General

  • Target

    JaffaCakes118_9fcf2bcd668c81b316cc5d7b814d60b9

  • Size

    636KB

  • Sample

    250407-tmxe5avwdx

  • MD5

    9fcf2bcd668c81b316cc5d7b814d60b9

  • SHA1

    571ad40bbae5fe2bf82f2db67f5f4f168b1146d9

  • SHA256

    42bfacb6bf9312966fee6726c34c60dd63ff2f864bbe007ea0230a27ecdd8ad2

  • SHA512

    30164e7b7d1b4699b98ddc104b4469ff1b61d8cf884369f011459a481f463c090fb9b3fcbcaf5aef9ce50df2157e53fbbc40af71720ef66314bb5df31bbd997b

  • SSDEEP

    12288:Y6onxOp8FySpE5zvIdtU+YmefLs9v2V+yc:Mwp8DozAdO9LsZ20yc

Malware Config

Targets

    • Target

      JaffaCakes118_9fcf2bcd668c81b316cc5d7b814d60b9

    • Size

      636KB

    • MD5

      9fcf2bcd668c81b316cc5d7b814d60b9

    • SHA1

      571ad40bbae5fe2bf82f2db67f5f4f168b1146d9

    • SHA256

      42bfacb6bf9312966fee6726c34c60dd63ff2f864bbe007ea0230a27ecdd8ad2

    • SHA512

      30164e7b7d1b4699b98ddc104b4469ff1b61d8cf884369f011459a481f463c090fb9b3fcbcaf5aef9ce50df2157e53fbbc40af71720ef66314bb5df31bbd997b

    • SSDEEP

      12288:Y6onxOp8FySpE5zvIdtU+YmefLs9v2V+yc:Mwp8DozAdO9LsZ20yc

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks