General

  • Target

    JaffaCakes118_eb2272414532effe7c85804939522d72

  • Size

    492KB

  • Sample

    250504-nfbl7acl4t

  • MD5

    eb2272414532effe7c85804939522d72

  • SHA1

    b0c3d2c385e7cbd86476ce7a56551758c50500d9

  • SHA256

    99f7570efa743f6bcbf307032eed35995affb8619e4e163fab6a8223f4a838a9

  • SHA512

    496bc100c2e2adafcff8bc49038e087176d46ac05d65b89e7a7420114ce73e8006afac33f1a7783ae9b55382ed6d72d2993bd6062d1af68abe79c988df3e934a

  • SSDEEP

    12288:G6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgU:fvdezCByqTtlMQsFuqzRbzI7IR

Malware Config

Targets

    • Target

      JaffaCakes118_eb2272414532effe7c85804939522d72

    • Size

      492KB

    • MD5

      eb2272414532effe7c85804939522d72

    • SHA1

      b0c3d2c385e7cbd86476ce7a56551758c50500d9

    • SHA256

      99f7570efa743f6bcbf307032eed35995affb8619e4e163fab6a8223f4a838a9

    • SHA512

      496bc100c2e2adafcff8bc49038e087176d46ac05d65b89e7a7420114ce73e8006afac33f1a7783ae9b55382ed6d72d2993bd6062d1af68abe79c988df3e934a

    • SSDEEP

      12288:G6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgU:fvdezCByqTtlMQsFuqzRbzI7IR

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks