General

  • Target

    JaffaCakes118_a7f97249fa2b28f61a661d6fdf7279bc

  • Size

    896KB

  • Sample

    250410-c6gqcaynz4

  • MD5

    a7f97249fa2b28f61a661d6fdf7279bc

  • SHA1

    a5dd2dd2616bc20679ef902f7f45cdbcb990aa06

  • SHA256

    253777944557b0e9330b3ff2cf2de4fa51a0bc549e81e8ab3cd57c8f97fb51b5

  • SHA512

    0c82b444939bf7bc1c40dfaf445c0a2c13d2b05faa3f4a0ead9a9c7c2cf4223dd15b3d579471510ae7f57c933df46dad3fa0de6eac27a1c9c0afc19d4e62e94b

  • SSDEEP

    12288:M6onxOp8FySpE5zvIdtU+Ymefwj09jApWCmnkw5Q9hBTfX/GpaJZ:wwp8DozAdO9hNApyQhO0L

Malware Config

Targets

    • Target

      JaffaCakes118_a7f97249fa2b28f61a661d6fdf7279bc

    • Size

      896KB

    • MD5

      a7f97249fa2b28f61a661d6fdf7279bc

    • SHA1

      a5dd2dd2616bc20679ef902f7f45cdbcb990aa06

    • SHA256

      253777944557b0e9330b3ff2cf2de4fa51a0bc549e81e8ab3cd57c8f97fb51b5

    • SHA512

      0c82b444939bf7bc1c40dfaf445c0a2c13d2b05faa3f4a0ead9a9c7c2cf4223dd15b3d579471510ae7f57c933df46dad3fa0de6eac27a1c9c0afc19d4e62e94b

    • SSDEEP

      12288:M6onxOp8FySpE5zvIdtU+Ymefwj09jApWCmnkw5Q9hBTfX/GpaJZ:wwp8DozAdO9hNApyQhO0L

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a domain generation algorithm (DGA) for its C2, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
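
Most of the signatures above are registry-driven, so the useful thing to have on hand is the mapping from signature name to the registry key, value and operation that triggers it. The following Python is an added example, not part of the Triage report or of the Pykspa sample's code: it applies a small rule table to a constructed registry API trace and reports which of the report's signatures each event satisfies. The key paths, value names, the benign exclusions, the sample events and the ATT&CK technique IDs are this example's own assumptions about where those signatures usually fire, not data taken from the report.

```python
"""Map registry operations from a sandbox API trace to the report's signature names.

Added example. Key paths, value names and ATT&CK IDs are assumptions about where
these signatures usually fire; they were not parsed from the report.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    op: str          # "set", "delete" or "query" (API trace: reads are logged, unlike Sysmon)
    key: str         # full key path as logged by the sandbox
    value: str = ""  # value name, "" for the default value
    data: str = ""   # data written, as text


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                            # our ATT&CK mapping, an assumption
    key_re: str
    ops: frozenset
    values: Optional[frozenset] = None        # None: any value name
    data: Optional[frozenset] = None          # None: any data
    exclude_data: frozenset = frozenset()     # known-benign data for this value


POLICIES_SYSTEM = r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$"
WINLOGON = r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$"

RULES = [
    Rule("Modifies WinLogon for persistence", "T1547.004", WINLOGON, frozenset({"set"}),
         values=frozenset({"shell", "userinit"}),
         exclude_data=frozenset({"explorer.exe", r"c:\windows\system32\userinit.exe,"})),
    Rule("Adds policy Run key to start application", "T1547.001",
         r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$",
         frozenset({"set"})),
    Rule("Adds Run key to start application", "T1547.001",
         r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$", frozenset({"set"})),
    Rule("Disables RegEdit via registry modification", "T1112", POLICIES_SYSTEM, frozenset({"set"}),
         values=frozenset({"disableregistrytools"}), data=frozenset({"1"})),
    Rule("Turns off UAC privilege elevation for standard users", "T1548.002", POLICIES_SYSTEM,
         frozenset({"set"}), values=frozenset({"consentpromptbehavioruser"}), data=frozenset({"0"})),
    Rule("Checks whether UAC is enabled", "T1012", POLICIES_SYSTEM, frozenset({"query"}),
         values=frozenset({"enablelua"})),
    Rule("Checks computer location settings", "T1614",
         r"^HKCU\\Control Panel\\International\\Geo$", frozenset({"query"}),
         values=frozenset({"nation"})),
    Rule("Impair Defenses: Safe Mode Boot", "T1562.009",
         r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Control\\SafeBoot\\(Minimal|Network)(\\.+)?$",
         frozenset({"set", "delete"})),
]

_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
          "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}


def normalize_key(key: str) -> str:
    """Short hive prefix, no trailing backslash; letter case is handled by the matcher."""
    hive, sep, rest = key.strip().rstrip("\\").partition("\\")
    return _HIVES.get(hive.upper(), hive.upper()) + sep + rest


def match(ev: RegEvent) -> list:
    """Names (with technique ID) of the signatures one event satisfies."""
    key = normalize_key(ev.key)
    data = ev.data.strip().lower()
    hits = []
    for r in RULES:
        if ev.op not in r.ops or not re.match(r.key_re, key, re.IGNORECASE):
            continue
        if r.values is not None and ev.value.lower() not in r.values:
            continue
        if (r.data is not None and data not in r.data) or data in r.exclude_data:
            continue
        hits.append(f"{r.name} [{r.technique}]")
    return hits


def scan(events: list) -> dict:
    """Group events by the signature they triggered."""
    report: dict = {}
    for ev in events:
        for name in match(ev):
            report.setdefault(name, []).append(ev)
    return report


# Constructed sample trace in the style of a sandbox registry log (not from the report).
SAMPLE_EVENTS = [
    RegEvent("set", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "Shell", r"explorer.exe,C:\Users\user\AppData\Roaming\dropped.exe"),
    RegEvent("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
             "updater", r"C:\Users\user\AppData\Roaming\dropped.exe"),
    RegEvent("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
             "DisableRegistryTools", "1"),
    RegEvent("set", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
             "ConsentPromptBehaviorUser", "0"),
    RegEvent("query", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
             "EnableLUA"),
    RegEvent("query", r"HKEY_CURRENT_USER\Control Panel\International\Geo", "Nation"),
    RegEvent("delete", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys"),
    # Benign: setup restoring the default shell must not be reported as persistence.
    RegEvent("set", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "Shell", "explorer.exe"),
]

if __name__ == "__main__":
    for name, evs in scan(SAMPLE_EVENTS).items():
        print(name)
        for ev in evs:
            print(f"  {ev.op:6} {normalize_key(ev.key)} -> {ev.value}={ev.data}")
```

Two caveats when reusing this against real telemetry: Sysmon only records registry writes (event 13) and deletes (event 12), so the two `query` rules (the UAC and country-code checks) need an API-level trace such as the sandbox's own registry log; and the remaining signatures on this page ("Executes dropped EXE", "Drops file in System32 directory", "Looks up external IP address via web service") are process, file and network signals that a registry rule table cannot see.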

MITRE ATT&CK Enterprise v16

Tasks