General

  • Target

    JaffaCakes118_a68c161fef4b2d8628e484725608c32a

  • Size

    472KB

  • Sample

    250409-yppkhs1tbx

  • MD5

    a68c161fef4b2d8628e484725608c32a

  • SHA1

    9a2d09040cba8c35310cc74018fcf3c6e3b30367

  • SHA256

    d87db55477a0f36b5c94e16d8f60ac79745be3d58cc77db6be405e8e4afb911c

  • SHA512

    0bd8b1d3ffd40d8b47ea46f802ed28242e981376c16b2a74113b42eb56d38eafe45e8604b26866dd4e70d23172d7f4d78ad1e3b2997bdbf448b1ff5e127a0cef

  • SSDEEP

    6144:38X8RUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU0p+:MsRy+ZyYpaCDJFuPyAHcqrUT

Malware Config

Targets

    • Target

      JaffaCakes118_a68c161fef4b2d8628e484725608c32a

    • Size

      472KB

    • MD5

      a68c161fef4b2d8628e484725608c32a

    • SHA1

      9a2d09040cba8c35310cc74018fcf3c6e3b30367

    • SHA256

      d87db55477a0f36b5c94e16d8f60ac79745be3d58cc77db6be405e8e4afb911c

    • SHA512

      0bd8b1d3ffd40d8b47ea46f802ed28242e981376c16b2a74113b42eb56d38eafe45e8604b26866dd4e70d23172d7f4d78ad1e3b2997bdbf448b1ff5e127a0cef

    • SSDEEP

      6144:38X8RUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU0p+:MsRy+ZyYpaCDJFuPyAHcqrUT

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a domain generation algorithm (DGA), and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
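
The signatures above name behaviours but not the registry locations behind them. The following is an added example (not part of this report and not the sandbox's own detection code) that maps Sysmon Event ID 13 (registry value set) records onto the same signature names, and checks the launch keys in an autorun.inf. The events, the dropped file name `svchost_.exe` and the autorun.inf text are constructed for illustration; the registry paths are the standard Windows locations for Winlogon, Run, policy Run, DisableRegistryTools, SafeBoot and the UAC policy values. Which exact paths the sandbox checks for each signature is an assumption.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "name target_re details_ok")


def _dword(details):
    """Parse the 'DWORD (0x00000001)' form Sysmon uses in the Details field."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


# Default Winlogon values; anything else in Shell/Userinit is a persistence hook.
_WINLOGON_DEFAULTS = re.compile(r"explorer\.exe|C:\\Windows\\system32\\userinit\.exe,?", re.I)

# Assumed mapping from registry writes to the report's signature names.
RULES = [
    Rule("Modifies WinLogon for persistence",
         re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
         lambda d: not _WINLOGON_DEFAULTS.fullmatch(d)),
    Rule("Adds policy Run key to start application",
         re.compile(r"\\Policies\\Explorer\\Run\\", re.I), lambda d: True),
    Rule("Adds Run key to start application",
         re.compile(r"\\CurrentVersion\\Run\\", re.I), lambda d: True),
    Rule("Disables RegEdit via registry modification",
         re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I),
         lambda d: _dword(d) == 1),
    Rule("Impair Defenses: Safe Mode Boot",
         re.compile(r"\\Control\\SafeBoot\\", re.I), lambda d: True),
    # EnableLUA=0 disables UAC; ConsentPromptBehaviorUser=0 auto-denies elevation
    # for standard users, which is what the UAC signature above describes.
    Rule("Turns off UAC elevation for standard users",
         re.compile(r"\\Policies\\System\\(EnableLUA|ConsentPromptBehaviorUser)$", re.I),
         lambda d: _dword(d) == 0),
]

# Constructed Sysmon Event ID 13 records (Image, TargetObject, Details); not captured
# from this sample. The last one is a benign Explorer write that must not match.
_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\dropped.exe"
SAMPLE_EVENTS = [
    {"Image": _DROPPER, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Windows\System32\svchost_.exe"},
    {"Image": _DROPPER, "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\update",
     "Details": r"C:\Windows\System32\svchost_.exe"},
    {"Image": _DROPPER, "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Windows\System32\svchost_.exe"},
    {"Image": _DROPPER, "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"Image": _DROPPER, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\update",
     "Details": "Service"},
    {"Image": _DROPPER, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\explorer.exe", "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def match_events(events, rules=RULES):
    """Return (signature, image, target, details) for every event a rule matches."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.target_re.search(ev["TargetObject"]) and rule.details_ok(ev["Details"]):
                hits.append((rule.name, ev["Image"], ev["TargetObject"], ev["Details"]))
    return hits


def triggered_signatures(events, rules=RULES):
    """Deduplicated signature names, the way a sandbox report lists them."""
    return sorted({hit[0] for hit in match_events(events, rules)})


# Constructed autorun.inf of the kind a worm drops on a volume (not the sample's file).
AUTORUN_INF = ("[autorun]\r\nopen=svchost_.exe\r\nshellexecute=svchost_.exe\r\n"
               "shell\\open\\command=svchost_.exe\r\nicon=%SystemRoot%\\system32\\shell32.dll,4\r\n")


def autorun_launch_targets(text):
    """Return the keys in [autorun] that cause code execution, with their commands."""
    targets, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value
    return targets


if __name__ == "__main__":
    for sig, image, target, details in match_events(SAMPLE_EVENTS):
        print(f"[{sig}] {image} -> {target} = {details}")
    for key, cmd in autorun_launch_targets(AUTORUN_INF).items():
        print(f"[Drops autorun.inf] {key} launches {cmd}")
```

The Winlogon rule compares against the default `Shell` and `Userinit` values rather than alerting on every write, since installers legitimately touch that key; the Run-key rules will still fire on benign software, so in practice they are scoped by the writing process (here the dropped executable). AutoRun from non-optical removable media has been disabled by Windows since the 2011 update, so an autorun.inf on a USB stick is mainly a lateral-movement indicator on older or misconfigured hosts.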

MITRE ATT&CK Enterprise v16

Tasks