General

  • Target

    JaffaCakes118_abeedbe3efd76ace504c8bb5442796e0

  • Size

    1016KB

  • Sample

    250410-2zt5javsez

  • MD5

    abeedbe3efd76ace504c8bb5442796e0

  • SHA1

    07a36513cb75a78f0c5b526f414b91f41edb3e83

  • SHA256

    f50b1fb1d0e18eba1f022dce7b593693cdb7ab0ba49f5d9c17a3877412301bbd

  • SHA512

    3b396d4e0603784e97a4d822a954e621b3f37724ef7b5649d56a92dfe461ab415890d81bb401a21f1d4df0891bb21e358d21c6adb56b32cfd94128d406985180

  • SSDEEP

    12288:nIXsgtvm1De5YlOx6lzBH46UQlgMI1MM:nU81yMBbVlgMI1MM

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks