General

  • Target

    JaffaCakes118_a5f08f7a36315c8e684dcdd2b43073d1

  • Size

    552KB

  • Sample

    250409-vkktzsxvct

  • MD5

    a5f08f7a36315c8e684dcdd2b43073d1

  • SHA1

    bfbb0d557e4a0c64d8db95b58f8e0fa5d29cc6d2

  • SHA256

    83d542e1c32b412f997127a95b3aa12344d846aa83e865d9a67f315495747d41

  • SHA512

    3a5369218783ae4af1141c1f6b61a9a00ff2de3137207089e15cf85dc300511d86c5a8681d946a38f97d5464a001032846db099fd5a9696b8e597e45d0d5fc2a

  • SSDEEP

    12288:eigkDxdkL+6JNgKVcRa+fpHyWs3OBH4pU11:dxsKXa+hHyWseBg+1

Malware Config

Targets

    • Target

      JaffaCakes118_a5f08f7a36315c8e684dcdd2b43073d1

    • Size

      552KB

    • MD5

      a5f08f7a36315c8e684dcdd2b43073d1

    • SHA1

      bfbb0d557e4a0c64d8db95b58f8e0fa5d29cc6d2

    • SHA256

      83d542e1c32b412f997127a95b3aa12344d846aa83e865d9a67f315495747d41

    • SHA512

      3a5369218783ae4af1141c1f6b61a9a00ff2de3137207089e15cf85dc300511d86c5a8681d946a38f97d5464a001032846db099fd5a9696b8e597e45d0d5fc2a

    • SSDEEP

      12288:eigkDxdkL+6JNgKVcRa+fpHyWs3OBH4pU11:dxsKXa+hHyWseBg+1

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks