General

  • Target

    JaffaCakes118_9d92b7212b750f84f33754676889ff18

  • Size

    988KB

  • Sample

    250407-ddjjxawvgt

  • MD5

    9d92b7212b750f84f33754676889ff18

  • SHA1

    04fbd824027e2c04d7de9f522d8d590106d234de

  • SHA256

    0f780901563b453854e1595f8cb3414ce162e9398b766d6066a0356037b04abc

  • SHA512

    6d1233577456b86f2d1a79e1e076e0d705bf7f00b0e97975247708b4cef31af35b77ab9bd1a5fa9c12d65129efa67d3371aebb36cbb8fa8fffb26627210e63dc

  • SSDEEP

    6144:n1QMivgpQ25+yApTCg3cz6ufWeLuIrybTQg9o214QTB2I/51pftDKHpDbU69SWvX:1QMiG+2gef5x/xQTB2OfDKC7Wgcs

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks