General

  • Target

    JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0

  • Size

    1016KB

  • Sample

    250415-n4j88stlv7

  • MD5

    b9c1a84350d1c4881dd1eac4ffb453b0

  • SHA1

    e2c094bbe105e9ced9c996c140f4fb1ae5f48585

  • SHA256

    19bfc62f4162a8399e6c22f14721710d96007e027aaa8154e3d80bb725c360e4

  • SHA512

    4122450a3b2fb3698229b12cac896378eee63798ca6c928addfd1a5fdd4af87001c55b19a3072e643bc8586a596f4af6f1b1920c15aa63404212636329da192c

  • SSDEEP

    6144:KIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:KIXsgtvm1De5YlOx6lzBH46U

Malware Config

Targets

    • Target

      JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0

    • Size

      1016KB

    • MD5

      b9c1a84350d1c4881dd1eac4ffb453b0

    • SHA1

      e2c094bbe105e9ced9c996c140f4fb1ae5f48585

    • SHA256

      19bfc62f4162a8399e6c22f14721710d96007e027aaa8154e3d80bb725c360e4

    • SHA512

      4122450a3b2fb3698229b12cac896378eee63798ca6c928addfd1a5fdd4af87001c55b19a3072e643bc8586a596f4af6f1b1920c15aa63404212636329da192c

    • SSDEEP

      6144:KIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:KIXsgtvm1De5YlOx6lzBH46U

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks