General

  • Target

    JaffaCakes118_ebc900f9aa32c82e765df6f790748878

  • Size

    488KB

  • Sample

    250504-qkmlcsek3v

  • MD5

    ebc900f9aa32c82e765df6f790748878

  • SHA1

    61d63af7f00abd6055ee22d6b2f241d8a666507f

  • SHA256

    06c47f1c4b67b3964528f5998d30e4be60de4ad48a547efc50f481c074013502

  • SHA512

    e39e1a21d55b6f5c0b21724f0fbe01a21c6ed42ceef5c941ed91bf7a073be99e3c0c83c7421ca537e332a6d7752749eade2489cc90b8bd4787bd43556f8617d8

  • SSDEEP

    12288:0t6onxOp8FySpE5zvIdtU+YmefaRfMMMMM2MMMMMk:0Twp8DozAdO9aRfMMMMM2MMMMMk

Malware Config

Targets

    • Target

      JaffaCakes118_ebc900f9aa32c82e765df6f790748878

    • Size

      488KB

    • MD5

      ebc900f9aa32c82e765df6f790748878

    • SHA1

      61d63af7f00abd6055ee22d6b2f241d8a666507f

    • SHA256

      06c47f1c4b67b3964528f5998d30e4be60de4ad48a547efc50f481c074013502

    • SHA512

      e39e1a21d55b6f5c0b21724f0fbe01a21c6ed42ceef5c941ed91bf7a073be99e3c0c83c7421ca537e332a6d7752749eade2489cc90b8bd4787bd43556f8617d8

    • SSDEEP

      12288:0t6onxOp8FySpE5zvIdtU+YmefaRfMMMMM2MMMMMk:0Twp8DozAdO9aRfMMMMM2MMMMMk

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks