Analysis Overview
SHA256
70880891d2897ec408e56b4eac407ba1f339015871ea24b6807b9d7abb992534
Threat Level: Known bad
The file JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b was found to be: Known bad.
Malicious Activity Summary
Pykspa
Pykspa family
Detect Pykspa worm
Checks computer location settings
Executes dropped EXE
Program crash
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-11 21:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-11 21:41
Reported
2025-04-11 21:43
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Pykspa
Pykspa family
Detect Pykspa worm
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afffaeef2329ab2660211ef1c0f1562b.exe"
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_afffaeef2329ab2660211ef1c0f1562b.exe*"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1880 -ip 1880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 348
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_afffaeef2329ab2660211ef1c0f1562b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2532 -ip 2532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 312
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 95.101.143.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
| Hash | Value |
| --- | --- |
| MD5 | 0a9c62dc48670cd0a88a7ff334e67799 |
| SHA1 | 89ab1d31ffa5ab73361e8448ac9393f40bef08a8 |
| SHA256 | 5701be62296551688c2da1a97f2fc92d43289cb0aa1280dd5f41c968f88d5654 |
| SHA512 | 7ff0c62e7b1bfb516476a570e015bff6e573b7a272b1cd25f32cc01d109ae58014c03a6f9a9f9be7b09620db4132fbe19186ebdef9c451e59d6f29b848153a6b |