Overview

overview

10

Static

static

3

JaffaCakes...5c.exe

windows7-x64

10

JaffaCakes...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    3s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_90c1d920f8f1539dd7b4c70bd3a8cc5c.exe

  • Size

    560KB

  • MD5

    90c1d920f8f1539dd7b4c70bd3a8cc5c

  • SHA1

    a978fc09bab91af1cafa95e6471e657074d25923

  • SHA256

    717c2978702de3a7f235ab5c1de7bcb7a2519ec1bdf366a9e13c46f12485fd5d

  • SHA512

    f60acf5520ac1212404b24d7c959e71b655d73b885769d0634181340ce536b948669768558acc683843e494d05c1a0deead356816d3c50cb3ab17942d4c527f2

  • SSDEEP

    12288:IpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsYn0uPTF:IpUNr6YkVRFkgbeqeo68Fhqd1bF

Score
10/10
pykspadefense_evasiondiscoverypersistencetrojanworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Pykspa

    Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    wormpykspa
  • Pykspa family
    pykspa
  • UAC bypass 3 TTPs 3 IoCs
    defense_evasiontrojan
  • Detect Pykspa worm 2 IoCs
    worm
  • Adds policy Run key to start application 2 TTPs 3 IoCs
    persistence
  • Disables RegEdit via registry modification 2 IoCs
    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 5 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90c1d920f8f1539dd7b4c70bd3a8cc5c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90c1d920f8f1539dd7b4c70bd3a8cc5c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\xencqtkmhox.exe
      "C:\Users\Admin\AppData\Local\Temp\xencqtkmhox.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_90c1d920f8f1539dd7b4c70bd3a8cc5c.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:2892
      • C:\Users\Admin\AppData\Local\Temp\yhqpahm.exe
        "C:\Users\Admin\AppData\Local\Temp\yhqpahm.exe" "-C:\Users\Admin\AppData\Local\Temp\xphpjzngyqcqkdlh.exe"
        3⤵
          PID:2596
        • C:\Users\Admin\AppData\Local\Temp\yhqpahm.exe
          "C:\Users\Admin\AppData\Local\Temp\yhqpahm.exe" "-C:\Users\Admin\AppData\Local\Temp\xphpjzngyqcqkdlh.exe"
          3⤵
            PID:2608

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\lhdpnhzwsoewurddonjf.exe
        Filesize

        192KB

        MD5

        3cbcc6f62add47a0138d2b7916640b3e

        SHA1

        da6a0f9cabd7faad83c3591e6d3075b334ae67cf

        SHA256

        48293d1d93e1d7b59478ef16f91c3d9f2f1d5b3a14341e9e12a1368a99f6db9d

        SHA512

        853783c6e34e4156e21ee2b142d542172904497fc67b553b0c016eaef37819d55208eeaea053944001e8dd29f6a410f0f07b0ffb6d0554853e90858c9f1bc8ab

        Download Submit

      • C:\Windows\SysWOW64\nhblhzpkeymcytdbkh.exe
        Filesize

        560KB

        MD5

        90c1d920f8f1539dd7b4c70bd3a8cc5c

        SHA1

        a978fc09bab91af1cafa95e6471e657074d25923

        SHA256

        717c2978702de3a7f235ab5c1de7bcb7a2519ec1bdf366a9e13c46f12485fd5d

        SHA512

        f60acf5520ac1212404b24d7c959e71b655d73b885769d0634181340ce536b948669768558acc683843e494d05c1a0deead356816d3c50cb3ab17942d4c527f2

        Download Submit

      • C:\Windows\SysWOW64\xphpjzngyqcqkdlh.exe
        Filesize

        320KB

        MD5

        508ffb2a65a1387b544e792ffd0fc634

        SHA1

        1f555a2cba0db9fb07388379d823f724c2e61f51

        SHA256

        ccf17fd8da207b8c4a325af75a0a50498dcf46a7091ea2b6535485c63aeee750

        SHA512

        6f85e3c042d3b0052da54d70a78c721e3b4916cc5ec16ea5b4f1c992fa6b659c68f8ee06b52ba0a1fba5c26ce69c06139e512c8b779a0b33b3d3176feb056136

        Download Submit

      • C:\Windows\rpnbbxrqomeyyxlnabzxll.exe
        Filesize

        2KB

        MD5

        e9a22c337aabf0ef498426184dab5cd5

        SHA1

        6f81f3fe8d17b08edc644c73483fa7b7409475c7

        SHA256

        03b7f151ec9da2f0ac97b4b6b899e3e254632636963602477b07e3606349b55b

        SHA512

        947b88bb79e94e2c9410d2ea95bc67b23ff4533e8e06f80f578de7987988d64b904fcc28d45c1d8a723e07289d2e185b48868f3b13779785e6fe816c475ae2d5

        Download Submit

      • \Users\Admin\AppData\Local\Temp\xencqtkmhox.exe
        Filesize

        320KB

        MD5

        bee6f96c2a3f6641cc8add78c75135c4

        SHA1

        8f1dd1acb6ded2f18a481bd5846316cb4ff7b053

        SHA256

        4b427fa62db59e5b63cbbba5636a9f36506288c64794913e08d6b577485e1f6c

        SHA512

        ea4f7bb3df6becd70c6b8d7a074e8c55ef28a1f6b769b326f42a0e2d4a6c4a47f0ed8e4977af7fe6170e8b5ddf5083889b2f069210c2f4d4d9362791cde0d1e9

        Download Submit

      • \Users\Admin\AppData\Local\Temp\yhqpahm.exe
        Filesize

        724KB

        MD5

        46605429f0df74779a008f44c5ea50b3

        SHA1

        65177624bb80c106064fb65791f23e1156f708f2

        SHA256

        20b014d68cced52177f9c9b66faaa59c6e7e56ddf55a1e0e9c41f8990a58510e

        SHA512

        a6f518998fa9e265f4057e6690488c435ea5e5656f0b9fbded5b0c16a106d11ee7ea3b665b0fcf3ae17cd3e45fbe47aad2b82bddfa8f5cda919471c37ee8dcde

        Download Submit