General

  • Target

    JaffaCakes118_e3ab86d818924c7d27fc9a69ca9d2db6

  • Size

    560KB

  • Sample

    250502-1dpr9avvey

  • MD5

    e3ab86d818924c7d27fc9a69ca9d2db6

  • SHA1

    530d79d6c88438b81746a04a942448006d28fe17

  • SHA256

    c8f9bc894399352c68914314189d1e5a95f790dfd03f3af885fa17e6750cd251

  • SHA512

    54dbce4390cc6c003537f3156a0ba2c641247da511351fb233f022f0278b558e62954e03dd931c9c43b84b4d715c959c57a79eac314bb024302aa26a22b861d1

  • SSDEEP

    6144:/IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmQj:/IXsgtvm1De5YlOx6lzBH46U

Malware Config

Targets

    • Target

      JaffaCakes118_e3ab86d818924c7d27fc9a69ca9d2db6

    • Size

      560KB

    • MD5

      e3ab86d818924c7d27fc9a69ca9d2db6

    • SHA1

      530d79d6c88438b81746a04a942448006d28fe17

    • SHA256

      c8f9bc894399352c68914314189d1e5a95f790dfd03f3af885fa17e6750cd251

    • SHA512

      54dbce4390cc6c003537f3156a0ba2c641247da511351fb233f022f0278b558e62954e03dd931c9c43b84b4d715c959c57a79eac314bb024302aa26a22b861d1

    • SSDEEP

      6144:/IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmQj:/IXsgtvm1De5YlOx6lzBH46U

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks