General

  • Target

    JaffaCakes118_e51bd5a5e61605ab26ccddc420bace46

  • Size

    540KB

  • Sample

    250503-r8fndsvtdx

  • MD5

    e51bd5a5e61605ab26ccddc420bace46

  • SHA1

    f8a273ebf38091094ac2d453b3b5440f97b209ce

  • SHA256

    325130abfb55b5d44cbecd6c708298627c5e89398492ee54c0ddbb942fd01bcd

  • SHA512

    e7ee4b210b786935686539f566b1da00af73a041ddfd08eba7166336d9f27b434660e57f3a0e9e23ebcca6d1e4e0f21d7cb81c06bc44e32444464433df21f64a

  • SSDEEP

    12288:epUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqso:epUNr6YkVRFkgbeqeo68Fhq

Targets

    • Target

      JaffaCakes118_e51bd5a5e61605ab26ccddc420bace46

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16