General

  • Target

    JaffaCakes118_e7cfcbe3ab8d4bce4c314153287152c7

  • Size

    532KB

  • Sample

    250504-ad9vbaszb1

  • MD5

    e7cfcbe3ab8d4bce4c314153287152c7

  • SHA1

    4a4e09ba4afdc33484e6dfb0c495c979740b3b26

  • SHA256

    4579fb72623b0b912926a83c720918ec4ec1ad8a14a1aadc02b5bef3fb138f15

  • SHA512

    2df17dda0a08fe5085c8f407ccc2f470f4c9516de756a79332352833240fc8958aaf606f880224096136d955d6748a627daeea1aba8eb70d821cb214946df30c

  • SSDEEP

    12288:qgkDxdkL+6JNgKVcRa+fpHyWs3OBH4pUytLpm1tT0:0xsKXa+hHyWseBgVtLpwR0

Malware Config

Targets

    • Target

      JaffaCakes118_e7cfcbe3ab8d4bce4c314153287152c7

    • Size

      532KB

    • MD5

      e7cfcbe3ab8d4bce4c314153287152c7

    • SHA1

      4a4e09ba4afdc33484e6dfb0c495c979740b3b26

    • SHA256

      4579fb72623b0b912926a83c720918ec4ec1ad8a14a1aadc02b5bef3fb138f15

    • SHA512

      2df17dda0a08fe5085c8f407ccc2f470f4c9516de756a79332352833240fc8958aaf606f880224096136d955d6748a627daeea1aba8eb70d821cb214946df30c

    • SSDEEP

      12288:qgkDxdkL+6JNgKVcRa+fpHyWs3OBH4pUytLpm1tT0:0xsKXa+hHyWseBgVtLpwR0

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks