General

  • Target

    JaffaCakes118_e3d58ef268559a0659453440d437c915

  • Size

    1016KB

  • Sample

    250503-mmn1es1tgt

  • MD5

    e3d58ef268559a0659453440d437c915

  • SHA1

    d939a4be450b1f3f0cf01063a09fa4be19e5b9a5

  • SHA256

    8169b543d5eaadd434642a60da4ac0a1322c73865867afb583b2ca01aa2b7ec8

  • SHA512

    36a36d878c9b71ee903fb8a6cb42ea8b3985daf5bb6802f14b44a94a78d2bc9930a4a4c00bbd84a0b24f5b4497b4602a2da1b98d336cf9e686733c51d8fb6bec

  • SSDEEP

    6144:EIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUgSef:EIXsgtvm1De5YlOx6lzBH46UMf

Malware Config

Targets

    • Target

      JaffaCakes118_e3d58ef268559a0659453440d437c915

    • Size

      1016KB

    • MD5

      e3d58ef268559a0659453440d437c915

    • SHA1

      d939a4be450b1f3f0cf01063a09fa4be19e5b9a5

    • SHA256

      8169b543d5eaadd434642a60da4ac0a1322c73865867afb583b2ca01aa2b7ec8

    • SHA512

      36a36d878c9b71ee903fb8a6cb42ea8b3985daf5bb6802f14b44a94a78d2bc9930a4a4c00bbd84a0b24f5b4497b4602a2da1b98d336cf9e686733c51d8fb6bec

    • SSDEEP

      6144:EIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUgSef:EIXsgtvm1De5YlOx6lzBH46UMf

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks