General

  • Target

    JaffaCakes118_df630dd42dd24f85498598dd459723f4

  • Size

    760KB

  • Sample

    250428-r91pyssls2

  • MD5

    df630dd42dd24f85498598dd459723f4

  • SHA1

    69e45acda2965b9057c5fc88a9a4c8a1bc6cce4d

  • SHA256

    69e6d12ecc224641c5f69fee13f75b4c7fb80531805ec159cc39c4dc1aafb210

  • SHA512

    14f8f3f9405335a0476852d7aa0c74bec03a4b9d998e9cd88697f7e392b4ac774565d795da4feb1ebc30498cb185d0d1ceb3b4f48e4369a22ac651e0dc4b70ea

  • SSDEEP

    12288:QF6onxOp8FySpE5zvIdtU+YmefOaJMWf1h27bNlGJ8:Gwp8DozAdO9Oa/f1h2PGK

Malware Config

Targets

    • Target

      JaffaCakes118_df630dd42dd24f85498598dd459723f4

    • Size

      760KB

    • MD5

      df630dd42dd24f85498598dd459723f4

    • SHA1

      69e45acda2965b9057c5fc88a9a4c8a1bc6cce4d

    • SHA256

      69e6d12ecc224641c5f69fee13f75b4c7fb80531805ec159cc39c4dc1aafb210

    • SHA512

      14f8f3f9405335a0476852d7aa0c74bec03a4b9d998e9cd88697f7e392b4ac774565d795da4feb1ebc30498cb185d0d1ceb3b4f48e4369a22ac651e0dc4b70ea

    • SSDEEP

      12288:QF6onxOp8FySpE5zvIdtU+YmefOaJMWf1h27bNlGJ8:Gwp8DozAdO9Oa/f1h2PGK

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks