SOCcare March 2026 updates

Malpeek: PYKSPA – A “Little Gift” from the photo shop

Author: Vytenis Misevičius, Head of Cyber Threat Prevention Unit at CyberSOC

PYKSPA is a “little gift” from the kind of place where we bring our photos in digital form to have them printed. They may print the photos, but what else might we bring home with them? That is what this article is about.

I got my hands on a USB drive that was infected at one of these public photo printing places. Usually, they have a work computer that dozens or even hundreds of USB drives are plugged into every day. In many cases, these computers are quite old and not necessarily secure; otherwise, this article wouldn’t exist, so let’s get to the point.

By the way, this “little gift” is already quite old, but it’s still interesting and serves as a reminder that we need to be more careful with USB drives.

🔎 First look: “nothing here is what it seems”

After creating an image of the USB drive, I loaded it into Autopsy and began analyzing it. I didn’t have to look far. I found five suspicious files:

  • autorun.inf
  • Three .bat files with seemingly randomly generated names (agsepqhqvi.bat, saocpslwdsuq.bat, scsixcxktkomru.bat)
  • Data Sources.exe

The first thing that caught my eye was that all three .bat files had the same hash values. This means it was the same file, just renamed three times. Why? It seems that autorun.inf was configured to use several different Windows environment scripts, and regardless of what you did with the USB drive, one of them would run the malicious file.

One more detail: those .bat files were not batch scripts at all but Windows PE executables (MIME type application/x-msdownload) carrying a .bat extension.
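Both observations above (identical hashes under different names, and executables hiding behind a script extension) can be checked mechanically on any mounted image. The script below is an added example, not part of the original analysis, and its sample files are constructed stand-ins rather than the real USB contents (the autorun.inf text in particular is invented): it hashes every file to group byte-identical copies and sniffs each file's leading bytes so that a PE executable named .bat is reported as a mismatch.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed stand-in for the mounted USB image (not the real files). The three .bat
# files are byte-identical and start with the "MZ" header of a Windows PE executable,
# i.e. a program masquerading as a batch script. The autorun.inf text is invented.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 200
SAMPLE_FILES = {
    "autorun.inf":        b"[autorun]\r\nopen=agsepqhqvi.bat\r\n",
    "agsepqhqvi.bat":     FAKE_PE,
    "saocpslwdsuq.bat":   FAKE_PE,
    "scsixcxktkomru.bat": FAKE_PE,
    "Data Sources.exe":   FAKE_PE + b"\x01",   # a PE where the extension promises a PE
    "DSC_0412.jpg":       b"\xff\xd8\xff\xe0" + b"\x00" * 64,
}

# Leading-byte signatures, checked in order.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04",   "application/zip"),
    (b"MZ",           "application/x-msdownload"),
]
# What each extension promises. Batch scripts and .inf files must be plain text.
EXPECTED = {
    ".bat": "text/plain", ".cmd": "text/plain", ".inf": "text/plain", ".txt": "text/plain",
    ".exe": "application/x-msdownload", ".dll": "application/x-msdownload",
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".zip": "application/zip",
}

def sniff(data):
    """Classify a file by its content, never by its name."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    try:
        data.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

def scan(root):
    """Walk a mounted image; report extension/content mismatches and renamed copies."""
    by_hash = defaultdict(list)
    mismatches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            by_hash[hashlib.sha256(data).hexdigest()].append(name)
            expected = EXPECTED.get(os.path.splitext(name)[1].lower())
            actual = sniff(data)
            if expected is not None and actual != expected:
                mismatches.append((name, expected, actual))
    duplicates = {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}
    return {"mismatches": sorted(mismatches), "duplicates": duplicates}

def demo():
    """Write the constructed sample to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan(tmp)

if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Point `scan()` at the mount point of a read-only image instead of the temporary directory to use it for real; the two signals together (three mismatches that are also one duplicate group) are exactly what the manual Autopsy review found.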

🕰️ Fake timestamps, or timestomping

While looking at the timestamps on the files, I noticed something strange.

The creation time on all files was 15:52:xx, regardless of the year or month, even on files supposedly created on different days in different years. Modification timestamps were exactly 1 month and 2 days after creation; access timestamps were exactly 1 month and 3 days after modification.

This is no coincidence. It’s an algorithm.

This is called timestomping, an anti-forensic technique in which an attacker overwrites file timestamps with artificially generated dates to mislead investigators. The tool used here evidently had a “creative” random date generator but did not randomise the time of day, so every file, supposedly created in different years, months or days, carries 15:52 as its creation time. Two checks are worth adding when you meet this pattern: on an NTFS volume, compare the $STANDARD_INFORMATION timestamps (which common timestomping tools overwrite) with the $FILE_NAME timestamps (which they usually leave alone); on a FAT volume, the usual format for USB sticks, there is only the directory entry, so this kind of pattern analysis and cross-referencing with known usage is the main tool.

Furthermore, cross-referencing the dates with what is known about when the USB drive was actually in use shows that all the 2009 dates are fabricated. The actual infection date of the USB drive is September 12, 2018.
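The pattern analysis above can be automated. The following is an added example, not the author's tooling: the directory listing is a constructed sample with the same structure as the one described (name, created, modified, accessed), and the drive's first-use date is an assumed input. It flags a shared creation time-of-day across files with different dates, constant month/day offsets between the three timestamps, and any timestamp that predates the drive's first known use.

```python
import calendar
from collections import Counter
from datetime import datetime

# Constructed directory listing (same shape as the Autopsy view, not the real data):
# name, created, modified, accessed. Five entries carry the 15:52 signature and the
# fixed +1 month 2 days / +1 month 3 days offsets; the photo is a legitimate control.
SAMPLE = [
    ("autorun.inf",        "2009-01-12 15:52:30", "2009-02-14 15:52:30", "2009-03-17 15:52:30"),
    ("agsepqhqvi.bat",     "2009-03-04 15:52:11", "2009-04-06 15:52:11", "2009-05-09 15:52:11"),
    ("Data Sources.exe",   "2009-05-23 15:52:58", "2009-06-25 15:52:58", "2009-07-28 15:52:58"),
    ("saocpslwdsuq.bat",   "2009-07-19 15:52:43", "2009-08-21 15:52:43", "2009-09-24 15:52:43"),
    ("scsixcxktkomru.bat", "2009-11-28 15:52:05", "2009-12-30 15:52:05", "2010-02-02 15:52:05"),
    ("DSC_0412.jpg",       "2018-09-12 10:03:17", "2018-09-12 10:03:17", "2018-09-12 10:03:17"),
]
# Assumed input for the example: the owner knows the drive was first used on this day.
KNOWN_FIRST_USE = datetime(2018, 9, 12)
FMT = "%Y-%m-%d %H:%M:%S"

def add_months(d, n):
    """Shift d by n calendar months, clamping the day to the length of the target month."""
    y = d.year + (d.month - 1 + n) // 12
    m = (d.month - 1 + n) % 12 + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))

def month_day_delta(a, b):
    """Express b - a as (whole months, remaining days), the way an analyst reads '+1 month 2 days'."""
    months = (b.year - a.year) * 12 + (b.month - a.month)
    if add_months(a, months) > b:
        months -= 1
    return months, (b - add_months(a, months)).days

def analyze(rows, known_first_use):
    parsed = [(n, *(datetime.strptime(t, FMT) for t in ts)) for n, *ts in rows]
    report = {"shared_time_of_day": None, "constant_deltas": {}, "suspect_files": [], "impossible_dates": []}

    # 1. The same wall-clock time on files whose dates differ: a date generator that forgot the time.
    hhmm, hits = Counter(c.strftime("%H:%M") for _, c, _, _ in parsed).most_common(1)[0]
    cluster = [r for r in parsed if r[1].strftime("%H:%M") == hhmm]
    if hits >= 3 and len({r[1].date() for r in cluster}) >= 2:
        report["shared_time_of_day"] = hhmm
        report["suspect_files"] = sorted(r[0] for r in cluster)
        # 2. Fixed month/day offsets between created -> modified -> accessed inside the cluster.
        for label, i, j in (("modified-created", 1, 2), ("accessed-modified", 2, 3)):
            deltas = {month_day_delta(r[i], r[j]) for r in cluster}
            if len(deltas) == 1:
                report["constant_deltas"][label] = deltas.pop()

    # 3. Anything dated before the drive's first known use cannot be genuine.
    report["impossible_dates"] = sorted(r[0] for r in parsed if min(r[1:]) < known_first_use)
    return report

if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze(SAMPLE, KNOWN_FIRST_USE))
```

The three signals are deliberately independent: the time-of-day cluster and the constant offsets come from the timestamps alone, while the impossible-date check needs an external fact (when the drive was actually in use), which is the cross-referencing step the article relies on to date the real infection.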

☣️ What was it: 68 out of 70 antivirus programs can’t be wrong

After scanning the .exe on VirusTotal, the result was overwhelmingly red: 68 of 70 engines flagged the file.

The detection names give the following profile: Pykspa (the worm itself, spreading via USB drives and autorun), a Zepfod backdoor, and a Killav component that actively terminates antivirus processes. In short, this is a self-propagating worm with a backdoor.

💣 Any.run sandbox – things got really scary here

After extracting the file from Autopsy, I loaded it into Any.run – a dynamic analysis environment.

In 300 seconds, the virus created 298 new processes.

Here’s what it did, step by step:

  1. It cloned itself almost non-stop

It immediately dropped hajwhnbjdnd.exe into AppData\Local\Temp\, which launched zbmqv.exe, the main Pykspa engine. That, in turn, wrote out a series of further executables with random names:

zrsmhbaqnwzspkayquooa.exe
xnmexpmavcdupiwsikc.exe
mbzqizviciiyskxshi.exe
droevlgslqpexoaui.exe
kbbuohfuqyasoixulohg.exe

All with random names, the same naming technique as the files on my USB drive.

  2. Locked the user out of the Registry Editor

Set the DisableRegistryTools policy value to 1 (the policy lives under Software\Microsoft\Windows\CurrentVersion\Policies\System in HKCU or HKLM).

Regedit was disabled, so the user can no longer check what the malware has changed in the registry. The reg.exe command-line tool and the registry API are not affected by this policy, which is also how an administrator resets it.

  3. Hid itself

Changed the SHOWALL registry setting (the CheckedValue under Explorer\Advanced\Folder\Hidden\SHOWALL, which backs Explorer's “Show hidden files and folders” option), so Windows Explorer no longer displays hidden and system files.

  4. Settled in everywhere it could

Registered itself in four Windows startup locations at once:

  • HKLM\…\Run – runs at logon for every user
  • HKLM\…\RunOnce – runs once at the next logon; the entry is deleted after it runs, so the malware re-registers it
  • HKCU\…\Run – runs at logon for the current user
  • HKCU\…\RunOnce – an extra safeguard

And in each one a different file name. Remove one entry or one copy and the other three will still bring the malware back at the next logon.
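Items 2 to 4 can be checked on a suspect machine from a registry export rather than by clicking through Regedit (which the malware has disabled anyway). The script below is an added example, not from the original analysis: it parses the text format written by `reg export` (real exports are UTF-16LE with a BOM, so decode first), lists Run/RunOnce entries that start from a temp directory or carry random-looking names, and reports the DisableRegistryTools and SHOWALL CheckedValue tampering. The .reg content is constructed to mirror the sandbox report, with two benign entries as controls; the key paths are the standard ones, and the random-name heuristic is a rough hint, not a verdict.

```python
import re

# Constructed `reg export` text (not from the sandbox). Two benign entries plus entries
# shaped like the ones Any.run reported, and the two policy changes described above.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"zbmqv"="C:\\Users\\user\\AppData\\Local\\Temp\\zbmqv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"hajwhnbjdnd"="C:\\Users\\user\\AppData\\Local\\Temp\\hajwhnbjdnd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"droevlgslqpexoaui"="C:\\Users\\user\\AppData\\Local\\Temp\\droevlgslqpexoaui.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mbzqizviciiyskxshi"="C:\\Users\\user\\AppData\\Local\\Temp\\mbzqizviciiyskxshi.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
VOWELS = set("aeiouy")

def parse_reg(text):
    """Minimal .reg parser: {key: {name: value}}. Strings are unescaped, dwords become ints."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, data = m.groups()
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data   # hex:, expand strings etc. kept raw
    return keys

def image_path(command):
    """Executable path from a Run-key command line: the quoted part, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    parts = command.split(None, 1)
    return parts[0] if parts else ""

def looks_random(name):
    """Crude test for generated names: under 25% vowels, or five or more consonants in a row."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 5:
        return False
    ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return ratio < 0.25 or longest >= 5

def triage(reg):
    """Flag startup entries launched from temp folders or with random names, plus policy tampering."""
    findings = {"startup": [], "policy": []}
    for key, values in reg.items():
        if RUN_KEY.search(key):
            for name, command in values.items():
                path = image_path(str(command))
                base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                reasons = []
                if TEMP_DIR.search(path):
                    reasons.append("runs from a temp directory")
                if looks_random(name) or looks_random(base):
                    reasons.append("random-looking name")
                if reasons:
                    findings["startup"].append((key, name, path, tuple(reasons)))
        if key.lower().endswith("\\policies\\system") and values.get("DisableRegistryTools", 0):
            findings["policy"].append(("DisableRegistryTools", values["DisableRegistryTools"]))
        if key.lower().endswith("\\hidden\\showall") and values.get("CheckedValue", 1) != 1:
            findings["policy"].append(("SHOWALL\\CheckedValue", values["CheckedValue"]))
    return findings

def demo():
    return triage(parse_reg(REG_EXPORT))

if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Feed `parse_reg()` the decoded output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the matching HKCU, RunOnce, Policies\System and SHOWALL keys from the machine under investigation; an entry that both lives in a temp folder and has a name like zbmqv deserves a look regardless of how the heuristic is tuned.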

  5. Checked the external IP address three times

GET → http://www.showmyipaddress.com

GET → http://whatismyipaddress.com

GET → http://www.whatismyip.com

A classic Pykspa move: it pairs the external IP address with the computer name (retrieved via the GetComputerNameA API) and reports both to the botnet. Several requests to different IP-lookup services from one host within seconds is also a useful detection trigger, because ordinary users rarely do that.
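The following added example (not part of the original article; the proxy log lines are constructed, and the watchlist of IP-echo services is a non-exhaustive sample that includes the three hosts named above) turns that observation into detection logic: it alerts when a client contacts two or more distinct IP-lookup services within ten minutes, while a person who checks their address twice, two hours apart, stays quiet.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (timestamp, client, method, URL, status), not a real capture.
# 10.0.0.23 behaves like the sample: three IP-echo services within seconds.
# 10.0.0.57 is a person checking their address twice, almost two hours apart.
PROXY_LOG = """\
2018-09-12T09:14:02 10.0.0.23 GET http://www.showmyipaddress.com/ 200
2018-09-12T09:14:03 10.0.0.23 GET http://whatismyipaddress.com/ 200
2018-09-12T09:14:05 10.0.0.23 GET http://www.whatismyip.com/ 200
2018-09-12T09:15:00 10.0.0.88 GET http://www.example.com/ 200
2018-09-12T09:20:41 10.0.0.57 GET http://whatismyipaddress.com/ 200
2018-09-12T11:02:10 10.0.0.57 GET http://www.whatismyip.com/ 200
"""

# Non-exhaustive watchlist of public "what is my IP" services; extend it from your own
# proxy logs. The three named in the sandbox report are included.
IP_ECHO_HOSTS = {
    "showmyipaddress.com", "whatismyipaddress.com", "whatismyip.com",
    "icanhazip.com", "api.ipify.org", "checkip.amazonaws.com", "ipinfo.io",
}

def echo_host(url):
    """Return the bare hostname if the URL points at a watched service, else None."""
    host = (urlparse(url).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host if host in IP_ECHO_HOSTS else None

def detect_ip_echo_bursts(log_text, window=timedelta(minutes=10), min_distinct=2):
    """Alert once per client that touches >= min_distinct echo services inside `window`."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, url, _status = line.split()
        host = echo_host(url)
        if host:
            per_client[client].append((datetime.fromisoformat(ts), host))
    alerts = []
    for client, hits in sorted(per_client.items()):
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Distinct services seen in the window that starts at this hit.
            seen = {h for t, h in hits[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                alerts.append((client, t0.isoformat(), tuple(sorted(seen))))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_ip_echo_bursts(PROXY_LOG):
        print("IP-echo burst:", *alert)
```

Requiring distinct services rather than a raw count is what separates malware that tries several lookups for redundancy from a user reloading one page; lower `min_distinct` to 1 if you would rather review every lookup from servers that should never need one.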

  6. It could take screenshots

YARA rule matches in the sandbox pointed to a screenshot-capture capability, meaning the malware could silently capture what the user sees on the screen.

  7. Connected to many different IP addresses

An interesting detail: among the IP addresses this malware tried to connect to were Lithuanian ones as well.

🟢 Good news (only a little, but we need some of that too)

Most of the C2 infrastructure is long gone; after all, the malware is quite old. Strangely, though, some of the addresses still respond to requests.

The malware is also easily detected by almost all antivirus programs. Of course, this is no guarantee and does not provide 100% protection against such threats.

The conclusion is that some malware really does live a very long time…

The article is part of the SOCcare project, which is co-funded by the European Union, alongside our collaborators, NRD Cyber Security and RevelSI, and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. 101145843. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.
