General

  • Target

    JaffaCakes118_9e3c23b58548175e2abed12989fea7ff

  • Size

    812KB

  • Sample

    250407-hj84zavkx8

  • MD5

    9e3c23b58548175e2abed12989fea7ff

  • SHA1

    2a16c4b21b02db8b6ee024fc95f6c3da6d45d578

  • SHA256

    110412f2f3e3257b0e6bf514aa866903fd1968e661dbbd54ccf5faae0c12cb8f

  • SHA512

    4a957b433012c3819c7c3cbc33b9cf1dfc88b9c7dbf912d3262ee7a0372316ff3ff07cbcbb932587b4da03c64a8e09700ea89aa0590f625e03a6a51f2a2a07b6

  • SSDEEP

    12288:MgHsqmAdjxORA4GTe2Pr9hroyCMJOcddfm+YtZHuSfPuNKiOwHG:Aqmwjfz79iSJOUYtZOaUKiOwm

Malware Config

Targets

    • Target

      JaffaCakes118_9e3c23b58548175e2abed12989fea7ff

    • Size

      812KB

    • MD5

      9e3c23b58548175e2abed12989fea7ff

    • SHA1

      2a16c4b21b02db8b6ee024fc95f6c3da6d45d578

    • SHA256

      110412f2f3e3257b0e6bf514aa866903fd1968e661dbbd54ccf5faae0c12cb8f

    • SHA512

      4a957b433012c3819c7c3cbc33b9cf1dfc88b9c7dbf912d3262ee7a0372316ff3ff07cbcbb932587b4da03c64a8e09700ea89aa0590f625e03a6a51f2a2a07b6

    • SSDEEP

      12288:MgHsqmAdjxORA4GTe2Pr9hroyCMJOcddfm+YtZHuSfPuNKiOwHG:Aqmwjfz79iSJOUYtZOaUKiOwm

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks