General

  • Target

    JaffaCakes118_eb3f578f72df6a4234e5e4f55050c66c

  • Size

    644KB

  • Sample

    250504-nvgrravlw3

  • MD5

    eb3f578f72df6a4234e5e4f55050c66c

  • SHA1

    2e0df68ba7ac215c6ccae2af569d22c24604c50d

  • SHA256

    1aab93c231ce9fc4727da3e7397f9ca5faa287a0d46b733d508f5a12ea11ddfa

  • SHA512

    c9cc3dfbba9dd1a2749e861d356af3b5247322e786f4f478797489e527569f68c42d0b4050aa531092e92d5e905ea28d4f7bbf21f915d0862ae405dd22775cd5

  • SSDEEP

    12288:T6onxOp8FySpE5zvIdtU+YmefT9/mqOplf2AQNWxgqFjj:pwp8DozAdO98fplf2MJ

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks