General

  • Target

    JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1

  • Size

    588KB

  • Sample

    250422-qde8pswvhy

  • MD5

    ce23cbd71cc033cecb1958623ee620c1

  • SHA1

    ee0c07c78a5eeb4216a4e178e871f04ef0ba9b00

  • SHA256

    270dce235ce96e14c6472a545008e2e80c489f41b21f8ce9db95a60dd18f99c3

  • SHA512

    9a26d99303a7e07e4b5be581d4621d8af9705106ef6f26ab5326911c0d0aa065658951c5ca5c3b7dc1c4603c65a5ff0b8dbed4dbbc43b7bcd3d93dafa18b6a73

  • SSDEEP

    12288:CYBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3:CY2w+tOwuMCeEOPp83

Malware Config

Targets

    • Target

      JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1

    • Size

      588KB

    • MD5

      ce23cbd71cc033cecb1958623ee620c1

    • SHA1

      ee0c07c78a5eeb4216a4e178e871f04ef0ba9b00

    • SHA256

      270dce235ce96e14c6472a545008e2e80c489f41b21f8ce9db95a60dd18f99c3

    • SHA512

      9a26d99303a7e07e4b5be581d4621d8af9705106ef6f26ab5326911c0d0aa065658951c5ca5c3b7dc1c4603c65a5ff0b8dbed4dbbc43b7bcd3d93dafa18b6a73

    • SSDEEP

      12288:CYBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3:CY2w+tOwuMCeEOPp83

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks