General

  • Target

    JaffaCakes118_aa2995e664f39da5594fe7229db71794

  • Size

    640KB

  • Sample

    250410-p18yvssjx9

  • MD5

    aa2995e664f39da5594fe7229db71794

  • SHA1

    e79322e26d88a22d83ad241a97aa9965d0af76a5

  • SHA256

    b7f14ca5c74288d372b0dc9e66bd34a7fb1b4d184246c5d63496f9677fd0af68

  • SHA512

    0847dbc3252d06cbe683c4c2fd5ceeb76757c3fb1cbe49b8847532ed5bab844763e0ca69fccfd99f83d1a22646227dbf1f02b4037cfb2b818f1b2a45a71e4dd5

  • SSDEEP

    12288:hIXlgtvm1De5YlOx6lzBH46UTyxeco7pQS/L7no2aT:hd81yMBbwyno7pQS/LBaT

Targets

    • Target

      JaffaCakes118_aa2995e664f39da5594fe7229db71794

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm, written in C++, that spreads via Skype and uses a domain generation algorithm (DGA) for its command-and-control domains.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry (likely geofencing).

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

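The registry-based behaviours listed above (Winlogon tampering, Run and policy Run keys, DisableRegistryTools, UAC policy values, SafeBoot entries) can be turned into host-side detection logic. The Python below is an added example, not part of the sandbox report or of any Pykspa analysis tooling: it runs a small rule set over Sysmon Event ID 13 (RegistryEvent: value set) records. The registry paths are the standard Windows locations for each behaviour; pairing them with the report's signature names, the Sysmon-style field names, and the sample events (including the dropper path `sample.exe`) are constructed for this example.

```python
"""Added example (not part of the sandbox report or of any Pykspa tooling):
map the report's registry-based behaviours to Sysmon Event ID 13 records
(RegistryEvent: value set) so they can be hunted on real hosts.

Sysmon renders DWORD data as 'DWORD (0x00000001)' and a key's default value
as a trailing '\\(Default)' path component; both conventions are used below.
Registry *reads* ("Checks computer location settings", "Checks whether UAC is
enabled") are not logged by Event ID 13 and are therefore out of scope here.
"""
import re

# Stock Winlogon values on a clean Windows install; anything else is suspect.
DEFAULT_WINLOGON = {"userinit": r"c:\windows\system32\userinit.exe,", "shell": "explorer.exe"}


def _dword(details):
    """Parse Sysmon's 'DWORD (0x0000000N)' rendering; None for non-DWORD data."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def _winlogon_changed(target, details):
    """True when Userinit or Shell is set to anything but its stock value."""
    value = target.rsplit("\\", 1)[1].lower()
    return details.strip().lower() != DEFAULT_WINLOGON[value]


# (signature name, regex over TargetObject, predicate over (TargetObject, Details)).
# Signature names are taken from the report; the registry locations are the
# standard Windows ones, and pairing the two is this example's own assumption.
RULES = [
    ("Modifies WinLogon for persistence",
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I),
     _winlogon_changed),
    ("Adds policy Run key to start application",
     re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", re.I),
     lambda t, d: True),
    ("Adds Run key to start application",
     re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I),
     lambda t, d: True),
    ("Disables RegEdit via registry modification",
     re.compile(r"\\CurrentVersion\\Policies\\System\\DisableRegistryTools$", re.I),
     lambda t, d: (_dword(d) or 0) != 0),
    # EnableLUA=0 turns UAC off; ConsentPromptBehaviorUser=0 makes standard-user
    # elevation requests fail silently (the report's "privilege elevation" line).
    ("Disables UAC or standard-user elevation",
     re.compile(r"\\CurrentVersion\\Policies\\System\\(EnableLUA|ConsentPromptBehaviorUser)$", re.I),
     lambda t, d: _dword(d) == 0),
    # Entries under SafeBoot\Minimal or \Network make a service/driver start in
    # Safe Mode; AlternateShell under SafeBoot\Option replaces the shell there.
    ("Impair Defenses: Safe Mode Boot",
     re.compile(r"\\Control\\SafeBoot\\(Minimal|Network|Option)\\", re.I),
     lambda t, d: True),
]


def triage(events):
    """Return (signature, TargetObject, Details) for every value-set event matching a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:          # only RegistryEvent (value set)
            continue
        target, details = ev["TargetObject"], ev.get("Details", "")
        for name, pattern, pred in RULES:
            if pattern.search(target) and pred(target, details):
                hits.append((name, target, details))
    return hits


DROPPER = r"C:\Users\user\AppData\Roaming\sample.exe"   # constructed path, not from the report
SID = r"HKU\S-1-5-21-1"                                  # constructed user hive prefix
SAMPLE_EVENTS = [  # constructed Sysmon ID 13 records, not captured from the sample
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe," + DROPPER},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sample",
     "Details": DROPPER},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\sample",
     "Details": DROPPER},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sample.exe\(Default)",
     "Details": "Service"},
    # Benign noise that must not fire: stock Shell value, UAC being switched on, a key-create (ID 12).
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample"},
]

if __name__ == "__main__":
    for sig, target, details in triage(SAMPLE_EVENTS):
        print(f"{sig}: {target} = {details}")
```

Run-key writes are common for legitimate software, so in production the two Run rules need an allow-list keyed on the writing `Image` and the value data; the Winlogon, DisableRegistryTools, UAC and SafeBoot rules are rarely triggered by benign software and can be alerted on directly. The report's external IP lookup and the Geo/Nation read would have to come from network or API monitoring rather than registry value-set events.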
MITRE ATT&CK Enterprise v16
