General

  • Target

    JaffaCakes118_eaf1a52fc96dcb5fccf466c465549382

  • Size

    556KB

  • Sample

    250504-mtardabn4t

  • MD5

    eaf1a52fc96dcb5fccf466c465549382

  • SHA1

    9f9400463c02833e0d7b3c371b969690c469e57f

  • SHA256

    4a5dc0a8527388a5a96838556e49988c8e40a511e2f8ac3b19fd7db7fecfc92c

  • SHA512

    e5141958cc81002d7fa1fd55e20a9f94107068b3278d574b5c70685ed83bf02363372affd6b609acf77cd894e2258fccfc6ad95c208e3f4a7440c28a9e3afe51

  • SSDEEP

    6144:Yxj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionr:Y6onxOp8FySpE5zvIdtU+Ymef

Malware Config

Targets

    • Target

      JaffaCakes118_eaf1a52fc96dcb5fccf466c465549382

    • Size

      556KB

    • MD5

      eaf1a52fc96dcb5fccf466c465549382

    • SHA1

      9f9400463c02833e0d7b3c371b969690c469e57f

    • SHA256

      4a5dc0a8527388a5a96838556e49988c8e40a511e2f8ac3b19fd7db7fecfc92c

    • SHA512

      e5141958cc81002d7fa1fd55e20a9f94107068b3278d574b5c70685ed83bf02363372affd6b609acf77cd894e2258fccfc6ad95c208e3f4a7440c28a9e3afe51

    • SSDEEP

      6144:Yxj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionr:Y6onxOp8FySpE5zvIdtU+Ymef

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks