General

  • Target

    JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4

  • Size

    976KB

  • Sample

    250421-p2z3caxps9

  • MD5

    c95a495a4c01031dd2c777a44c3fc9e4

  • SHA1

    51084a46294dd634450c6ac27d9ef870438c4d70

  • SHA256

    915d73145ca41654c2bd3a3b908de8f2df454c97bb351237bd5498b9954c789a

  • SHA512

    152a18025948bc9d36f132eed09b3266c97843e0c6c110a3c35d51eeab48d360ca3ad26d25282b935681348eb0731aca6434b162a58e1996cc18e3aa48e1dcd6

  • SSDEEP

    24576:6xsKXa+hHyWseBg/RfMMMMM2MMMMMoGQS5pv8:6xbbtyWxBg/RfMMMMM2MMMMMTQw8

Malware Config

Targets

    • Target

      JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4

    • Size

      976KB

    • MD5

      c95a495a4c01031dd2c777a44c3fc9e4

    • SHA1

      51084a46294dd634450c6ac27d9ef870438c4d70

    • SHA256

      915d73145ca41654c2bd3a3b908de8f2df454c97bb351237bd5498b9954c789a

    • SHA512

      152a18025948bc9d36f132eed09b3266c97843e0c6c110a3c35d51eeab48d360ca3ad26d25282b935681348eb0731aca6434b162a58e1996cc18e3aa48e1dcd6

    • SSDEEP

      24576:6xsKXa+hHyWseBg/RfMMMMM2MMMMMoGQS5pv8:6xbbtyWxBg/RfMMMMM2MMMMMTQw8

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks