General

  • Target

    8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118

  • Size

    284KB

  • Sample

    241031-cwwrhsxerc

  • MD5

    8134e598125e14e6bd192b3bf1a5fa85

  • SHA1

    e6d8f38208f789e5880085c43db65ddb0422df67

  • SHA256

    e13b8ea286f1d029c16412c194919057eb73732b06b0236516fa3971f493974d

  • SHA512

    354dc28b7ebd1be9c1573937c19cce482872908237d90d53c0feac4db3b4d4b8f066bcd3a43088ccdb62b2da8c305ec0912bb8aaf373fdc6d07f3f18293c8ad8

  • SSDEEP

    6144:lIfYOMlH5bmfynhMTMYX5evvwo86JQPDHDdx/Qtq8:ToWhMwYX5e3hPJQPDHvd

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks