General

  • Target

    JaffaCakes118_e16a91a44c53b6910928c112179d4298

  • Size

    824KB

  • Sample

    250429-wrfpaawm19

  • MD5

    e16a91a44c53b6910928c112179d4298

  • SHA1

    1ea3f82f655090230b49808d555bf9a4168bdff7

  • SHA256

    8ca08a779bd20e55136bdb46d4791d0d5ada02d473fbe005a31b1aba3a021f3b

  • SHA512

    75b77b8adb832b46cf6f2d1d881babe13b102de9671e16d541750466f885b717ed8b7cfaf51a2bc96ec89aad69c1a23898387b71d12098705ee3032a96658585

  • SSDEEP

    12288:XpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsG6E1x:XpUNr6YkVRFkgbeqeo68FhqX1x

Malware Config

Targets

    • Target

      JaffaCakes118_e16a91a44c53b6910928c112179d4298

    • Size

      824KB

    • MD5

      e16a91a44c53b6910928c112179d4298

    • SHA1

      1ea3f82f655090230b49808d555bf9a4168bdff7

    • SHA256

      8ca08a779bd20e55136bdb46d4791d0d5ada02d473fbe005a31b1aba3a021f3b

    • SHA512

      75b77b8adb832b46cf6f2d1d881babe13b102de9671e16d541750466f885b717ed8b7cfaf51a2bc96ec89aad69c1a23898387b71d12098705ee3032a96658585

    • SSDEEP

      12288:XpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsG6E1x:XpUNr6YkVRFkgbeqeo68FhqX1x

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks