General

  • Target

    JaffaCakes118_eaa6ce147036f1bf791d4ba6b28a825b

  • Size

    556KB

  • Sample

    250504-lv7l3aal6s

  • MD5

    eaa6ce147036f1bf791d4ba6b28a825b

  • SHA1

    82b1590ef084ffdfa517ef53503c1cb1f9cd6d66

  • SHA256

    399d126766aee48deab0db3c6c69e76b9aa7b14107f677a5db1baba67594a772

  • SHA512

    fca9c127bcb1784589d7ec0a1acedd51f6dfb2e63ba8f9ed1623b7ded3deda2d5512953004b4d0c777d3105746c5f8f07441e13866341f4379bcb70f9ece90cc

  • SSDEEP

    6144:Ij6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionr:66onxOp8FySpE5zvIdtU+Ymef

Malware Config

Targets

    • Target

      JaffaCakes118_eaa6ce147036f1bf791d4ba6b28a825b

    • Size

      556KB

    • MD5

      eaa6ce147036f1bf791d4ba6b28a825b

    • SHA1

      82b1590ef084ffdfa517ef53503c1cb1f9cd6d66

    • SHA256

      399d126766aee48deab0db3c6c69e76b9aa7b14107f677a5db1baba67594a772

    • SHA512

      fca9c127bcb1784589d7ec0a1acedd51f6dfb2e63ba8f9ed1623b7ded3deda2d5512953004b4d0c777d3105746c5f8f07441e13866341f4379bcb70f9ece90cc

    • SSDEEP

      6144:Ij6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionr:66onxOp8FySpE5zvIdtU+Ymef

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks