Analysis

  • max time kernel
    8s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2025, 19:30

General

  • Target

    JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe

  • Size

    644KB

  • MD5

    94de1d6ae38c18d132f69a221ea2407d

  • SHA1

    a048b4b46308cbf27d3f412e2139bb290f284b43

  • SHA256

    2ba78cfc0247a07c1fb24e7ffebe1814bd0fe2e486785e978e229e4dd731432b

  • SHA512

    f87690592313d7b18eca8be7ab19a8f0572764e5f118f095aa40c7dec4e9baf68121bb48beb4bac33086e2e494381c6a9ae5aff1334ef748e3b5b4d301c41056

  • SSDEEP

    12288:t6onxOp8FySpE5zvIdtU+YmefT9/mqOplf2AQNWxgqFjj:Twp8DozAdO98fplf2MJ

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

  • Pykspa family
  • UAC bypass 3 TTPs 4 IoCs
  • Detect Pykspa worm 2 IoCs
  • Adds policy Run key to start application 2 TTPs 3 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
      "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_94de1d6ae38c18d132f69a221ea2407d.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2104
      • C:\Users\Admin\AppData\Local\Temp\adisu.exe
        "C:\Users\Admin\AppData\Local\Temp\adisu.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_94de1d6ae38c18d132f69a221ea2407d.exe"
        3⤵
        • Executes dropped EXE
        PID:1992
      • C:\Users\Admin\AppData\Local\Temp\adisu.exe
        "C:\Users\Admin\AppData\Local\Temp\adisu.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_94de1d6ae38c18d132f69a221ea2407d.exe"
        3⤵
        • Executes dropped EXE
        PID:2368
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\ndvshwnibqbzmiigdu.exe
      "C:\Windows\ndvshwnibqbzmiigdu.exe" .
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1172
      • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
        "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\windows\ndvshwnibqbzmiigdu.exe*."
        3⤵
        PID:1388
    • C:\Users\Admin\AppData\Local\Temp\xlbwjwlevirnysqm.exe
      "C:\Users\Admin\AppData\Local\Temp\xlbwjwlevirnysqm.exe" .
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2620
      • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
        "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\users\admin\appdata\local\temp\xlbwjwlevirnysqm.exe*."
        3⤵
        PID:1640
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1524
    • C:\Windows\etkguiyskyifrmlie.exe
      "C:\Windows\etkguiyskyifrmlie.exe" .
      2⤵
      PID:2016
      • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
        "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\windows\etkguiyskyifrmlie.exe*."
        3⤵
        PID:1376
    • C:\Users\Admin\AppData\Local\Temp\ldxwnexupgttigiihahz.exe
      "C:\Users\Admin\AppData\Local\Temp\ldxwnexupgttigiihahz.exe" .
      2⤵
      PID:1080
      • C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
        "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\users\admin\appdata\local\temp\ldxwnexupgttigiihahz.exe*."
        3⤵
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\adisu.exe
    Filesize: 732KB
    MD5: 1970da7272c080cb2351c4c563c67b6e
    SHA1: e00d78182bf28799b73b84872cb2506761f96e75
    SHA256: 00b73439d2aba46203083a812c84e3780da7976e0824e750da3ed46c693afd84
    SHA512: 4d0f0ceb1b1c4cc9f1d09645220cabf54caf5372e59272165ccc0aa8d04436e7dea39eac25f21bd460d36b805cea528df4cc7dc1c70486e956494bd22aaad369

  • C:\Users\Admin\AppData\Local\rtxghilsxyvfemyirulnrabcfm.spz
    Filesize: 272B
    MD5: 673c951a745c10193a4515671ef9a752
    SHA1: 13b10413420f839de3ce58fd9cc0b01f7159b471
    SHA256: b1ade34f9d78da213d344278e1b735a2b7272cb3f0b4a7cb11ff1b1793a7f65f
    SHA512: 8047d1651b2499b2a21f3c77a05ae4523241cb0ba271a5d49227dbb292c742c9e1f54a88ed0907a5d56c1d37ddd44f51a708ab33d3494de3631b993463da6724

  • C:\Users\Admin\AppData\Local\sfuoamasiucxhaxsmacpeykwkcsemhrkhcwkm.oiu
    Filesize: 3KB
    MD5: 83c3737964510e4175555b41c66ff299
    SHA1: 8185587ea79ca2dfcc1f19a03e166613cda9ed0b
    SHA256: a6d179010f704cd41fbbdfa2936c3a447a6fd6dfda044a36c7d1a99d2a05ed20
    SHA512: 422abf4657a2225f6382d472a6828129bfd93aa615eb96506a05871da2cc4ea3a32801d7c28c7305d3d989141070788176aed9d2ab233d9a298e1be1f1ab0084

  • C:\Windows\SysWOW64\ndvshwnibqbzmiigdu.exe
    Filesize: 644KB
    MD5: 94de1d6ae38c18d132f69a221ea2407d
    SHA1: a048b4b46308cbf27d3f412e2139bb290f284b43
    SHA256: 2ba78cfc0247a07c1fb24e7ffebe1814bd0fe2e486785e978e229e4dd731432b
    SHA512: f87690592313d7b18eca8be7ab19a8f0572764e5f118f095aa40c7dec4e9baf68121bb48beb4bac33086e2e494381c6a9ae5aff1334ef748e3b5b4d301c41056

  • \Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
    Filesize: 320KB
    MD5: 5203b6ea0901877fbf2d8d6f6d8d338e
    SHA1: c803e92561921b38abe13239c1fd85605b570936
    SHA256: 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
    SHA512: d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

  • memory/2472-193-0x0000000004560000-0x0000000004561000-memory.dmp
    Filesize: 4KB