General

  • Target

    JaffaCakes118_ee36e90d8e393f8086a9171a7e30165e

  • Size

    556KB

  • Sample

    250504-zhbkrafr8t

  • MD5

    ee36e90d8e393f8086a9171a7e30165e

  • SHA1

    73301965653e4a2ed5f4edbb14d3525ea48e135b

  • SHA256

    1852129afabca4e982b2fc0e0a90a8ef08ed5ce4cde370a7ccdb2a3b89e4ba3f

  • SHA512

    06895c4ec0af0263af75768eca3799ca247d04b8b6c2ba7a29a8fd7d1ea8b8e33c3b7346d920e6ec987f2d257f14e972bba4aac0dae32698f824d6f1a7349bda

  • SSDEEP

    12288:A6onxOp8FySpE5zvIdtU+YmefaX+pd167QhEXfG:Uwp8DozAdO9aE6EhcG

Malware Config

Targets

    • Target

      JaffaCakes118_ee36e90d8e393f8086a9171a7e30165e

    • Size

      556KB

    • MD5

      ee36e90d8e393f8086a9171a7e30165e

    • SHA1

      73301965653e4a2ed5f4edbb14d3525ea48e135b

    • SHA256

      1852129afabca4e982b2fc0e0a90a8ef08ed5ce4cde370a7ccdb2a3b89e4ba3f

    • SHA512

      06895c4ec0af0263af75768eca3799ca247d04b8b6c2ba7a29a8fd7d1ea8b8e33c3b7346d920e6ec987f2d257f14e972bba4aac0dae32698f824d6f1a7349bda

    • SSDEEP

      12288:A6onxOp8FySpE5zvIdtU+YmefaX+pd167QhEXfG:Uwp8DozAdO9aE6EhcG

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks