General

  • Target

    JaffaCakes118_eb30f815afc3b5e286fb21baab66e0d0

  • Size

    600KB

  • Sample

    250504-nm23qacn4v

  • MD5

    eb30f815afc3b5e286fb21baab66e0d0

  • SHA1

    7c081eb7e307a0a90a5634ce5dad362e5061c21b

  • SHA256

    837d2a0d6a21e78229a45274c0a076a6cf99c83535ca9bb13b6a57e1b8332150

  • SHA512

    7430e0fa2fc2d2c58f852109f37b589c380711099f7d8b4aea7d48cd9c690d4ec0b673a340ea4d49c3d861ed272b0679202a4bd88b7a124b04a4aaa5ca9e9176

  • SSDEEP

    12288:l6onxOp8FySpE5zvIdtU+YmefaRfMMMMM2MMMMM:Lwp8DozAdO9aRfMMMMM2MMMMM

Malware Config

Targets

    • Target

      JaffaCakes118_eb30f815afc3b5e286fb21baab66e0d0

    • Size

      600KB

    • MD5

      eb30f815afc3b5e286fb21baab66e0d0

    • SHA1

      7c081eb7e307a0a90a5634ce5dad362e5061c21b

    • SHA256

      837d2a0d6a21e78229a45274c0a076a6cf99c83535ca9bb13b6a57e1b8332150

    • SHA512

      7430e0fa2fc2d2c58f852109f37b589c380711099f7d8b4aea7d48cd9c690d4ec0b673a340ea4d49c3d861ed272b0679202a4bd88b7a124b04a4aaa5ca9e9176

    • SSDEEP

      12288:l6onxOp8FySpE5zvIdtU+YmefaRfMMMMM2MMMMM:Lwp8DozAdO9aRfMMMMM2MMMMM

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks