General

  • Target

    JaffaCakes118_d4f9e99e2d8365ec360bb49173bc9896

  • Size

    516KB

  • Sample

    250424-eh4lbaspz9

  • MD5

    d4f9e99e2d8365ec360bb49173bc9896

  • SHA1

    62a4337479ab1bc4ce08e338890275f75a5a27a5

  • SHA256

    3664435ff5113ac3376d9feef4bc24cc50b7e04223dd2fa76b29e4388eac624c

  • SHA512

    6688f59fd5548f1d477491d5c6b0bfa94cd54f843e39d8859454f7c59b1bca6be772a9f6f3d961a64baa4ab89088d9acd547c2343be42b53f76f592d48537ccd

  • SSDEEP

    12288:bpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsD:bpUNr6YkVRFkgbeqeo68Fhqy

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a domain generation algorithm (DGA) for its command-and-control domains, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain countries).

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks