General

  • Target

    JaffaCakes118_da844eebfec0ddcb5a9034f0aeb10838

  • Size

    564KB

  • Sample

    250427-2zp6kstsct

  • MD5

    da844eebfec0ddcb5a9034f0aeb10838

  • SHA1

    f76eb50864a0ecbbdbb5a016f3663f42a24e5af3

  • SHA256

    9af01475a31bd82f4dc99d8c82aeff77dee3b14093a710be608e32cad8eff8a5

  • SHA512

    49dc3faf52c7efb78018965e66842d9e9f9270872e74ad673987a390a0981f661a3ed2cc78fab1322b45e53f336fc8c9c2ca5b89968c7dc29a9ccee43c708aaf

  • SSDEEP

    12288:EpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqss:EpUNr6YkVRFkgbeqeo68Fhq

Malware Config

Targets

    • Target

      JaffaCakes118_da844eebfec0ddcb5a9034f0aeb10838

    • Size

      564KB

    • MD5

      da844eebfec0ddcb5a9034f0aeb10838

    • SHA1

      f76eb50864a0ecbbdbb5a016f3663f42a24e5af3

    • SHA256

      9af01475a31bd82f4dc99d8c82aeff77dee3b14093a710be608e32cad8eff8a5

    • SHA512

      49dc3faf52c7efb78018965e66842d9e9f9270872e74ad673987a390a0981f661a3ed2cc78fab1322b45e53f336fc8c9c2ca5b89968c7dc29a9ccee43c708aaf

    • SSDEEP

      12288:EpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqss:EpUNr6YkVRFkgbeqeo68Fhq

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks