General

  • Target

    JaffaCakes118_df3ba21999764a84d78789854a6b04d5

  • Size

    576KB

  • Sample

    250428-rpqdgsytdt

  • MD5

    df3ba21999764a84d78789854a6b04d5

  • SHA1

    42cba299d2e82b75c50cd24aa5fb73862f892cc4

  • SHA256

    4c9d5484415359fa6a9dd1a43d9a1250ff9f4fe038329486fb44d35d4a568aa8

  • SHA512

    75a5cd41ec5befd038b23f7deaca3629430ad3e80677b2bd278e08073a203fa867b3d862d4680e64d5f1844428c4a4d97b7c921ee27137ddbabb6d79f1b508a3

  • SSDEEP

    6144:LIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUFdbjMMqc:LIXsgtvm1De5YlOx6lzBH46U73MMq

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA (domain generation algorithm) for its C2 domains, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks