General

  • Target

    JaffaCakes118_9f09c9ceb28bbf292681b6987df891f7

  • Size

    284KB

  • Sample

    250407-pav93s1nw4

  • MD5

    9f09c9ceb28bbf292681b6987df891f7

  • SHA1

    8cf55dafe7c66e103014f743aef9fdf301a7860a

  • SHA256

    968e84a5581220ed0fc6ba70b02644cf8ea39a2755c3afb05d4ee3dc2144f682

  • SHA512

    c18a711d3bf9add842fccc4aad7cf83c5870dffe5b022f57cab5548472048ff259741390fcc37f79998434ff3cfc339c23edddef43851c6b7fcf667a4301da9c

  • SSDEEP

    6144:12iIJ4W9Z/o7p0RhGfFHyy3u9vLrr586JQPDHDdx/Qtq8:wVrhGdHyy3Czr1PJQPDHvd

Malware Config

Targets

    • Target

      JaffaCakes118_9f09c9ceb28bbf292681b6987df891f7

    • Size

      284KB

    • MD5

      9f09c9ceb28bbf292681b6987df891f7

    • SHA1

      8cf55dafe7c66e103014f743aef9fdf301a7860a

    • SHA256

      968e84a5581220ed0fc6ba70b02644cf8ea39a2755c3afb05d4ee3dc2144f682

    • SHA512

      c18a711d3bf9add842fccc4aad7cf83c5870dffe5b022f57cab5548472048ff259741390fcc37f79998434ff3cfc339c23edddef43851c6b7fcf667a4301da9c

    • SSDEEP

      6144:12iIJ4W9Z/o7p0RhGfFHyy3u9vLrr586JQPDHDdx/Qtq8:wVrhGdHyy3Czr1PJQPDHvd

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks