General

  • Target

    JaffaCakes118_a336f8dbe02e6b38651a95838843d159

  • Size

    532KB

  • Sample

    250409-e14n2aypy6

  • MD5

    a336f8dbe02e6b38651a95838843d159

  • SHA1

    8988026b6dcd663381a99c94c7d295731fb23419

  • SHA256

    44486d706aceafbe98008d88664caba6c68c9b430c13968fe24fb5b7142b764b

  • SHA512

    fbca61fb373448acdb54a5340aef7dde47eff343a8947029bd43d48c5bf28ebc8a76a4295e0ca7427c23f4ae18498dc2f381357147a59731fefd723471dd313a

  • SSDEEP

    12288:x6GT1pKuY4RvATM1vaPX/aATK09j8XtLpm1tT0:pmu1RATMlkT99jctLpwR0

Malware Config

Targets

    • Target

      JaffaCakes118_a336f8dbe02e6b38651a95838843d159

    • Size

      532KB

    • MD5

      a336f8dbe02e6b38651a95838843d159

    • SHA1

      8988026b6dcd663381a99c94c7d295731fb23419

    • SHA256

      44486d706aceafbe98008d88664caba6c68c9b430c13968fe24fb5b7142b764b

    • SHA512

      fbca61fb373448acdb54a5340aef7dde47eff343a8947029bd43d48c5bf28ebc8a76a4295e0ca7427c23f4ae18498dc2f381357147a59731fefd723471dd313a

    • SSDEEP

      12288:x6GT1pKuY4RvATM1vaPX/aATK09j8XtLpm1tT0:pmu1RATMlkT99jctLpwR0

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks