f0fa0ecd56cf089bba0f0a8a847b088cfdde28afa71

  • \Users\Admin\AppData\Local\Temp\izfuneuesjp.exe

    Filesize

    320KB

    MD5

    dd09ce61c242ffa3c532e8fba0bb3316

    SHA1

    f79a5af6e635ebad9ca215b0f55c141e68fd7b3e

    SHA256

    7d05a7241f6897efc9efb0fcd943373ad0aad465db1c7731991b35546edf9def

    SHA512

    a7c17a855a1720bce9da5b0561676525b921c7eef8c2ec0b84cc8b1cc96f50f77fb086f3fc8c3b519a399dde0b9808146a4754cbe6065c2213dc2123df4f6a23

  • memory/2212-186-0x0000000004450000-0x0000000004451000-memory.dmp

    Filesize

    4KB