General

  • Target

    JaffaCakes118_a6bee2b11b3db26998f11cc9e45f7909

  • Size

    496KB

  • Sample

    250409-zkwzgasjx6

  • MD5

    a6bee2b11b3db26998f11cc9e45f7909

  • SHA1

    0c639f2467af1d0aa31c2fb1dc969cca49107eb1

  • SHA256

    876b18e0b1ab95d9f44868e38f5bd0169da22e2026ec2ea1d8ec2d1957326d82

  • SHA512

    af47c4d3eaed55f690a23b8283f2615f1c4c4dbd70fe3a1904f7e8d77337f8a2a49a4c30505e6a43820bb84b64229e257a8448d7ef84c48a1c7d558b1ba0b73b

  • SSDEEP

    6144:T8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU4:InRy+ZyYpaCDJFuPyAHcqrU

Malware Config

Targets

    • Target

      JaffaCakes118_a6bee2b11b3db26998f11cc9e45f7909

    • Size

      496KB

    • MD5

      a6bee2b11b3db26998f11cc9e45f7909

    • SHA1

      0c639f2467af1d0aa31c2fb1dc969cca49107eb1

    • SHA256

      876b18e0b1ab95d9f44868e38f5bd0169da22e2026ec2ea1d8ec2d1957326d82

    • SHA512

      af47c4d3eaed55f690a23b8283f2615f1c4c4dbd70fe3a1904f7e8d77337f8a2a49a4c30505e6a43820bb84b64229e257a8448d7ef84c48a1c7d558b1ba0b73b

    • SSDEEP

      6144:T8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU4:InRy+ZyYpaCDJFuPyAHcqrU

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks