Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-04-2024 22:52

General

  • Target

    e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe

  • Size

    672KB

  • MD5

    e89d42e8739f1d730eadced6f6a5f428

  • SHA1

    b4975a178d419b2b47d4a9b5130ea3e0b9d991f4

  • SHA256

    043826693f7236e5353ed0f60818002fbf8122af64cb48e030fc6ce2071a48d2

  • SHA512

    e6b14bd8cc8d2735ff3f38c532341205b46e54910ec2ae5afcb2526ec79ef71fa43b50ed6d76a37b374b45e249582277775b00b60398f93cb7b0a0e828f4275b

  • SSDEEP

    12288:kCCGxTSAe2mjiVg69cvigIUeNyz9bkaF/j3yAfh3xU+LQcPWswdc:kClx20gKgIUY8eXJcrwy

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 2 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e89d42e8739f1d730eadced6f6a5f428_JaffaCakes118.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3316
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4460
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    • Executes dropped EXE
    PID:1016
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:2576
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4132
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      • Executes dropped EXE
      PID:2688
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      • Executes dropped EXE
      PID:3884
    • C:\Windows\servicing\TrustedInstaller.exe
      C:\Windows\servicing\TrustedInstaller.exe
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      4848e631d64d6b7221b0ad943a0d7d43

      SHA1

      65e4fcd3faf271bbe79e772c96cdfadeb566a460

      SHA256

      277ddaa7b3553ab2679d7062004c71369aa869c8805ec974b5edcc7db7b309c5

      SHA512

      cf8db368e9ed48a397d07097fa5812867fe74a44bee779706e597a44cc48b7776a277a17b7beb028b06d17888e4388c89a3994f4cde8377fec392088cd369aa3

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

      MD5

      ce81ca056996a29ad8febbd594b7f7b5

      SHA1

      2cbf1a17fa9c2de2df2d1d30ef27fb913d61890f

      SHA256

      7bf308b3ca2e95780c57cd639d00a1eb608d2697b0b3c2e016270f39821b6b2f

      SHA512

      ddb79f4b70dc61415e63d39a754dc45d8a0cfa02a3a9085177d57c5d2f0349d5f95a614b29d8ea6d1b22e5537550336f6b05b7fc2d3de777c1d9eea732fe0de6

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

      MD5

      dde10ba2de20fdb3e91603b19c543191

      SHA1

      58323cb4a50a3a1168c95c05f9b775bdec6d14ee

      SHA256

      4561ceafc9e2f3bd8aead97974e5784191206bf31306e00ff8b40c7755af7cb1

      SHA512

      9ffdb76713996b9839b0cbfb0944a45f282ff90d205862909fa8579887171de5048654746036e4d021c528a2c2ef02ce4b8fd87215401578ae1996715be24524

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

      MD5

      ae7e5bb4d2853ee1878708d2a5084b43

      SHA1

      73cc8239a15c51dfc1bea0d8e58c1b0dd9906a87

      SHA256

      a463f6b1f9a48634361bb5ed7ed93e3eece3baed3c2e3294020c3de124ffeb9b

      SHA512

      2d9e419be329f919d2aea33b205a3071397682a62d2881cdcd7d902ea5a5ff58cd9bf8ab2a23bd0e2af25a45a77475315c277ae3fa8c920d2c00f27e09c85bde

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

      MD5

      b1da4c5c5a8f7bdda5336a6ad5fd5324

      SHA1

      d435a534f2fc6f014d7b6ec7dad250bb703e60c0

      SHA256

      afc3211139431020cf10c67995952de4f7d53ce138faa8f8a7c68b754255ddac

      SHA512

      e5658fea190541db0a20907ed711064984a38323d2682c11a47c1abc8afbca8f0cab556bb17c328538fcb1672da8f33e35a401cde9ee7f9fa18c0139f437efd8

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

      MD5

      e50db9ec1cbb2cf54a661383df11b0aa

      SHA1

      4f8e1aae350ab7264bc81c4d38bf068ee0593c5c

      SHA256

      17384052938d5e762099e675f99618eb58e17882b3d02aa75b01a30f1b2e8f4f

      SHA512

      dbb8f35e7b9cf674a50e93ced1e339d54dfc9aa7f62f1dca179dde5436a5497cad887c59766c4b40cb1650e4b3c11e1f15192302db3d74518a32f49988b6e06c

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

      MD5

      9913f304a129a450ed75c30385844ce3

      SHA1

      57c6c42b70398d01107332cd5673b73982157644

      SHA256

      ea292f183c05d765ce9f69b415102041967852d4e7d8988414cc75788334ab14

      SHA512

      38b85f65dd4bf8c40b26a0625512b7a397511bfbd344ff73826399a5066ada714b05b14780ffcdea82d44fd1c8270f52cd4729da083eba524f8553834f5ad53d

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      742KB

      MD5

      f886c74390adb0e6bf0506d0ae79681a

      SHA1

      4382379398fc2f4b17be7bcec5b3fe2681cbc2d4

      SHA256

      a5a5fad1dbd53bd456e8695ae8fe9269c0cfdd71b1bb7435704a21910cca9b71

      SHA512

      6058612ba83c9905df5d53ca9bbb149d969dd607755434a86634c2a1dc64645da39fdae82f302d83f02f1cc914d97ed5c4f02e11c4389da4d9ae43acf18a7033

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

      MD5

      2cd53ed01e9ab7024c4df5c8a6e3dae3

      SHA1

      015528ea57d4632c1a72ca691aa7502abbe7837a

      SHA256

      53ac22cf76f2a23caaad05e2f910f6462891e45f7f5537682c97c6013551f052

      SHA512

      1ec87c1d96efa3f58bba7e18e6cfd31a75dbabd89294fbc5abce82b0d491a4158916eabb2ebd45253f3c14ee487bddb55130fcf3c6795d9824750f762e3257f1

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

      MD5

      5a4cea8f93c69adfc66a30d37c22a9bb

      SHA1

      a93915c469b82bf3cda6bda76dfb23cc7d4391e4

      SHA256

      1f9720ad6ddf475c20bb30030ba1eeff9efb2b18b1a66c1dd145fa3f412e21f0

      SHA512

      4adcfb88db97378301414c30b77fc4ef36ae49d9af5532a6a14adc39a82fc4d83374e263d71f95fdfab6f9153028bb07ae8378a7e7b443731e8be5efb75170dd

    • C:\Program Files\Common Files\microsoft shared\Source Engine\pncpniqk.tmp

      Filesize

      637KB

      MD5

      7526a04e010960447b3b1c72797a27c3

      SHA1

      2d3963e93d012123b7f509088a583cd37c420d9b

      SHA256

      5d1563567190d7832a005a85d7a32b4cd6059cd3e0bf20b1a93932d2e20c7dc4

      SHA512

      7d80f8318c720320583b785f173d4b0f785163635b58e9db41a9ce97da9699488c0e78816702f0c63f91129e165c11bc95b48e2e6c5fa9db270441e7ca89b37e

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

      Filesize

      2.0MB

      MD5

      847c628a6e6248357aa09f49f44fc89d

      SHA1

      3e75da29d7f0c99a1b47b6909b7995b038b444e7

      SHA256

      d0d856e57da27af4728b28989b106e030af89b626566a5a0a349e6addb4aa6aa

      SHA512

      5d388a2fcbfc2e37dc8dbcaf23ab665a2179729f259c5c4b4a0b409ca09043c668eac79c5483766052ed5c0c7f61490ebef803e29ac01412e65385e631d09927

    • C:\Users\Admin\AppData\Local\njnerobm\cmd.exe

      Filesize

      682KB

      MD5

      8e73f8c5914fb90b6358c55da605bb0b

      SHA1

      485f66375097870b4a077747a1626730e458d084

      SHA256

      2f996b67134970af84424c5d5232c7ac5c6f6bbffcb193cb74c54028d9098937

      SHA512

      f9a368adb0234275b01c6606d87089e80c423c0f6d0638271ed6fbaca1f476e21d1e922675f6b76f6f69ddf563c39cb421b14464109745aa899ed1ac09731a5b

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      491KB

      MD5

      4ff0ec1515b2a7483c4ddd9cd2d3475d

      SHA1

      6b775c6dd8bf2ab515f12826cbd2e747883e1cce

      SHA256

      af2d3f0f16931b7869e318ad28a8d52e2c1272fdff979cd4722c8049a2d159a7

      SHA512

      f4aedd2d0f6010e68f6e77e76f9296de708f619c87d44e79ca80e1db13f733639fb7b2d183d901328f22982cc16fadca490766a3617c75f81c839666d3b90f66

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      8128096927e000880feb8d0def15d90f

      SHA1

      83ea888843047b054249d598dedd5f55806757fa

      SHA256

      3fb8ebd3177f0c93cd2ec9d2c3220245624398cb3cf1e0f1c7db552e24b503f9

      SHA512

      3c37ccb7c093aacb3f2b03a9c10b841f936be4b6486a69ceb16bbd6a3ba5ee0c033a534ac4477ca8c4f454c3487e4aa6d5e7ccb574d9317f46c38db28b6ea304

    • C:\Windows\System32\alg.exe

      Filesize

      493KB

      MD5

      c654a86aa42cc938576e84e24dd4a7c1

      SHA1

      bffc2b75df7e6a4cc46a97b73f59f6a30c0b83ec

      SHA256

      f77cea6b151d07b7585330841e839bf295723f2a92bc08edd7d7999e7672b872

      SHA512

      b5c1a21de9b9e01869e9a6538b3a003342689e7d14d0ac339bc7db731c731b0c74137473811cdc5654c0c0c8a15cbb93b2d57371e1788d432e6de009f9a0f937

    • C:\Windows\servicing\TrustedInstaller.exe

      Filesize

      193KB

      MD5

      805418acd5280e97074bdadca4d95195

      SHA1

      a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

      SHA256

      73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

      SHA512

      630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

    • C:\odt\office2016setup.exe

      Filesize

      5.4MB

      MD5

      5666979c0474db4d7c717c2475e6fc18

      SHA1

      d3f416c0cffddd90967b3070933880608fddb32f

      SHA256

      f37bdebbd172f32a68fac8e35ad8568ef89efbabde2b1134fe96147aa50cbe23

      SHA512

      e1fe810383d77f158e222206de26671412cbc4017e21cf6f1a71381c3edb8578a9cf339b65b640a67b6544697fa88da3c21f5c40299ce1d49effb6e07435a0b5

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      640c7911c6f6cd3db36df95a799df47e

      SHA1

      3a05c75f1fcb9fe7cf601acfafbad8ef06046589

      SHA256

      9886e3944f7b7023089359a57c5017f285100c651732ec96a07e2367a903846a

      SHA512

      9dc464b46422df66caa0b1ffee7f9c147ccabcf97b02c1bdab3551671a0dc93518cc6caf6ea91ba46217856bc1224172dc0db22443b1807a5d90e644e0893240

    • memory/1016-29-0x00007FF688FE0000-0x00007FF689116000-memory.dmp

      Filesize

      1.2MB

    • memory/1016-156-0x00007FF688FE0000-0x00007FF689116000-memory.dmp

      Filesize

      1.2MB

    • memory/2688-183-0x00007FF7FA1E0000-0x00007FF7FA4A4000-memory.dmp

      Filesize

      2.8MB

    • memory/2688-44-0x00007FF7FA1E0000-0x00007FF7FA4A4000-memory.dmp

      Filesize

      2.8MB

    • memory/3316-128-0x00007FF669C50000-0x00007FF669DD0000-memory.dmp

      Filesize

      1.5MB

    • memory/3316-2-0x00007FF669C50000-0x00007FF669DD0000-memory.dmp

      Filesize

      1.5MB

    • memory/3884-189-0x00007FF727690000-0x00007FF727948000-memory.dmp

      Filesize

      2.7MB

    • memory/3884-53-0x00007FF727690000-0x00007FF727948000-memory.dmp

      Filesize

      2.7MB

    • memory/4132-37-0x00007FF630180000-0x00007FF630342000-memory.dmp

      Filesize

      1.8MB

    • memory/4132-36-0x00007FF630180000-0x00007FF630342000-memory.dmp

      Filesize

      1.8MB

    • memory/4460-144-0x00007FF6FE2E0000-0x00007FF6FE417000-memory.dmp

      Filesize

      1.2MB

    • memory/4460-45-0x00007FF6FE2E0000-0x00007FF6FE417000-memory.dmp

      Filesize

      1.2MB

    • memory/4460-17-0x00007FF6FE2E0000-0x00007FF6FE417000-memory.dmp

      Filesize

      1.2MB