General

  • Target

    JaffaCakes118_aae4910d19b3e77a7423b8fa50e3772e

  • Size

    536KB

  • Sample

    250410-tvlnlawp17

  • MD5

    aae4910d19b3e77a7423b8fa50e3772e

  • SHA1

    9efd5f53fb1fa053838e605e192c434c33a88db5

  • SHA256

    369239bb821f706f73a5200a7cbb4eaf37582bc5fb075a4c3df68db879c8eb3e

  • SHA512

    0a27235d754f9fd17af923ef740fd380afdfc09fc74d29aae956648804d71e07743353bcc271725aff371e9e9fbd07fc40e3c448f7e86d5df1a193df7942f6dc

  • SSDEEP

    6144:3j6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionPvvb:z6onxOp8FySpE5zvIdtU+Ymef

Malware Config

Targets

    • Target

      JaffaCakes118_aae4910d19b3e77a7423b8fa50e3772e

    • Size

      536KB

    • MD5

      aae4910d19b3e77a7423b8fa50e3772e

    • SHA1

      9efd5f53fb1fa053838e605e192c434c33a88db5

    • SHA256

      369239bb821f706f73a5200a7cbb4eaf37582bc5fb075a4c3df68db879c8eb3e

    • SHA512

      0a27235d754f9fd17af923ef740fd380afdfc09fc74d29aae956648804d71e07743353bcc271725aff371e9e9fbd07fc40e3c448f7e86d5df1a193df7942f6dc

    • SSDEEP

      6144:3j6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionPvvb:z6onxOp8FySpE5zvIdtU+Ymef

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks