General

  • Target

    JaffaCakes118_c940916a51510ded99612bd93114de0d

  • Size

    472KB

  • Sample

    250421-pkp6tattev

  • MD5

    c940916a51510ded99612bd93114de0d

  • SHA1

    af052d166386189ab6c14e8e49831b6459c42b5f

  • SHA256

    23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a

  • SHA512

    7981e1a0e321645e396b80b9bddc102f901466f85f74bb252bf99088e083033a55a8eaad519b428cd161038a6d32e5a47c44dbc3ec2e2f8dc41cc21c2bd87ef1

  • SSDEEP

    6144:CIX6L0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUIoHb:CIX6gtvm1De5YlOx6lzBH46U5Hb

Malware Config

Targets

    • Target

      JaffaCakes118_c940916a51510ded99612bd93114de0d

    • Size

      472KB

    • MD5

      c940916a51510ded99612bd93114de0d

    • SHA1

      af052d166386189ab6c14e8e49831b6459c42b5f

    • SHA256

      23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a

    • SHA512

      7981e1a0e321645e396b80b9bddc102f901466f85f74bb252bf99088e083033a55a8eaad519b428cd161038a6d32e5a47c44dbc3ec2e2f8dc41cc21c2bd87ef1

    • SSDEEP

      6144:CIX6L0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUIoHb:CIX6gtvm1De5YlOx6lzBH46U5Hb

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks