pykspa | 36a3322c178aa5eec197d1df430d3dd30bab93c2609409367ca3fb2a25c89a7c

Analysis

max time kernel
4s
max time network
11s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
Size

548KB
MD5

930832249e4efce3d5bfeb3ac4109872
SHA1

efe733a9265e2678a8ad50c0422af67ee7d6fce6
SHA256

36a3322c178aa5eec197d1df430d3dd30bab93c2609409367ca3fb2a25c89a7c
SHA512

0fa14f1f8d19c798e8159cfa8e25b66ac27e1a99bf40e8cea00de44915e80ca1cd4a629aea78e09c51afe9e5965f072a723bb0b7ed7bb268a98cda3469b8c1bf
SSDEEP

6144:rmXqNhOPOUFLccF/nHkcPLRFB/fhLeiNruEnOldMrhJ11PUM1nF1WtSef:rmaNhOPnxBnHkapLjTn/rhlUy1W5f

Score

10^/10

pykspa discovery worm

Malware Config

Signatures

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

Detect Pykspa worm 1 IoCs

worm

resource	yara_rule
behavioral1/files/0x000c000000012263-2.dat	family_pykspa

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2564	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2564
- C:\Users\Admin\AppData\Local\Temp\cnrfakasmxb.exe
  "C:\Users\Admin\AppData\Local\Temp\cnrfakasmxb.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_930832249e4efce3d5bfeb3ac4109872.exe*"
  2⤵
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\oiwljyrgyrvnytvmji.exe

Filesize
548KB

MD5
930832249e4efce3d5bfeb3ac4109872

SHA1
efe733a9265e2678a8ad50c0422af67ee7d6fce6

SHA256
36a3322c178aa5eec197d1df430d3dd30bab93c2609409367ca3fb2a25c89a7c

SHA512
0fa14f1f8d19c798e8159cfa8e25b66ac27e1a99bf40e8cea00de44915e80ca1cd4a629aea78e09c51afe9e5965f072a723bb0b7ed7bb268a98cda3469b8c1bf

Download Submit
\Users\Admin\AppData\Local\Temp\cnrfakasmxb.exe

Filesize
320KB

MD5
3516cc2d0c3c87e912b03ab166030fa7

SHA1
7665be2792f4ef783edf13b622ee605e2cf7c88c

SHA256
b36b89b688346eb24beb66bea0aa4d89480f4b149e7001bafd5b0cb2c92bc2b4

SHA512
f982cf529360bacf2a37dfe2d290ba03bc01aadcfd37f596d5e143246978228204ccabddf57641d1e003ddd15fa599e5030da756f76fad91465685614ab162bf

Download Submit