General

  • Target

    JaffaCakes118_ed37c32989ab16892d267598c52c12ac

  • Size

    600KB

  • Sample

    250504-v5brtazpx2

  • MD5

    ed37c32989ab16892d267598c52c12ac

  • SHA1

    3be5e6fe464b641db299b3cfab93c55b4ddaace6

  • SHA256

    b2f2aa2052972bad02f45afe284b360f777fa20ecae5c4843f9d5a4cbecac9b4

  • SHA512

    97b3e7126e791e0f8b9eaab61d0c98c0bfeecce78de21452431979a1925b5661d549ddc517678d58edf4499882d6b37269ec8c8c39a2b7e9a44cf8e2d900be17

  • SSDEEP

    6144:9j6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrion:F6onxOp8FySpE5zvIdtU+Ymef

Malware Config

Targets

    • Target

      JaffaCakes118_ed37c32989ab16892d267598c52c12ac

    • Size

      600KB

    • MD5

      ed37c32989ab16892d267598c52c12ac

    • SHA1

      3be5e6fe464b641db299b3cfab93c55b4ddaace6

    • SHA256

      b2f2aa2052972bad02f45afe284b360f777fa20ecae5c4843f9d5a4cbecac9b4

    • SHA512

      97b3e7126e791e0f8b9eaab61d0c98c0bfeecce78de21452431979a1925b5661d549ddc517678d58edf4499882d6b37269ec8c8c39a2b7e9a44cf8e2d900be17

    • SSDEEP

      6144:9j6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrion:F6onxOp8FySpE5zvIdtU+Ymef

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks