General

  • Target

    JaffaCakes118_ed5ea3c5eb7f0ef36437b56df69bf07c

  • Size

    564KB

  • Sample

    250504-wnrmdacj5z

  • MD5

    ed5ea3c5eb7f0ef36437b56df69bf07c

  • SHA1

    dd2c4f523df874708dc6d15267280f205a0c36ed

  • SHA256

    83b1509fa21ce9a2c1e6d68b5d256f6bd1242809a7cec25c81b702aebbd85343

  • SHA512

    c89a82082848c8d246d22f59ba7daae3e51fb13b9cefc745022938f87eb3ab4f7e45907a6ef8f3cb48c0773ba757937871ebd2da52dc4c973c1493098993ae66

  • SSDEEP

    12288:2pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsD:2pUNr6YkVRFkgbeqeo68Fhqy

Malware Config

Targets

    • Target

      JaffaCakes118_ed5ea3c5eb7f0ef36437b56df69bf07c

    • Size

      564KB

    • MD5

      ed5ea3c5eb7f0ef36437b56df69bf07c

    • SHA1

      dd2c4f523df874708dc6d15267280f205a0c36ed

    • SHA256

      83b1509fa21ce9a2c1e6d68b5d256f6bd1242809a7cec25c81b702aebbd85343

    • SHA512

      c89a82082848c8d246d22f59ba7daae3e51fb13b9cefc745022938f87eb3ab4f7e45907a6ef8f3cb48c0773ba757937871ebd2da52dc4c973c1493098993ae66

    • SSDEEP

      12288:2pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsD:2pUNr6YkVRFkgbeqeo68Fhqy

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks