General

  • Target

    JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0

  • Size

    516KB

  • Sample

    250412-s8rlbsxpv9

  • MD5

    b2b7b9be91e42f447618c78205cfccb0

  • SHA1

    ac38435860734cbcdfff61a917c8e37e27d781a5

  • SHA256

    f3cb92699801b3fd4ca75d9e7a09d1b40b0a4591399753c4222c0b6385d8c897

  • SHA512

    3d7cab72720c27c80569eab34d9968f34bee41a38efbc9e5d25d40af373b560ba6f7240139d325700389ae0afc53d9c4b40ba69f08a3786f5c32619f37fc4193

  • SSDEEP

    12288:3pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsD:3pUNr6YkVRFkgbeqeo68Fhqy

Malware Config

Targets

    • Target

      JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0

    • Size

      516KB

    • MD5

      b2b7b9be91e42f447618c78205cfccb0

    • SHA1

      ac38435860734cbcdfff61a917c8e37e27d781a5

    • SHA256

      f3cb92699801b3fd4ca75d9e7a09d1b40b0a4591399753c4222c0b6385d8c897

    • SHA512

      3d7cab72720c27c80569eab34d9968f34bee41a38efbc9e5d25d40af373b560ba6f7240139d325700389ae0afc53d9c4b40ba69f08a3786f5c32619f37fc4193

    • SSDEEP

      12288:3pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsD:3pUNr6YkVRFkgbeqeo68Fhqy

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks