General

  • Target

    JaffaCakes118_d777f5349cd2674942fc66960cbdc580

  • Size

    516KB

  • Sample

    250424-vm19rasqv5

  • MD5

    d777f5349cd2674942fc66960cbdc580

  • SHA1

    9adddaf919369a95ce780e253f022ef77206d863

  • SHA256

    1c4fcff23a29745f4898a96751ebc60a54f24d887eb91c1c94eb0e8b91dfa288

  • SHA512

    d0b48c4c5f46eba6ff9bef57b9feb3c6a201e55ad3f86281c41f99898590d9efb52c65bba343373618265813f9ef6e725c4c71fc5083a669132dd384c62dc202

  • SSDEEP

    12288:4y6onxOp8FySpE5zvIdtU+YmefI4kNTqJ:Nwp8DozAdO921U

Malware Config

Targets

    • Target

      JaffaCakes118_d777f5349cd2674942fc66960cbdc580

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks