Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/04/2025, 21:41

General

  • Target

    JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe

  • Size

    488KB

  • MD5

    afffaeef2329ab2660211ef1c0f1562b

  • SHA1

    3ca3a64b88fbb94f5844cc854a15379a13e50c01

  • SHA256

    70880891d2897ec408e56b4eac407ba1f339015871ea24b6807b9d7abb992534

  • SHA512

    de29636e2f9d8c661bca68f1b415e314ef14898a9f22ce29e190e1e71a4ffd01fe0c9db8c2a9aed14e63749a7be8093ae3d885c6a0c52f8cb1bd09c3cf2ef3b8

  • SSDEEP

    12288:NIXsgtvm1De5YlWx6lzBH46UmZMMMMM2MMMMM1:NU81ygBb7ZMMMMM2MMMMM1

Score
10/10

Malware Config

Signatures

  • Pykspa

    Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

  • Pykspa family
  • Detect Pykspa worm 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
      "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_afffaeef2329ab2660211ef1c0f1562b.exe*"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1880
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 348
        3⤵
        • Program crash
        PID:5620
    • C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
      "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_afffaeef2329ab2660211ef1c0f1562b.exe"
      2⤵
      • Executes dropped EXE
      PID:2532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 312
        3⤵
        • Program crash
        PID:2676
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1880 -ip 1880
    1⤵
    PID:4780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2532 -ip 2532
    1⤵
    PID:5700
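A detection sketch built from the process tree above, added here as an example and not part of the report or of any Pykspa tooling: it encodes the three behaviours the tree shows (a binary in %TEMP% executing a second, dropped binary from %TEMP%; the dropped copy being handed the original's path on its command line; and WerFault reporting a crash of the dropped copy) as rules over process-creation records. The records are constructed from the tree on this page: PIDs, image paths and command lines are the report's, parent PIDs are inferred from the nesting, and the two top-level WerFault -pss processes have no captured parent. The rule names and the ProcEvent structure are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Substring that marks a per-user temp directory (compared lower-cased).
TEMP_DIR = "\\appdata\\local\\temp\\"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 or an EDR would give us)."""
    pid: int
    ppid: Optional[int]  # None: the parent was not part of the captured tree
    image: str
    cmdline: str


# Constructed from the process tree in this report. Parent PIDs are inferred from the
# tree's nesting; the two WerFault -pss entries at the top level have no captured parent.
EVENTS: List[ProcEvent] = [
    ProcEvent(2720, None, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe"'),
    ProcEvent(1880, 2720, r"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_afffaeef2329ab2660211ef1c0f1562b.exe*"'),
    ProcEvent(5620, 1880, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 348"),
    ProcEvent(2532, 2720, r"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_afffaeef2329ab2660211ef1c0f1562b.exe"'),
    ProcEvent(2676, 2532, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 312"),
    ProcEvent(4780, None, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1880 -ip 1880"),
    ProcEvent(5700, None, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2532 -ip 2532"),
]


def in_temp(path: str) -> bool:
    return TEMP_DIR in path.lower()


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by WerFault's -p switch (the report shows '-u -p N' and '-pss -s N -p N -ip N').

    The lookahead after the digits and the whitespace before '-p' keep '-pss' and '-ip' from matching.
    """
    m = re.search(r"(?:^|\s)-p\s+(\d+)(?=\s|$)", cmdline)
    return int(m.group(1)) if m else None


def analyze(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Apply the three rules derived from the report's tree; returns sorted, de-duplicated (rule, pid) pairs."""
    by_pid = {e.pid: e for e in events}
    findings: Set[Tuple[str, int]] = set()
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        if parent is not None:
            # Rule 1: a binary running from %TEMP% starts a different binary from %TEMP%
            # (the report's "Executes dropped EXE").
            if in_temp(parent.image) and in_temp(e.image) and e.image.lower() != parent.image.lower():
                findings.add(("dropped_exe_from_temp", e.pid))
            # Rule 2: the child receives its parent's own image path as an argument,
            # the hand-off seen when the dropped copy is told where the original lives.
            if parent.image.lower() in e.cmdline.lower():
                findings.add(("parent_path_passed_to_child", e.pid))
        # Rule 3: WerFault is handling a crash of a process that ran from %TEMP%
        # (the report's "Program crash" on both dropped-EXE instances).
        if e.image.lower().endswith("\\werfault.exe"):
            target = by_pid.get(werfault_target(e.cmdline))
            if target is not None and in_temp(target.image):
                findings.add(("temp_binary_crashed", target.pid))
    return sorted(findings)


def suspicious_pids(findings: List[Tuple[str, int]], min_rules: int = 2) -> Set[int]:
    """PIDs hit by at least `min_rules` distinct rules: the ones worth pulling binaries for."""
    rules_per_pid = {}
    for rule, pid in findings:
        rules_per_pid.setdefault(pid, set()).add(rule)
    return {pid for pid, rules in rules_per_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for rule, pid in result:
        print(f"{rule:28} pid={pid}")
    print("escalate:", sorted(suspicious_pids(result)))
```

Run against the constructed records, both sdqaokddcna.exe instances (1880 and 2532) trip all three rules. Rule 2 is the one worth carrying into production telemetry: a child whose command line quotes its parent's own image path is rare in legitimate software and, together with a %TEMP% parent, narrows the hunt without depending on the file hashes listed on this page. Rule 3 deliberately parses WerFault's -p value rather than trusting the parent PID, because the -pss instances in the tree are top-level processes whose parent is not the crashed binary.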

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe

    Filesize

    320KB

    MD5

    0a9c62dc48670cd0a88a7ff334e67799

    SHA1

    89ab1d31ffa5ab73361e8448ac9393f40bef08a8

    SHA256

    5701be62296551688c2da1a97f2fc92d43289cb0aa1280dd5f41c968f88d5654

    SHA512

    7ff0c62e7b1bfb516476a570e015bff6e573b7a272b1cd25f32cc01d109ae58014c03a6f9a9f9be7b09620db4132fbe19186ebdef9c451e59d6f29b848153a6b