General

  • Target

    JaffaCakes118_d144c0efbc23a3f0909539318e69e0e3

  • Size

    624KB

  • Sample

    250423-f8axcsxzgv

  • MD5

    d144c0efbc23a3f0909539318e69e0e3

  • SHA1

    24cf753a5c0d0e120cf5c5d27d989898e084cf9c

  • SHA256

    cd95261ea21f20e835255a2beeabd6c67672c2e77fb23c2a2e9be78663d4fc8a

  • SHA512

    f20451437f9888a6bb8a786105f022bff0647b59e468acdbed352a22259e3fb2cc9e1f94784ac982106078576a5ef028b5b507750cd184faed3c87ada969da96

  • SSDEEP

    12288:3pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsYI:3pUNr6YkVRFkgbeqeo68Fhq5I

Malware Config

Targets

    • Target

      JaffaCakes118_d144c0efbc23a3f0909539318e69e0e3

    • Size

      624KB

    • MD5

      d144c0efbc23a3f0909539318e69e0e3

    • SHA1

      24cf753a5c0d0e120cf5c5d27d989898e084cf9c

    • SHA256

      cd95261ea21f20e835255a2beeabd6c67672c2e77fb23c2a2e9be78663d4fc8a

    • SHA512

      f20451437f9888a6bb8a786105f022bff0647b59e468acdbed352a22259e3fb2cc9e1f94784ac982106078576a5ef028b5b507750cd184faed3c87ada969da96

    • SSDEEP

      12288:3pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsYI:3pUNr6YkVRFkgbeqeo68Fhq5I

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks