General

  • Target

    JaffaCakes118_ee0ae575812031147373353780150727

  • Size

    576KB

  • Sample

    250504-yxwc2a1scw

  • MD5

    ee0ae575812031147373353780150727

  • SHA1

    ba82219b9e01494f7111f9fb2f82f9546dc33823

  • SHA256

    3a45790dfb038ba5c5cc1d5e05bbee66cf6103dcafac1ac523a57cd82becd561

  • SHA512

    bc1c6d064012e57f6ac2db657693b1c26637d13733c792399561c9235f7a723b3ff8a799dfa6a6f09875b62fc576c6f3262fe2cbb0792396b9952ab5dcd0b784

  • SSDEEP

    6144:Jto07dgp0+5+ylPtRIQdS6VjKQ8tQYtagbr4rPYyUQTB2I/51pftDKHpDbU69SWB:Xo07g+aP5KR5EJUQTB2OfDKC7WcczEE

Malware Config

Targets

    • Target

      JaffaCakes118_ee0ae575812031147373353780150727

    • Size

      576KB

    • MD5

      ee0ae575812031147373353780150727

    • SHA1

      ba82219b9e01494f7111f9fb2f82f9546dc33823

    • SHA256

      3a45790dfb038ba5c5cc1d5e05bbee66cf6103dcafac1ac523a57cd82becd561

    • SHA512

      bc1c6d064012e57f6ac2db657693b1c26637d13733c792399561c9235f7a723b3ff8a799dfa6a6f09875b62fc576c6f3262fe2cbb0792396b9952ab5dcd0b784

    • SSDEEP

      6144:Jto07dgp0+5+ylPtRIQdS6VjKQ8tQYtagbr4rPYyUQTB2I/51pftDKHpDbU69SWB:Xo07g+aP5KR5EJUQTB2OfDKC7WcczEE

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks