Analysis

  • max time kernel
    3s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2025, 18:18

General

  • Target

    JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe

  • Size

    1004KB

  • MD5

    90de3ac81eff9a54a44eb7aca77d1737

  • SHA1

    ac1c543397b0f5f542302adb4103781bd174df21

  • SHA256

    886a6b6fdd213f3b992336fccc96d5afdf409a859575e1a689c4cf506bbe074a

  • SHA512

    a557c9a5e5844223a45eb2bbfe27a189b7dfb44371fd82103f6c311ca312c2ddba84744e1fcfcac7ed0fed5e65e27088999134ae5cebac21645781a764f40eaa

  • SSDEEP

    6144:/8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU:knRy+ZyYpaCDJFuPyAHcqrU

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a DGA for its C2 domains, and is written in C++.

  • Pykspa family
  • UAC bypass 3 TTPs 2 IoCs
  • Detect Pykspa worm 2 IoCs
  • Adds policy Run key to start application 2 TTPs 3 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\cxtzfhhamhd.exe
      "C:\Users\Admin\AppData\Local\Temp\cxtzfhhamhd.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_90de3ac81eff9a54a44eb7aca77d1737.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\joudhm.exe
        "C:\Users\Admin\AppData\Local\Temp\joudhm.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_90de3ac81eff9a54a44eb7aca77d1737.exe"
        3⤵
        PID:2664
      • C:\Users\Admin\AppData\Local\Temp\joudhm.exe
        "C:\Users\Admin\AppData\Local\Temp\joudhm.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_90de3ac81eff9a54a44eb7aca77d1737.exe"
        3⤵
        PID:2660
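
The signatures and process tree above describe what the stages did, not how to check a host for them. The Python below is an added example, not part of the sandbox report and not Pykspa's own code: it maps the registry-based signatures (Winlogon, policy Run, DisableRegistryTools, Run, UAC policy) to the registry paths they imply, flags process launches from AppData\Local\Temp as in the tree above, and matches file hashes against the SHA256 values listed in the Downloads section below (where the SysWOW64 copy carries the submitted sample's own hash, i.e. the worm copies itself verbatim). The registry patterns are my assumption, since the report names the behaviour but not the value written; the Sysmon-style events are constructed, with invented value names and a benign entry to show a non-match.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# SHA256 values copied from the report's Downloads section. The SysWOW64 copy
# carries the submitted sample's own hash, i.e. Pykspa copies itself verbatim.
DROPPED_SHA256 = {
    "886a6b6fdd213f3b992336fccc96d5afdf409a859575e1a689c4cf506bbe074a": "lcupfwskeqvxanajqq.exe (self-copy)",
    "ab944a810b0456c5cfb3e7de65f3b8a096a7594b1d37f4050a3e8e2deb71935e": "csjdsidunycdfrdlr.exe",
    "040a8c3747a2e506394e22c479185644d45eae5844843e7ea05a77e24108b6f0": "pkgfzuuqoentarivgkvqml.exe",
    "6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62": "cxtzfhhamhd.exe",
    "b1ff3d025e73b01920ddadafcd5859404a418b2e13acaf0fa589d1dd0285ee09": "joudhm.exe",
}

# Registry paths that correspond to the report's signatures. These patterns are
# an assumption: the report names the behaviour, not the value that was written.
REGISTRY_SIGNATURES = [
    ("Modifies WinLogon for persistence",
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)),
    ("Adds policy Run key to start application",
     re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I)),
    ("Disables RegEdit via registry modification",
     re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I)),
    ("Adds Run key to start application",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    ("System policy modification (UAC)",
     re.compile(r"\\Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin)$", re.I)),
]


def classify_registry_write(target_object: str):
    """Return the report signature a registry write corresponds to, or None."""
    for name, pattern in REGISTRY_SIGNATURES:
        if pattern.search(target_object):
            return name
    return None


def is_temp_launch(image: str) -> bool:
    """True when the process image sits under a user's AppData\\Local\\Temp,
    the directory every stage in the report's process tree ran from."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "appdata" in parts and "temp" in parts


def lookup_sha256(hexdigest: str):
    """Name the dropped component with this SHA256, case-insensitively."""
    return DROPPED_SHA256.get(hexdigest.lower())


def match_dropped_file(data: bytes):
    """Hash file contents and report which dropped component they are, if any."""
    return lookup_sha256(hashlib.sha256(data).hexdigest())


def triage(events):
    """Reduce Sysmon-style events to (pid, signature, object) findings."""
    findings = []
    for ev in events:
        if ev["type"] == "RegistryValueSet":
            sig = classify_registry_write(ev["target"])
            if sig:
                findings.append((ev["pid"], sig, ev["target"]))
        elif ev["type"] == "ProcessCreate" and is_temp_launch(ev["image"]):
            findings.append((ev["pid"], "Executes dropped EXE", ev["image"]))
    return findings


# Constructed events modelled on the report's process tree (PID 3064 is the
# cxtzfhhamhd.exe stage). Value names and the benign last entry are invented.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 3064,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cxtzfhhamhd.exe"},
    {"type": "RegistryValueSet", "pid": 3064,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"type": "RegistryValueSet", "pid": 3064,
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"type": "RegistryValueSet", "pid": 3064,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcupdate"},
    {"type": "RegistryValueSet", "pid": 3064,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svcupdate"},
    {"type": "RegistryValueSet", "pid": 2396,
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for pid, sig, obj in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {sig} -> {obj}")
```

On a live host the same patterns apply to Sysmon Event ID 13 TargetObject fields, and `match_dropped_file` can be run over `C:\Windows`, `C:\Windows\SysWOW64` and the user's Temp directory; a hash hit on the self-copy is the quickest confirmation that this exact sample, not merely a Pykspa variant, was present.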

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Windows\SysWOW64\lcupfwskeqvxanajqq.exe

        Filesize

        1004KB

        MD5

        90de3ac81eff9a54a44eb7aca77d1737

        SHA1

        ac1c543397b0f5f542302adb4103781bd174df21

        SHA256

        886a6b6fdd213f3b992336fccc96d5afdf409a859575e1a689c4cf506bbe074a

        SHA512

        a557c9a5e5844223a45eb2bbfe27a189b7dfb44371fd82103f6c311ca312c2ddba84744e1fcfcac7ed0fed5e65e27088999134ae5cebac21645781a764f40eaa

      • C:\Windows\csjdsidunycdfrdlr.exe

        Filesize

        505KB

        MD5

        ab3ff6e132618dab7fde1198f8aeb4db

        SHA1

        11ea1c10c020de6b22d73336bf4855cf6ce96301

        SHA256

        ab944a810b0456c5cfb3e7de65f3b8a096a7594b1d37f4050a3e8e2deb71935e

        SHA512

        cf2e63582eacb58b151cddf2a68d2ecc340f6fff318951d42ecc81f53b3ff1caf45e64d5e193943882588d448e93fda390ecf9ada433e67c4f27b2ec1305345c

      • C:\Windows\pkgfzuuqoentarivgkvqml.exe

        Filesize

        960KB

        MD5

        18983cd4e15c7d2dbae1a17cb580c366

        SHA1

        a740a1e005b03ee8bab02d67bc5833d67bfc6376

        SHA256

        040a8c3747a2e506394e22c479185644d45eae5844843e7ea05a77e24108b6f0

        SHA512

        54046ba52560eeef6305025bf2c73ef659a1ff1bbcb0d560168c2fabc6239b4897c280da2fc19fe08021193984b53f22f578fd6a5d8ae9c032285a3089525c40

      • \Users\Admin\AppData\Local\Temp\cxtzfhhamhd.exe

        Filesize

        308KB

        MD5

        85cb856b920e7b0b7b75115336fc2af2

        SHA1

        1d1a207efec2f5187583b652c35aef74ee4c473f

        SHA256

        6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

        SHA512

        120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

      • \Users\Admin\AppData\Local\Temp\joudhm.exe

        Filesize

        680KB

        MD5

        e3aec1e0637478b10408791393dba6cc

        SHA1

        ac361de3c5b2af3b76572a8eba79394933104bd4

        SHA256

        b1ff3d025e73b01920ddadafcd5859404a418b2e13acaf0fa589d1dd0285ee09

        SHA512

        89085401f5a9a1141047bc810c872c665fd038906e2b35890bf65be603c72ded4ec44121e735d536931c6013170648b4a19cd35ba3edc1592ec541ba92d7058f