General

  • Target

    JaffaCakes118_a2a7aad6763626e854a3f14bf347be66

  • Size

    560KB

  • Sample

    250409-b4fvlawnw7

  • MD5

    a2a7aad6763626e854a3f14bf347be66

  • SHA1

    e5b3e6fd3c7ed533beeac99f2a0f9c6fb876b1d2

  • SHA256

    57ce6e0285c48145146faf01afc67b06ea8d57eab327300b7888e5312c3a64f0

  • SHA512

    09c2ba0f72bd892d9a25a6c241c52e495f2a3108be17a88ee2644f179d0e242126f17cd7fe3c95f5a25ccb4f2f1b7a83923e25c148c593cb7158fa3cf6491728

  • SSDEEP

    6144:5IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUG64KV:5IXsgtvm1De5YlOx6lzBH46UG6NV

Malware Config

Targets

    • Target

      JaffaCakes118_a2a7aad6763626e854a3f14bf347be66

    • Size

      560KB

    • MD5

      a2a7aad6763626e854a3f14bf347be66

    • SHA1

      e5b3e6fd3c7ed533beeac99f2a0f9c6fb876b1d2

    • SHA256

      57ce6e0285c48145146faf01afc67b06ea8d57eab327300b7888e5312c3a64f0

    • SHA512

      09c2ba0f72bd892d9a25a6c241c52e495f2a3108be17a88ee2644f179d0e242126f17cd7fe3c95f5a25ccb4f2f1b7a83923e25c148c593cb7158fa3cf6491728

    • SSDEEP

      6144:5IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUG64KV:5IXsgtvm1De5YlOx6lzBH46UG6NV

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks