General

  • Target

    JaffaCakes118_ea9fc811b91973a13c63b190d002ebbd

  • Size

    476KB

  • Sample

    250504-lsgmvsak7w

  • MD5

    ea9fc811b91973a13c63b190d002ebbd

  • SHA1

    aae8d78523d0d0f3cd158b8de8f6126bc1cdc1da

  • SHA256

    3dc60726d80012ff95948766de4616818e54734adb2651b22880344ebed20fcc

  • SHA512

    dc3b69a0e1572ea03fedbaf4634fd897be94d1be639d8a6cf46e6510f96873c83809c2be8135fd9290df5f107f5debac714de9a6f28f185efec77f51b40a5ade

  • SSDEEP

    12288:tpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsT6:tpUNr6YkVRFkgbeqeo68FhqW6

Malware Config

Targets

    • Target

      JaffaCakes118_ea9fc811b91973a13c63b190d002ebbd

    • Size

      476KB

    • MD5

      ea9fc811b91973a13c63b190d002ebbd

    • SHA1

      aae8d78523d0d0f3cd158b8de8f6126bc1cdc1da

    • SHA256

      3dc60726d80012ff95948766de4616818e54734adb2651b22880344ebed20fcc

    • SHA512

      dc3b69a0e1572ea03fedbaf4634fd897be94d1be639d8a6cf46e6510f96873c83809c2be8135fd9290df5f107f5debac714de9a6f28f185efec77f51b40a5ade

    • SSDEEP

      12288:tpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsT6:tpUNr6YkVRFkgbeqeo68FhqW6

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks