Malware Analysis Report

2024-10-23 20:58

Sample ID 240408-1k6dksga4t
Target e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118
SHA256 411b208b31f28b5feb2a560f2966ca93f6000949b9f78325baf2f16261989cfb
Tags
expiro backdoor
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

411b208b31f28b5feb2a560f2966ca93f6000949b9f78325baf2f16261989cfb

Threat Level: Known bad

The file e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

expiro backdoor

Expiro, m0yv

Expiro payload

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-08 21:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 21:43

Reported

2024-04-08 21:46

Platform

win7-20240221-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe"

Signatures

Expiro, m0yv (tags: backdoor, expiro)

Expiro payload (tags: backdoor)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 156

Network

N/A

Files

memory/3036-0-0x000000004A190000-0x000000004A2D3000-memory.dmp

memory/3036-3-0x000000004A190000-0x000000004A2D3000-memory.dmp

memory/3036-1-0x000000004A190000-0x000000004A2D3000-memory.dmp

memory/3036-4-0x000000004A190000-0x000000004A2D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 21:43

Reported

2024-04-08 21:46

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe"

Signatures

Expiro, m0yv (tags: backdoor, expiro)

Expiro payload (tags: backdoor)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: \??\c:\windows\SysWOW64\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeTakeOwnershipPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 740 -ip 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 276

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/740-0-0x000000004A1B0000-0x000000004A2F3000-memory.dmp

memory/740-1-0x000000004A1B0000-0x000000004A2F3000-memory.dmp

memory/740-3-0x000000004A1B0000-0x000000004A2F3000-memory.dmp

C:\Users\Admin\AppData\Local\pnbjdjjq\addokdcg.tmp

MD5 a48e03f4b544d4c38a20dfea60e53541
SHA1 feeb06620dfebe37e7afe91f901a4271770d106d
SHA256 55c97ac22be11253f141e7dadf2ecdd9798334dcc91e6947d9844f1935308a85
SHA512 3fc1ad33c06ede33b1d52d4a5220f38dc79af6d063ea7e36b66fea3508f5ac72311055f2ae7bbfbb67462951ab0cd06d7a3c58ef52f0832c2883f5456ccb946c

memory/740-12-0x000000004A1B0000-0x000000004A2F3000-memory.dmp