General

  • Target

    JaffaCakes118_d32d090411841cc709c8f8bb0565c543

  • Size

    480KB

  • Sample

    250423-vb8vfstsay

  • MD5

    d32d090411841cc709c8f8bb0565c543

  • SHA1

    b7388be46bfbce3cf5bb5a923d49dc52d50e2500

  • SHA256

    9f0af325566fad5a98f13d001c42480485d5dc005dc95c7c7c063c9e1fd7e368

  • SHA512

    f607219c8cfa450d16e7e9d37a2fe7cb27b563813741e8cfb31c4cb445bd02a67ae8aa8a37da1be335137a6a0c8df7784cccb38b5dce5c432df6a55d270c5ede

  • SSDEEP

    12288:S9pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsT:S9pUNr6YkVRFkgbeqeo68Fhq6

Malware Config

Targets

    • Target

      JaffaCakes118_d32d090411841cc709c8f8bb0565c543

    • Size

      480KB

    • MD5

      d32d090411841cc709c8f8bb0565c543

    • SHA1

      b7388be46bfbce3cf5bb5a923d49dc52d50e2500

    • SHA256

      9f0af325566fad5a98f13d001c42480485d5dc005dc95c7c7c063c9e1fd7e368

    • SHA512

      f607219c8cfa450d16e7e9d37a2fe7cb27b563813741e8cfb31c4cb445bd02a67ae8aa8a37da1be335137a6a0c8df7784cccb38b5dce5c432df6a55d270c5ede

    • SSDEEP

      12288:S9pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsT:S9pUNr6YkVRFkgbeqeo68Fhq6

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks