General

  • Target

    JaffaCakes118_b290c6025c5e02a99bb372986a2c07e4

  • Size

    524KB

  • Sample

    250412-r3f2zaw1et

  • MD5

    b290c6025c5e02a99bb372986a2c07e4

  • SHA1

    c12b76f3eac05a2e8df90c618c703e7edfff5d89

  • SHA256

    79f662e4967afa18a37082fbfd8ce704e079f47458569fdda125354d5beb1c33

  • SHA512

    30b68aebc967dec32d4203b8aebbae942e5dbbf8f1b780129e56c2ddd6c030fe8131d46504f45c757a73e4920ba32bf2135426d6af449bf9ae102d49712fea10

  • SSDEEP

    6144:RH6yI5HYUKReppVUnlby6ralQNeEAnbd4ClDyCSCj2LQBOL1oB8aUB:x6yKKgppT6rMSjq2Yj2LQoSU

Malware Config

Targets

    • Target

      JaffaCakes118_b290c6025c5e02a99bb372986a2c07e4

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks