General

  • Target

    JaffaCakes118_e61841993fbade2b0d887c5835440023

  • Size

    504KB

  • Sample

    250503-ww1v1szpt3

  • MD5

    e61841993fbade2b0d887c5835440023

  • SHA1

    b9e27e475c006851666a8ec2d6497709b0e6255a

  • SHA256

    2351b8bfefd6579c2d21b9eedf8c50140c71d3a05e07933523d6812922af60fc

  • SHA512

    a77417d5abb49cff89db54e68dcd77e815412bb704752b5872bc8032a6ce6e1a523e4f51c8b2fa7413d0e9363c91db0eabeb6635ae51a9d01040204dabd104a3

  • SSDEEP

    6144:bj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionThsK:f6onxOp8FySpE5zvIdtU+YmefZsK

Malware Config

Targets

    • Target

      JaffaCakes118_e61841993fbade2b0d887c5835440023

    • Size

      504KB

    • MD5

      e61841993fbade2b0d887c5835440023

    • SHA1

      b9e27e475c006851666a8ec2d6497709b0e6255a

    • SHA256

      2351b8bfefd6579c2d21b9eedf8c50140c71d3a05e07933523d6812922af60fc

    • SHA512

      a77417d5abb49cff89db54e68dcd77e815412bb704752b5872bc8032a6ce6e1a523e4f51c8b2fa7413d0e9363c91db0eabeb6635ae51a9d01040204dabd104a3

    • SSDEEP

      6144:bj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionThsK:f6onxOp8FySpE5zvIdtU+YmefZsK

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks