General

  • Target

    JaffaCakes118_de7ea5f8531ff739ef16ff84627e12e4

  • Size

    1020KB

  • Sample

    250428-nzlaqsvsbz

  • MD5

    de7ea5f8531ff739ef16ff84627e12e4

  • SHA1

    8eb08ba86fe5443a0618aa89758406c8696f9ca6

  • SHA256

    52ea5ce70986e3d6451f7bcf724216e2dbc95bf44f0264df2517b8cb39f946c7

  • SHA512

    6cb040cf49e88bb55d42609a09a4f07ae2fb4b78c6d2de990f66121d9ffa652f1c7106057c0d37e50ff31acb22aeef99cf86410bab7e407ccaf9c9d6d7b86989

  • SSDEEP

    12288:I0Kr3QboC9qLGKgZKe4HYpHvcbTa7rGNrkty0fkhAlmvHRVg:BQ3QbiGL8LwHdErmyFAeHQ

Malware Config

Targets

    • Target

      JaffaCakes118_de7ea5f8531ff739ef16ff84627e12e4

    • Size

      1020KB

    • MD5

      de7ea5f8531ff739ef16ff84627e12e4

    • SHA1

      8eb08ba86fe5443a0618aa89758406c8696f9ca6

    • SHA256

      52ea5ce70986e3d6451f7bcf724216e2dbc95bf44f0264df2517b8cb39f946c7

    • SHA512

      6cb040cf49e88bb55d42609a09a4f07ae2fb4b78c6d2de990f66121d9ffa652f1c7106057c0d37e50ff31acb22aeef99cf86410bab7e407ccaf9c9d6d7b86989

    • SSDEEP

      12288:I0Kr3QboC9qLGKgZKe4HYpHvcbTa7rGNrkty0fkhAlmvHRVg:BQ3QbiGL8LwHdErmyFAeHQ

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks