General

  • Target

    JaffaCakes118_e3b62cf5c8b5ac5851b57f57a540ebe6

  • Size

    556KB

  • Sample

    250502-1jlmsahr7y

  • MD5

    e3b62cf5c8b5ac5851b57f57a540ebe6

  • SHA1

    39f383139a1adf8daeb451f9a5e2346325a600ea

  • SHA256

    578d921dbd8c8f42b55f7b87d4111524ceb0b0677217dfbeb726229864067547

  • SHA512

    4372cc57d182d18963d487b8be6700001745192f63d25299c0ac7896ea0669acb31d332719613e1b0a4a0607e9aaee05c9d8c4de238abc95d7e3f39ec985ed1f

  • SSDEEP

    6144:qj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionRLd:46onxOp8FySpE5zvIdtU+YmefVd

Malware Config

Targets

    • Target

      JaffaCakes118_e3b62cf5c8b5ac5851b57f57a540ebe6

    • Size

      556KB

    • MD5

      e3b62cf5c8b5ac5851b57f57a540ebe6

    • SHA1

      39f383139a1adf8daeb451f9a5e2346325a600ea

    • SHA256

      578d921dbd8c8f42b55f7b87d4111524ceb0b0677217dfbeb726229864067547

    • SHA512

      4372cc57d182d18963d487b8be6700001745192f63d25299c0ac7896ea0669acb31d332719613e1b0a4a0607e9aaee05c9d8c4de238abc95d7e3f39ec985ed1f

    • SSDEEP

      6144:qj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionRLd:46onxOp8FySpE5zvIdtU+YmefVd

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks