General

  • Target

    JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e

  • Size

    524KB

  • Sample

    250413-sjp17sytdx

  • MD5

    b4fe986f603c8689f0e3be5b60cc856e

  • SHA1

    4989bebdf2b66cec09efe777715577b21e5fec5e

  • SHA256

    ce16cfb716ea2a3ebb272428883f5b7375f2b38c5eeff3c4e455baa9a9fb0168

  • SHA512

    b5b057b7d9a79abd6d857c50767075e480bd3bb3d6dee512c9d517c851e242e42d0e05263010c719b870308bc728908345310280c2b3431a72b8ffc50533b94e

  • SSDEEP

    12288:fg5pBHxXptbN5ZRgOiBjw/C0AWzFjbWOeEEs:qH7tbrbIBjwuWRmLEn

Malware Config

Targets

    • Target

      JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e

    • Size

      524KB

    • MD5

      b4fe986f603c8689f0e3be5b60cc856e

    • SHA1

      4989bebdf2b66cec09efe777715577b21e5fec5e

    • SHA256

      ce16cfb716ea2a3ebb272428883f5b7375f2b38c5eeff3c4e455baa9a9fb0168

    • SHA512

      b5b057b7d9a79abd6d857c50767075e480bd3bb3d6dee512c9d517c851e242e42d0e05263010c719b870308bc728908345310280c2b3431a72b8ffc50533b94e

    • SSDEEP

      12288:fg5pBHxXptbN5ZRgOiBjw/C0AWzFjbWOeEEs:qH7tbrbIBjwuWRmLEn

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks