General

  • Target

    JaffaCakes118_e0eae7bfab7590ffde1dfa02fabbf8b6

  • Size

    836KB

  • Sample

    250428-yt8h7azpy5

  • MD5

    e0eae7bfab7590ffde1dfa02fabbf8b6

  • SHA1

    1d218a2dc43ce1b7605a447d9cc234fe70f84cee

  • SHA256

    21271255abd6770bddb616d7d23d1901a43461c489532de4669a1414f77202fe

  • SHA512

    b112d1bd78fdda85dfb2575d8628ccc60f3188c43310f1d2a37c7f91937441992828b3c056766499f9e05e6412531096c2187cb6c3289b64dbf35594bc608ae5

  • SSDEEP

    12288:KpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsR:KpUNr6YkVRFkgbeqeo68Fhqk

Malware Config

Targets

    • Target

      JaffaCakes118_e0eae7bfab7590ffde1dfa02fabbf8b6

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm that spreads via Skype, uses a DGA, and is written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks