General

  • Target

    JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1

  • Size

    968KB

  • Sample

    250418-a3x7tayqx8

  • MD5

    bbd7b871140426c0f77e65b9c18dbcf1

  • SHA1

    f107fdc5b346882994efb09ba63b85e696679e4d

  • SHA256

    2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b

  • SHA512

    c30ec761442c26b0f8c86eae2aebbd09c864a2587a27ca300b7c4669eb91efd88a2a05aae21020ae3c08ba690f472a551bc85b9d83967160758aaa3c9c6ff322

  • SSDEEP

    12288:/pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs0yDYilDLvxtJzzxHs0oPYJaf4Db:/pUNr6YkVRFkgbeqeo68FhqsnvzKT+

Malware Config

Targets

    • Target

      JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1

    • Size

      968KB

    • MD5

      bbd7b871140426c0f77e65b9c18dbcf1

    • SHA1

      f107fdc5b346882994efb09ba63b85e696679e4d

    • SHA256

      2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b

    • SHA512

      c30ec761442c26b0f8c86eae2aebbd09c864a2587a27ca300b7c4669eb91efd88a2a05aae21020ae3c08ba690f472a551bc85b9d83967160758aaa3c9c6ff322

    • SSDEEP

      12288:/pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs0yDYilDLvxtJzzxHs0oPYJaf4Db:/pUNr6YkVRFkgbeqeo68FhqsnvzKT+

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks