General

  • Target

    JaffaCakes118_d2359882a02fea1b2179df3a8bbbe41b

  • Size

    508KB

  • Sample

    250423-mv7gqsvyhy

  • MD5

    d2359882a02fea1b2179df3a8bbbe41b

  • SHA1

    9c01dd138f50cafde51e3a56892fbacfe713e8a1

  • SHA256

    4bef104c72830617853df2551a2ff6630dcfebde00899ed36bfdc7e4b9fee596

  • SHA512

    a99d53918a25f07ef4d318a4b434591e1deacfd892a05061875c20154af93c1df847f08876b664e0238e12d0409c1a2d4718b40ad720bcf2592c4ccdf9ba2562

  • SSDEEP

    6144:GE6GT1pKt0wlVVA1RvAvB5xOxRlAkdHMDfefyp5xiVLB4f/WJAT0l09cENnvnVfs:76GT1pKuY4RvATM1vaPX/aATK09j8KE

Malware Config

Targets

    • Target

      JaffaCakes118_d2359882a02fea1b2179df3a8bbbe41b

    • Size

      508KB

    • MD5

      d2359882a02fea1b2179df3a8bbbe41b

    • SHA1

      9c01dd138f50cafde51e3a56892fbacfe713e8a1

    • SHA256

      4bef104c72830617853df2551a2ff6630dcfebde00899ed36bfdc7e4b9fee596

    • SHA512

      a99d53918a25f07ef4d318a4b434591e1deacfd892a05061875c20154af93c1df847f08876b664e0238e12d0409c1a2d4718b40ad720bcf2592c4ccdf9ba2562

    • SSDEEP

      6144:GE6GT1pKt0wlVVA1RvAvB5xOxRlAkdHMDfefyp5xiVLB4f/WJAT0l09cENnvnVfs:76GT1pKuY4RvATM1vaPX/aATK09j8KE

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks