General

Target: JaffaCakes118_e3e7fb75cc367b5a87aaa64834803fa7
Size: 560KB
Sample: 250503-mvy6cs1wcv
MD5: e3e7fb75cc367b5a87aaa64834803fa7
SHA1: ee815261f39d483cd0d002152b9c0099dafba947
SHA256: 3833498dcf5e25cb7039592846f550c8f805aa77af04740fac7852f5ebf8afe2
SHA512: 56c43fe7d3df73db1aa4e92a60540a1733e101dd17e7398bb24439149a31f3e10fabbd02e012f5fd559168717e2a061f2515c5263874a43ee5acdf25326ede3b
SSDEEP: 12288:UvtygGVWeZ8KsJyP5sDmEei5tHhh4KmM1kTu7etCX+pd167QhEXns:oogGVWWMe5skiPHhOz9CE6EhD
Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_e3e7fb75cc367b5a87aaa64834803fa7.exe
Resource: win10v2004-20250502-en

Behavioral task: behavioral2
Sample: JaffaCakes118_e3e7fb75cc367b5a87aaa64834803fa7.exe
Resource: win11-20250502-en
Malware Config
Targets

Target: JaffaCakes118_e3e7fb75cc367b5a87aaa64834803fa7
Size: 560KB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above.
Signatures:
- Modifies WinLogon for persistence
- Pykspa family
- UAC bypass
- Detect Pykspa worm
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
  Possibly turns off User Account Control's privilege elevation for standard users.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
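Most of the signatures above boil down to a registry write at a well-known location (Winlogon Shell/Userinit, Run and Policies\Explorer\Run keys, DisableRegistryTools, EnableLUA / ConsentPromptBehaviorUser, SafeBoot). The Python below is an added example, not part of this report, the sandbox, or the sample: it runs that mapping as detection logic over a handful of constructed, simplified Sysmon Event ID 13 (RegistryEvent: Value Set) records. The one-line "key=value" record format, the file paths and value names in the sample records, and the specific registry values assumed to trigger each named signature are all assumptions made for the example; the report itself does not list the values this sample wrote. Read-only checks ("Checks computer location settings", "Checks whether UAC is enabled") and the external-IP lookup do not produce value-set events and are deliberately out of scope here.

```python
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    name: str           # signature name as it appears in the report
    target: str         # regex over TargetObject (the registry value path)
    details: str = ""   # optional regex over the value written


# Registry locations assumed to correspond to the report's signature names.
RULES = [
    Rule("Modifies WinLogon for persistence",
         r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$"),
    Rule("Adds policy Run key to start application",
         r"\\CurrentVersion\\Policies\\Explorer\\Run\\"),
    Rule("Adds Run key to start application",
         r"\\CurrentVersion\\Run\\"),
    Rule("Disables RegEdit via registry modification",
         r"\\Policies\\System\\DisableRegistryTools$", r"DWORD \(0x0*1\)"),
    Rule("UAC bypass",
         r"\\Policies\\System\\EnableLUA$", r"DWORD \(0x0+\)"),
    Rule("Turns off UAC privilege elevation for standard users",
         r"\\Policies\\System\\ConsentPromptBehaviorUser$", r"DWORD \(0x0+\)"),
    Rule("Impair Defenses: Safe Mode Boot",
         r"\\Control\\SafeBoot\\(Minimal|Network)\\"),
]

# Constructed records (assumed format; real Sysmon output is EVTX/XML).
# Paths and names are placeholders, not artefacts from the analysed sample.
MAL = r"C:\Users\u\AppData\Local\Temp\x.exe"
SAMPLE_EVENTS = [
    rf"EventID=13 Image={MAL} TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Details=explorer.exe,C:\Windows\System32\x.exe",
    rf"EventID=13 Image={MAL} TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\x Details=C:\Windows\System32\x.exe",
    rf"EventID=13 Image={MAL} TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x Details=C:\Windows\System32\x.exe",
    rf"EventID=13 Image={MAL} TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools Details=DWORD (0x00000001)",
    rf"EventID=13 Image={MAL} TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)",
    rf"EventID=13 Image={MAL} TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser Details=DWORD (0x00000000)",
    rf"EventID=13 Image={MAL} TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\x.sys Details=Service",
    # Benign noise: an installer writing RunOnce (not Run), and a key-create event (ID 12).
    r"EventID=13 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup Details=C:\Program Files\Vendor\cleanup.exe",
    r"EventID=12 Image=C:\Windows\explorer.exe TargetObject=HKCU\SOFTWARE\Classes\x Details=",
]

EVENT_RE = re.compile(r"^EventID=(\d+) Image=(.*?) TargetObject=(.*?) Details=(.*)$")


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed record; return None for lines that do not fit."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"id": int(m.group(1)), "image": m.group(2),
            "target": m.group(3), "details": m.group(4)}


def match_event(ev: Optional[dict]) -> list:
    """Return the names of every rule a single value-set event satisfies."""
    if ev is None or ev["id"] != 13:
        return []
    hits = []
    for rule in RULES:
        if not re.search(rule.target, ev["target"], re.IGNORECASE):
            continue
        if rule.details and not re.search(rule.details, ev["details"], re.IGNORECASE):
            continue
        hits.append(rule.name)
    return hits


def scan(lines) -> dict:
    """Group hits per writing process: {image: [(signature, target), ...]}."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        for name in match_event(ev):
            findings.setdefault(ev["image"], []).append((name, ev["target"]))
    return findings


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image)
        for name, target in hits:
            print(f"  [{name}] {target}")
```

Grouping by the writing process is the useful part: a single binary that both installs persistence and weakens RegEdit, UAC or safe-mode defenses is a far stronger signal than any one of those writes alone, which is also why the report's own persistence and defense-evasion signatures are read together rather than individually.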
MITRE ATT&CK Enterprise v16 (the number after each entry is the count of matching signatures)

Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
- Hijack Execution Flow (T1574): 1
  - Executable Installer File Permissions Weakness (T1574.005): 1

Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
- Hijack Execution Flow (T1574): 1
  - Executable Installer File Permissions Weakness (T1574.005): 1

Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Hijack Execution Flow (T1574): 1
  - Executable Installer File Permissions Weakness (T1574.005): 1
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 1
  - Safe Mode Boot (T1562.009): 1
- Modify Registry (T1112): 5