General

  • Target

    JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2

  • Size

    680KB

  • Sample

    250419-hxrrva1mw5

  • MD5

    c1c90ccb7f44badc91ec2859323fcde2

  • SHA1

    0bc90e1a338997eb95cae02f0250a8678d8f25e4

  • SHA256

    c9fd2f88ae1d80838434f52f63ecc3009bda52cc0b76238121d6068999f13a43

  • SHA512

    464ce273e0f3c9f74bff3c864f54d532f89bea43446ca824ca3af93c3802168c41e314166a6084c0e61a43621900394bea820a2b64c8f92ea156f36ce9584e08

  • SSDEEP

    12288:XIX6gtvm1De5YlOx6lzBH46UVqqVpCyXJ:Xu81yMBbyb3XJ

Malware Config

Targets

    • Target

      JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2

    • Size

      680KB

    • MD5

      c1c90ccb7f44badc91ec2859323fcde2

    • SHA1

      0bc90e1a338997eb95cae02f0250a8678d8f25e4

    • SHA256

      c9fd2f88ae1d80838434f52f63ecc3009bda52cc0b76238121d6068999f13a43

    • SHA512

      464ce273e0f3c9f74bff3c864f54d532f89bea43446ca824ca3af93c3802168c41e314166a6084c0e61a43621900394bea820a2b64c8f92ea156f36ce9584e08

    • SSDEEP

      12288:XIX6gtvm1De5YlOx6lzBH46UVqqVpCyXJ:Xu81yMBbyb3XJ

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks