General

  • Target

    JaffaCakes118_accbd6960dd347c36571ba5642f84e23

  • Size

    1016KB

  • Sample

    250411-ed7geaypw4

  • MD5

    accbd6960dd347c36571ba5642f84e23

  • SHA1

    5b7c416ada72814560922010b317e8669003b3e5

  • SHA256

    482f4d7695f48bda4cfbda875fa32859d0206b577a679fee45c42f8b2151a49d

  • SHA512

    af2d46582af45ea98dc208306e9302b646f3102a30e7fe72dadebc8ed735ff4447e84dc0799ef9d0693e5d5b4c5223bba6e6cf2dd0b7c2f7102d8a0198dc301a

  • SSDEEP

    12288:qpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsDu8wKF:qpUNr6YkVRFkgbeqeo68Fhq6upKF

Malware Config

Targets

    • Target

      JaffaCakes118_accbd6960dd347c36571ba5642f84e23

    • Size

      1016KB

    • MD5

      accbd6960dd347c36571ba5642f84e23

    • SHA1

      5b7c416ada72814560922010b317e8669003b3e5

    • SHA256

      482f4d7695f48bda4cfbda875fa32859d0206b577a679fee45c42f8b2151a49d

    • SHA512

      af2d46582af45ea98dc208306e9302b646f3102a30e7fe72dadebc8ed735ff4447e84dc0799ef9d0693e5d5b4c5223bba6e6cf2dd0b7c2f7102d8a0198dc301a

    • SSDEEP

      12288:qpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsDu8wKF:qpUNr6YkVRFkgbeqeo68Fhq6upKF

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks