General

  • Target

    JaffaCakes118_ea7c5ce8c09facd3b6bb5a1e4c397dd7

  • Size

    548KB

  • Sample

    250504-lbkceshq2x

  • MD5

    ea7c5ce8c09facd3b6bb5a1e4c397dd7

  • SHA1

    1063e786b45329749388c968a52a3b4670e59d2e

  • SHA256

    f104542973c41a24667ab59496442ad3a5cb7c0c7f6b895089cf43d6f4fe83fb

  • SHA512

    b24f9aeab0e4e2833c3767e953ea2c16d0afd67db00d4a6881424918bef11e4da979511fa18061ff8f43b03537a350995be64eb9251e86da13616872fdfcd03e

  • SSDEEP

    12288:J6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgWgho+5:qvdezCByqTtlMQsFuqzRbzI7IVQ5

Malware Config

Targets

    • Target

      JaffaCakes118_ea7c5ce8c09facd3b6bb5a1e4c397dd7

    • Size

      548KB

    • MD5

      ea7c5ce8c09facd3b6bb5a1e4c397dd7

    • SHA1

      1063e786b45329749388c968a52a3b4670e59d2e

    • SHA256

      f104542973c41a24667ab59496442ad3a5cb7c0c7f6b895089cf43d6f4fe83fb

    • SHA512

      b24f9aeab0e4e2833c3767e953ea2c16d0afd67db00d4a6881424918bef11e4da979511fa18061ff8f43b03537a350995be64eb9251e86da13616872fdfcd03e

    • SSDEEP

      12288:J6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgWgho+5:qvdezCByqTtlMQsFuqzRbzI7IVQ5

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks