General

  • Target

    JaffaCakes118_e81e9661ae6ef2c2cc1bf1162dff385c

  • Size

    564KB

  • Sample

    250504-bfqpwshj5x

  • MD5

    e81e9661ae6ef2c2cc1bf1162dff385c

  • SHA1

    261afeaded4c77690800f2f4c7c1ceddd6e70f2a

  • SHA256

    9aaddf55f0c6dd8cd2452ce564f7f373037c71d204a77c1230f16039f26ffbfd

  • SHA512

    5f696f3278c4a05528e8f3088c1d62063ed4b41db41b4a25267bf9c6a6ae75cf659bac8645416b2d5c8ad181a4c284a0ad2c50e079080904b2e258cbc045f951

  • SSDEEP

    6144:0KEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8:0Kr3QboC9qLGKgZKe4HYpHvcbT

Malware Config

Targets

    • Target

      JaffaCakes118_e81e9661ae6ef2c2cc1bf1162dff385c

    • Size

      564KB

    • MD5

      e81e9661ae6ef2c2cc1bf1162dff385c

    • SHA1

      261afeaded4c77690800f2f4c7c1ceddd6e70f2a

    • SHA256

      9aaddf55f0c6dd8cd2452ce564f7f373037c71d204a77c1230f16039f26ffbfd

    • SHA512

      5f696f3278c4a05528e8f3088c1d62063ed4b41db41b4a25267bf9c6a6ae75cf659bac8645416b2d5c8ad181a4c284a0ad2c50e079080904b2e258cbc045f951

    • SSDEEP

      6144:0KEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8:0Kr3QboC9qLGKgZKe4HYpHvcbT

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks