Analysis

  • max time kernel
    3s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2025, 19:03

General

  • Target
    JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
  • Size
    636KB
  • MD5
    93a2d78d1b178d991888ab31fafd86eb
  • SHA1
    695da3ddc0c594b266fa77f49e15faee52550085
  • SHA256
    57c1e030441de1e230a0b4eccf9283b469684ebfa6835230435abfb26c94de74
  • SHA512
    0a029806e648024547b804e1713819ede5635315870f0a93e9ca094ef805772a88803952d3b376c19d5ba1f2fce83bf03748e6ea73a71f14b5e3a5ce9222a49d
  • SSDEEP
    6144:Fj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionf/0Z:N6onxOp8FySpE5zvIdtU+YmefLs9v

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a domain generation algorithm (DGA), and is written in C++.

  • Pykspa family
  • UAC bypass 3 TTPs 3 IoCs
  • Detect Pykspa worm 2 IoCs
  • Adds policy Run key to start application 2 TTPs 3 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe
      "C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_93a2d78d1b178d991888ab31fafd86eb.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:2380
      • C:\Users\Admin\AppData\Local\Temp\ahmoy.exe
        "C:\Users\Admin\AppData\Local\Temp\ahmoy.exe" "-C:\Users\Admin\AppData\Local\Temp\xpfsnaqdzhqfgmtr.exe"
        3⤵
        PID:2836
      • C:\Users\Admin\AppData\Local\Temp\ahmoy.exe
        "C:\Users\Admin\AppData\Local\Temp\ahmoy.exe" "-C:\Users\Admin\AppData\Local\Temp\xpfsnaqdzhqfgmtr.exe"
        3⤵
        PID:2688

Downloads

  • C:\Windows\SysWOW64\nhzolashfparucllfq.exe
    Filesize
    636KB
    MD5
    93a2d78d1b178d991888ab31fafd86eb
    SHA1
    695da3ddc0c594b266fa77f49e15faee52550085
    SHA256
    57c1e030441de1e230a0b4eccf9283b469684ebfa6835230435abfb26c94de74
    SHA512
    0a029806e648024547b804e1713819ede5635315870f0a93e9ca094ef805772a88803952d3b376c19d5ba1f2fce83bf03748e6ea73a71f14b5e3a5ce9222a49d
  • \Users\Admin\AppData\Local\Temp\ahmoy.exe
    Filesize
    720KB
    MD5
    1ec6e888b789d4d9f0c2c9892342ff94
    SHA1
    4fd52db741692df52b66c00d5adce7e470c7e49d
    SHA256
    2b584721577565c6272b032e49ecf9dd7609a8c34e7b7e01bdc39eeabc2d21ad
    SHA512
    dec7bfb2a2b50bc358a7c568546b48e9efa48337ece414cf328904ca26cd7c21a3f80e343e16a4e8126a0e4631fe589d7b9df56f199a4ab2211d0ac641a4a05d
  • \Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe
    Filesize
    320KB
    MD5
    5203b6ea0901877fbf2d8d6f6d8d338e
    SHA1
    c803e92561921b38abe13239c1fd85605b570936
    SHA256
    0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
    SHA512
    d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471