General

  • Target

    JaffaCakes118_b248fe8b370f8fcb43c669473faf2b6e

  • Size

    824KB

  • Sample

    250412-pyqz9svvdy

  • MD5

    b248fe8b370f8fcb43c669473faf2b6e

  • SHA1

    608fe88e45ea2939f616d60ac94ad1d3cf15b02b

  • SHA256

    99be2fccaa08c521f7eb1828d6b1620a439a9b9a9945b5dfe617a1bf07f9ef75

  • SHA512

    aa076579580c4a800995cb6b05a4fcce39668266a52cc31b515b64d38828c007f4a10ed018d54adad015e49cac3a26e804ed575bf07ebe7c36e8dbc3b6182eb8

  • SSDEEP

    12288:npUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs5S73cMKmA:npUNr6YkVRFkgbeqeo68FhqaS7MMM

Malware Config

Targets

    • Target

      JaffaCakes118_b248fe8b370f8fcb43c669473faf2b6e

    • Size

      824KB

    • MD5

      b248fe8b370f8fcb43c669473faf2b6e

    • SHA1

      608fe88e45ea2939f616d60ac94ad1d3cf15b02b

    • SHA256

      99be2fccaa08c521f7eb1828d6b1620a439a9b9a9945b5dfe617a1bf07f9ef75

    • SHA512

      aa076579580c4a800995cb6b05a4fcce39668266a52cc31b515b64d38828c007f4a10ed018d54adad015e49cac3a26e804ed575bf07ebe7c36e8dbc3b6182eb8

    • SSDEEP

      12288:npUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs5S73cMKmA:npUNr6YkVRFkgbeqeo68FhqaS7MMM

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks