General

  • Target

    JaffaCakes118_e3bf592451146cacc44ce4b3288e7ed6

  • Size

    964KB

  • Sample

    250503-ma3m2sgp6w

  • MD5

    e3bf592451146cacc44ce4b3288e7ed6

  • SHA1

    70e5c489ac437b80953f1a4095b89e845ccc24a6

  • SHA256

    ec3581c4cfad9aef9754dbf3e30156d6b557b3eadacbd8ba40b70db129396470

  • SHA512

    3b628dab009747de2db49212f337cd775b747946c0928d2e304cda9c0a55a51d18a62027e966d4205aa13671a5aaf30c8db70cc0b51e3de4fcf60efee50719f9

  • SSDEEP

    12288:VYBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3:VY2w+tOwuMCeEOPp83

Malware Config

Targets

    • Target

      JaffaCakes118_e3bf592451146cacc44ce4b3288e7ed6

    • Size

      964KB

    • MD5

      e3bf592451146cacc44ce4b3288e7ed6

    • SHA1

      70e5c489ac437b80953f1a4095b89e845ccc24a6

    • SHA256

      ec3581c4cfad9aef9754dbf3e30156d6b557b3eadacbd8ba40b70db129396470

    • SHA512

      3b628dab009747de2db49212f337cd775b747946c0928d2e304cda9c0a55a51d18a62027e966d4205aa13671a5aaf30c8db70cc0b51e3de4fcf60efee50719f9

    • SSDEEP

      12288:VYBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3:VY2w+tOwuMCeEOPp83

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks