General

  • Target

    JaffaCakes118_b74f8691313be0c724b71d356c4b9b40

  • Size

    1016KB

  • Sample

    250414-lw55mawvay

  • MD5

    b74f8691313be0c724b71d356c4b9b40

  • SHA1

    a204d8d3fb87e6de59c77498fc9a0ed9bd50d214

  • SHA256

    084500d412b1e0afe88f92170791f9045e76c35c1bf57b9e912aaab2bcd1ff6d

  • SHA512

    be13201bf5c29b776c4d259166ccbbfabee4213aa698c25b77b430a66faf02c0af6cf693bf3ea585d49a3db1cad349769486ad0b7351c58bdb123faf3b33012a

  • SSDEEP

    6144:0IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUzx84a2lXUW:0IXsgtvm1De5YlOx6lzBH46Uzf7lXUW

Malware Config

Targets

    • Target

      JaffaCakes118_b74f8691313be0c724b71d356c4b9b40

    • Size

      1016KB

    • MD5

      b74f8691313be0c724b71d356c4b9b40

    • SHA1

      a204d8d3fb87e6de59c77498fc9a0ed9bd50d214

    • SHA256

      084500d412b1e0afe88f92170791f9045e76c35c1bf57b9e912aaab2bcd1ff6d

    • SHA512

      be13201bf5c29b776c4d259166ccbbfabee4213aa698c25b77b430a66faf02c0af6cf693bf3ea585d49a3db1cad349769486ad0b7351c58bdb123faf3b33012a

    • SSDEEP

      6144:0IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUzx84a2lXUW:0IXsgtvm1De5YlOx6lzBH46Uzf7lXUW

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks