General

  • Target

    JaffaCakes118_cfe038c23eae62fc4bd8d7ae5c5811bd

  • Size

    484KB

  • Sample

    250422-1846essrt3

  • MD5

    cfe038c23eae62fc4bd8d7ae5c5811bd

  • SHA1

    452d2d1a96cb9061a0c2820af8ffb512b6784d4a

  • SHA256

    061260118ea16ac380208a0f6be7eedd54d786184838f5845818178f9b5078fd

  • SHA512

    cf9cab34934b570b05be4a8a04b2686b03d2073926c8aac5b832d0dd6eab98df31aa613365ef1bdd5e03021c06c76ae3389ad1f3e6a75ffc80de42b819e7c74b

  • SSDEEP

    6144:5KEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8o:5Kr3QboC9qLGKgZKe4HYpHvcbTlp0OA

Malware Config

Targets

    • Target

      JaffaCakes118_cfe038c23eae62fc4bd8d7ae5c5811bd

    • Size

      484KB

    • MD5

      cfe038c23eae62fc4bd8d7ae5c5811bd

    • SHA1

      452d2d1a96cb9061a0c2820af8ffb512b6784d4a

    • SHA256

      061260118ea16ac380208a0f6be7eedd54d786184838f5845818178f9b5078fd

    • SHA512

      cf9cab34934b570b05be4a8a04b2686b03d2073926c8aac5b832d0dd6eab98df31aa613365ef1bdd5e03021c06c76ae3389ad1f3e6a75ffc80de42b819e7c74b

    • SSDEEP

      6144:5KEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8o:5Kr3QboC9qLGKgZKe4HYpHvcbTlp0OA

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks