General

  • Target

    JaffaCakes118_d08e9ae2c484798c819a806491b684d5

  • Size

    512KB

  • Sample

    250423-cd5lpstvgw

  • MD5

    d08e9ae2c484798c819a806491b684d5

  • SHA1

    a6c9332341f5db86116efa03ae6dab7e1a5ec008

  • SHA256

    37f71bcb45a0c8a72afe18f2a4b9aadb5b455b7c6fb768e0f8289c5868937d2a

  • SHA512

    66b7da0be28f4ba3901f8bead0b67ca00ad9a77b3e1868c824d40cfae70c21eb891d1eeee0e6dbf214d03dc8492466ab431f36fbcc907961fda690298e8c73bd

  • SSDEEP

    12288:3YBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3:3Y2w+tOwuMCeEOPp83

Malware Config

Targets

    • Target

      JaffaCakes118_d08e9ae2c484798c819a806491b684d5

    • Size

      512KB

    • MD5

      d08e9ae2c484798c819a806491b684d5

    • SHA1

      a6c9332341f5db86116efa03ae6dab7e1a5ec008

    • SHA256

      37f71bcb45a0c8a72afe18f2a4b9aadb5b455b7c6fb768e0f8289c5868937d2a

    • SHA512

      66b7da0be28f4ba3901f8bead0b67ca00ad9a77b3e1868c824d40cfae70c21eb891d1eeee0e6dbf214d03dc8492466ab431f36fbcc907961fda690298e8c73bd

    • SSDEEP

      12288:3YBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3:3Y2w+tOwuMCeEOPp83

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks