General

  • Target

    JaffaCakes118_de201b27f393d06240b3c14dc7d43e3d

  • Size

    464KB

  • Sample

    250428-mpj49aswfz

  • MD5

    de201b27f393d06240b3c14dc7d43e3d

  • SHA1

    661d249c6f46a85958c3af13458c3f42666d7621

  • SHA256

    332a36217af84582eb0f36d841976508c1ccb7fcd638e90684d50b5763b9f617

  • SHA512

    5bbf39ea2136054ae3d817d5d3b1a86a9a3481b4a8ebee5a347be0ff36e1f86b825ba15369e92c2771e6190aa230d9ce78bfcb75282e5466208d08f2c3aa24ee

  • SSDEEP

    6144:Bj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdriong:x6onxOp8FySpE5zvIdtU+Ymefs

Malware Config

Targets

    • Target

      JaffaCakes118_de201b27f393d06240b3c14dc7d43e3d

    • Size

      464KB

    • MD5

      de201b27f393d06240b3c14dc7d43e3d

    • SHA1

      661d249c6f46a85958c3af13458c3f42666d7621

    • SHA256

      332a36217af84582eb0f36d841976508c1ccb7fcd638e90684d50b5763b9f617

    • SHA512

      5bbf39ea2136054ae3d817d5d3b1a86a9a3481b4a8ebee5a347be0ff36e1f86b825ba15369e92c2771e6190aa230d9ce78bfcb75282e5466208d08f2c3aa24ee

    • SSDEEP

      6144:Bj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdriong:x6onxOp8FySpE5zvIdtU+Ymefs

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks