General
-
Target
JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5
-
Size
640KB
-
Sample
250329-vxmjcat1b1
-
MD5
8cf88a6db7a1d9f426aac73a35f11ce5
-
SHA1
bb6af4301e7fdf0f8bfa9bcd1582d7162d24053a
-
SHA256
08565ab76bff7b276fa60584ca2adc3afafbce2ac1a47bd5cb014f744370e598
-
SHA512
95f5f9c9ce7d84374fa5472647abf2a50c8fb928e8e10912d458fa7452f031c2c4f1cb53cb2dc3f2c6dac72a2eda90d0b1001603384f49d897012bc317f46690
-
SSDEEP
12288:DIXlgtvm1De5YlOx6lzBH46UTyxeco7pQS/L7no2aT:Dd81yMBbwyno7pQS/LBaT
Malware Config
Targets
-
-
Target
JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5
-
Size
640KB
-
MD5
8cf88a6db7a1d9f426aac73a35f11ce5
-
SHA1
bb6af4301e7fdf0f8bfa9bcd1582d7162d24053a
-
SHA256
08565ab76bff7b276fa60584ca2adc3afafbce2ac1a47bd5cb014f744370e598
-
SHA512
95f5f9c9ce7d84374fa5472647abf2a50c8fb928e8e10912d458fa7452f031c2c4f1cb53cb2dc3f2c6dac72a2eda90d0b1001603384f49d897012bc317f46690
-
SSDEEP
12288:DIXlgtvm1De5YlOx6lzBH46UTyxeco7pQS/L7no2aT:Dd81yMBbwyno7pQS/LBaT
Score10/10-
Modifies WinLogon for persistence
-
Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
-
Pykspa family
-
UAC bypass
-
Detect Pykspa worm
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Disables RegEdit via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Hijack Execution Flow: Executable Installer File Permissions Weakness
Possible Turn off User Account Control's privilege elevation for standard users.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5