win.pykspa

Pykspa


According to Akamai, Pykspa is a worm that spreads via Skype by sending other Skype users messages containing download links. Once downloaded, Pykspa extracts personal information and communicates with its command-and-control (C2) servers, whose domain names are produced by a domain generation algorithm (DGA).

References
2019-07-11 — Akamai — Lior Lahav
Pykspa V2 DGA Updated to Become Selective
Pykspa
2018-01-11 — Youtube (OALabs) — Sergei Frankoff
Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1
Pykspa
2015-07-19 — Johannes Bader Blog — Johannes Bader
The Faulty Precursor of Pykspa's DGA
Pykspa
2015-03-10 — Johannes Bader Blog — Johannes Bader
The DGA of Pykspa
Pykspa
Yara Rules
[TLP:WHITE] win_pykspa_auto (20260504 | Detects win.pykspa.)
rule win_pykspa_auto {
    // Autogenerated YARA-Signator rule for the Pykspa family (win.pykspa).
    // It fires when at least 7 of the 10 $sequence_* byte patterns below are
    // present in a scanned object smaller than 835584 bytes. Each pattern is a
    // short run of x86 instruction encodings lifted from disassembly; see the
    // DISCLAIMER below for how they were selected and what that implies for
    // generalisation and confidence.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pykspa."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex string of contiguous instruction encodings.
    // "??" bytes are wildcards standing in for operands that differ between
    // builds or load addresses: the rel32 displacement of "e8" (call) and the
    // imm32 operand of "68" (push). That is why the disassembly column in the
    // per-byte annotations is blank on those lines. In the annotations, n is
    // the number of instructions in the sequence; score is the selection
    // score reported by yara-signator (its exact semantics are not given
    // here — see the tool repository referenced above).
    strings:
        $sequence_0 = { 8bc6 6a02 99 59 f7f9 3bd3 8bc8 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   6a02                 | push                2
            //   99                   | cdq                 
            //   59                   | pop                 ecx
            //   f7f9                 | idiv                ecx
            //   3bd3                 | cmp                 edx, ebx
            //   8bc8                 | mov                 ecx, eax

        $sequence_1 = { 0f84dc000000 ff36 e8???????? 8bf8 85ff 59 897dec }
            // n = 7, score = 100
            //   0f84dc000000         | je                  0xe2
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   59                   | pop                 ecx
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi

        $sequence_2 = { 6a00 50 e8???????? 8365c800 8365e400 83c40c 6a02 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   8365c800             | and                 dword ptr [ebp - 0x38], 0
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   83c40c               | add                 esp, 0xc
            //   6a02                 | push                2

        $sequence_3 = { 3955f8 740d 8d75f8 8b7d10 a5 66a5 b001 }
            // n = 7, score = 100
            //   3955f8               | cmp                 dword ptr [ebp - 8], edx
            //   740d                 | je                  0xf
            //   8d75f8               | lea                 esi, [ebp - 8]
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   b001                 | mov                 al, 1

        $sequence_4 = { 745b 80bd50ffffff2e 0f84cb010000 8d8550ffffff 50 ff7570 8d8520feffff }
            // n = 7, score = 100
            //   745b                 | je                  0x5d
            //   80bd50ffffff2e       | cmp                 byte ptr [ebp - 0xb0], 0x2e
            //   0f84cb010000         | je                  0x1d1
            //   8d8550ffffff         | lea                 eax, [ebp - 0xb0]
            //   50                   | push                eax
            //   ff7570               | push                dword ptr [ebp + 0x70]
            //   8d8520feffff         | lea                 eax, [ebp - 0x1e0]

        $sequence_5 = { 83c418 56 85c0 56 0f9545ff ffd7 807dff00 }
            // n = 7, score = 100
            //   83c418               | add                 esp, 0x18
            //   56                   | push                esi
            //   85c0                 | test                eax, eax
            //   56                   | push                esi
            //   0f9545ff             | setne               byte ptr [ebp - 1]
            //   ffd7                 | call                edi
            //   807dff00             | cmp                 byte ptr [ebp - 1], 0

        $sequence_6 = { 85c0 59 59 7404 b001 5f c3 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   7404                 | je                  6
            //   b001                 | mov                 al, 1
            //   5f                   | pop                 edi
            //   c3                   | ret                 

        $sequence_7 = { e8???????? 59 59 8bf0 ffd3 894608 eb25 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8bf0                 | mov                 esi, eax
            //   ffd3                 | call                ebx
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   eb25                 | jmp                 0x27

        $sequence_8 = { 8d8500f0ffff 50 8b4508 83c008 50 e8???????? }
            // n = 6, score = 100
            //   8d8500f0ffff         | lea                 eax, [ebp - 0x1000]
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c008               | add                 eax, 8
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_9 = { 6a0c 8d8540faffff 50 68???????? e8???????? 83c420 50 }
            // n = 7, score = 100
            //   6a0c                 | push                0xc
            //   8d8540faffff         | lea                 eax, [ebp - 0x5c0]
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   50                   | push                eax

    condition:
        // "7 of them" requires at least 7 of the 10 $sequence_* strings, so a
        // single differing or absent code path does not by itself defeat the
        // match. The size bound (835584 = 0xCC000 bytes) presumably reflects
        // the sample the rule was generated from — TODO confirm before relying
        // on it for larger carriers.
        // NOTE(review): filesize is the size of the scanned object; since the
        // sequences were selected from memory dumps and unpacked files, confirm
        // the intended behaviour when this rule is applied to process memory
        // or dumps rather than on-disk files.
        7 of them and filesize < 835584
}