General

  • Target

    JaffaCakes118_d149ebdd8f6cdf03b263d99bc14355ad

  • Size

    564KB

  • Sample

    250423-gcrqnsysay

  • MD5

    d149ebdd8f6cdf03b263d99bc14355ad

  • SHA1

    777820d42063126687be01f30fc279e972994c5f

  • SHA256

    32510832786c8c03e0f41c41e7f5de58f74e57ccfdacaae4468db0bd7a3dce15

  • SHA512

    2dbe97aa0e8ff49e40c5426d03f2211d7894d09ecb463341dc8ff213a7683de869f959a414fd4ae5ccf9f00d7c5dbd7a2812ab8207665da964a055f8ebf24ab9

  • SSDEEP

    12288:qpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsQg:qpUNr6YkVRFkgbeqeo68FhqR

Malware Config

Targets

    • Target

      JaffaCakes118_d149ebdd8f6cdf03b263d99bc14355ad

    • Size

      564KB

    • MD5

      d149ebdd8f6cdf03b263d99bc14355ad

    • SHA1

      777820d42063126687be01f30fc279e972994c5f

    • SHA256

      32510832786c8c03e0f41c41e7f5de58f74e57ccfdacaae4468db0bd7a3dce15

    • SHA512

      2dbe97aa0e8ff49e40c5426d03f2211d7894d09ecb463341dc8ff213a7683de869f959a414fd4ae5ccf9f00d7c5dbd7a2812ab8207665da964a055f8ebf24ab9

    • SSDEEP

      12288:qpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsQg:qpUNr6YkVRFkgbeqeo68FhqR

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks