General

  • Target

    JaffaCakes118_a6bb590cd15bbc1f6ea3f0a7ea673c93

  • Size

    548KB

  • Sample

    250409-zhn6va11dy

  • MD5

    a6bb590cd15bbc1f6ea3f0a7ea673c93

  • SHA1

    6c54fe3d46a354da4f0e7c16f10df230eed574b8

  • SHA256

    47b0c68c97a03bd0a32d47e9f3b220078bf78d693b1ea661a29b8f8e13f4124d

  • SHA512

    20bd10da58b885444164bfd4aaa991e964058c3bcb9306e71c9a20622d560e5784c6fa2f02b649c9cd6cce4426868e22ed96d8a5060b46c35c78432437299dd8

  • SSDEEP

    6144:aKEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8I:aKr3QboC9qLGKgZKe4HYpHvcbTC

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks