General

  • Target

    JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94

  • Size

    1020KB

  • Sample

    250411-1p8z9szzg1

  • MD5

    b00543b6e9ead74528eb07622f2f5c94

  • SHA1

    36310f1caec808d700c5f8147ebb1b6f60aee09a

  • SHA256

    075f8ff04a2ce29d55c82f2fabfa76187e0933b6b154614b45d5c5fdd41ed2a3

  • SHA512

    7f2937a25b363b139839cf491e7e9e2097ab5d469b3d8486aa23782b816fc63a7bd43f522c0fab1780dd80db32a0d5c84df635851ceb1f7d64bffc84e294bd4b

  • SSDEEP

    6144:YKEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8O:YKr3QboC9qLGKgZKe4HYpHvcbTV

Malware Config

Targets

    • Target

      JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94

    • Size

      1020KB

    • MD5

      b00543b6e9ead74528eb07622f2f5c94

    • SHA1

      36310f1caec808d700c5f8147ebb1b6f60aee09a

    • SHA256

      075f8ff04a2ce29d55c82f2fabfa76187e0933b6b154614b45d5c5fdd41ed2a3

    • SHA512

      7f2937a25b363b139839cf491e7e9e2097ab5d469b3d8486aa23782b816fc63a7bd43f522c0fab1780dd80db32a0d5c84df635851ceb1f7d64bffc84e294bd4b

    • SSDEEP

      6144:YKEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8O:YKr3QboC9qLGKgZKe4HYpHvcbTV

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a domain generation algorithm (DGA) for its C2, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to (or away from) particular regions.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation prompts for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
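
The labels above are the sandbox's behavioural signatures; they tell you what the sample touched, not whether a given host was hit. The following read-only PowerShell script is an added example (not part of this report and not the sandbox's own tooling) that audits the registry locations and drive roots those signatures refer to: the Winlogon Shell/Userinit hooks, the Run and policy Run keys, DisableRegistryTools, the UAC policy values, the SafeBoot keys, the configured Geo/Nation value, and autorun.inf on every mounted drive. The "clean" default values it compares against and the "outside Program Files or Windows" heuristic are assumptions about a stock Windows install, not facts stated in the report.

```powershell
# Added example: host audit for the persistence / defence-evasion artifacts that the
# sandbox signatures above describe. Read-only. Run in an elevated PowerShell session
# on the suspect host. Expected "clean" values below are assumptions about a default install.

$findings = New-Object System.Collections.Generic.List[string]

# Return a registry value or $null if the key/value does not exist.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. Winlogon: Shell / Userinit are classic persistence hooks ("Modifies WinLogon for persistence").
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell    = Get-RegValue $winlogon 'Shell'
$userinit = Get-RegValue $winlogon 'Userinit'
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon\Shell = $shell") }
if ($userinit -and $userinit.TrimEnd(',') -ne "$env:SystemRoot\system32\userinit.exe") {
    $findings.Add("Winlogon\Userinit = $userinit")
}

# 2. Run keys and policy Run keys. Policy Run entries are always reported (rare on a clean
#    workstation); ordinary Run entries are reported when they point outside Program Files / Windows.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, PSChildName, ...
        $cmd = [string]$p.Value
        $isPolicyKey = $key -like '*\Policies\*'
        $outsideTrusted = $cmd -notmatch '(?i)\\Program Files|\\Windows\\'
        if ($isPolicyKey -or $outsideTrusted) { $findings.Add("$key\$($p.Name) = $cmd") }
    }
}

# 3. DisableRegistryTools = 1 blocks regedit ("Disables RegEdit via registry modification").
foreach ($hive in 'HKCU', 'HKLM') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegistryTools'
    if ($v -eq 1) { $findings.Add("$hive DisableRegistryTools = 1") }
}

# 4. UAC policy: EnableLUA = 0 turns UAC off; ConsentPromptBehaviorUser = 0 makes Windows
#    silently deny elevation requests from standard users.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $sysPol 'EnableLUA') -eq 0) { $findings.Add('EnableLUA = 0 (UAC disabled)') }
if ((Get-RegValue $sysPol 'ConsentPromptBehaviorUser') -eq 0) {
    $findings.Add('ConsentPromptBehaviorUser = 0 (standard users cannot elevate)')
}

# 5. SafeBoot: malware either adds its own entry so it still loads in Safe Mode, or deletes
#    the Minimal/Network keys so Safe Mode cannot boot. Entry names are listed for
#    comparison against a known-good baseline of the same Windows build.
foreach ($mode in 'Minimal', 'Network') {
    $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $sb)) { $findings.Add("SafeBoot\$mode key is missing"); continue }
    $names = (Get-ChildItem $sb | ForEach-Object { $_.PSChildName }) -join ', '
    $findings.Add("SafeBoot\$mode entries (diff against baseline): $names")
}

# 6. Geofence input: the Nation value is what a location check like the one flagged would read.
$nation = Get-RegValue 'HKCU:\Control Panel\International\Geo' 'Nation'
if ($nation) { $findings.Add("Geo\Nation (GeoID) = $nation") }

# 7. autorun.inf on every mounted filesystem drive; show the lines that launch something.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path $inf) {
        $launch = Get-Content $inf -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        $findings.Add("$inf : " + ($launch -join ' | '))
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "[!] $_" } }
```

Treat the output as leads, not verdicts: a Run entry under a user profile can be legitimate, and SafeBoot contents differ between Windows builds, so compare the SafeBoot list against a clean machine of the same build rather than against a fixed allow-list. The drive scan only covers volumes mounted at run time; a removable disk that carried the autorun.inf may already have been unplugged.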

MITRE ATT&CK Enterprise v16

Tasks