General

  • Target

    JaffaCakes118_e3e7fb75cc367b5a87aaa64834803fa7

  • Size

    560KB

  • Sample

    250503-mvy6cs1wcv

  • MD5

    e3e7fb75cc367b5a87aaa64834803fa7

  • SHA1

    ee815261f39d483cd0d002152b9c0099dafba947

  • SHA256

    3833498dcf5e25cb7039592846f550c8f805aa77af04740fac7852f5ebf8afe2

  • SHA512

    56c43fe7d3df73db1aa4e92a60540a1733e101dd17e7398bb24439149a31f3e10fabbd02e012f5fd559168717e2a061f2515c5263874a43ee5acdf25326ede3b

  • SSDEEP

    12288:UvtygGVWeZ8KsJyP5sDmEei5tHhh4KmM1kTu7etCX+pd167QhEXns:oogGVWWMe5skiPHhOz9CE6EhD

Malware Config

Targets

    • Target

      JaffaCakes118_e3e7fb75cc367b5a87aaa64834803fa7

    • Size

      560KB

    • MD5

      e3e7fb75cc367b5a87aaa64834803fa7

    • SHA1

      ee815261f39d483cd0d002152b9c0099dafba947

    • SHA256

      3833498dcf5e25cb7039592846f550c8f805aa77af04740fac7852f5ebf8afe2

    • SHA512

      56c43fe7d3df73db1aa4e92a60540a1733e101dd17e7398bb24439149a31f3e10fabbd02e012f5fd559168717e2a061f2515c5263874a43ee5acdf25326ede3b

    • SSDEEP

      12288:UvtygGVWeZ8KsJyP5sDmEei5tHhh4KmM1kTu7etCX+pd167QhEXns:oogGVWWMe5skiPHhOz9CE6EhD

    • Modifies WinLogon for persistence

    • Pykspa

      Pykspa is a worm spreads via Skype uses DGA and it's written in C++.

    • Pykspa family

    • Detect Pykspa worm

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks