Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-04-2024 10:49

General

  • Target

    ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe

  • Size

    705KB

  • MD5

    ed3ee5d24eb6c0cc2ece39ee104626aa

  • SHA1

    4b72d7ada5932a9980d521325f4bb7f8b39396b3

  • SHA256

    fe69326fb24b5c83fa532166371c23b0707b910b96233b9db22130fa2131adab

  • SHA512

    9b5de1c6febb33aab504aa46813c24377177f48d9624436f1d247191d3631c997bf552becccaae000bdc21da67c9ef192258032b5784a417432a6fec14d3faed

  • SSDEEP

    12288:8DJnJM4OpSpnO8kTQlgtBLDAChznzLW7naDjRrI31vjAmAmvMY:AJnJM4OqTWqiBLcChznzLW7nOjRrI316

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload (2 IoCs)
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE (7 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives (3 TTPs, 42 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (40 IoCs)
  • Suspicious behavior: LoadsDriver (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed3ee5d24eb6c0cc2ece39ee104626aa_JaffaCakes118.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4076
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4648
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    • Executes dropped EXE
    PID:4688
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:2168
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4560
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    • Executes dropped EXE
    PID:1596
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    • Executes dropped EXE
    PID:468
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    • Executes dropped EXE
    PID:5092
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:4928

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (1.9MB)
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (613KB)
  • C:\Program Files\7-Zip\7z.exe (940KB)
  • C:\Program Files\7-Zip\7zFM.exe (1.3MB)
  • C:\Program Files\7-Zip\7zG.exe (1.1MB)
  • C:\Program Files\7-Zip\Uninstall.exe (410KB)
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe (672KB)
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe (4.5MB)
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe (738KB)
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe (23.8MB)
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe (2.5MB)
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (2.0MB)
  • C:\Users\Admin\AppData\Local\ddpomjpj\doflqeob.tmp (678KB)
  • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (487KB)
  • C:\Windows\System32\FXSSVC.exe (1.0MB)
  • C:\Windows\System32\alg.exe (489KB)
  • C:\Windows\System32\msdtc.exe (540KB)
  • C:\odt\office2016setup.exe (5.4MB)
  • \??\c:\program files\common files\microsoft shared\source engine\ose.exe (637KB)
  • \??\c:\windows\system32\Appvclient.exe (1.1MB)
  • \??\c:\windows\system32\locator.exe (406KB)
  • \??\c:\windows\system32\msiexec.exe (463KB)
  • \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe (499KB)
  • \??\c:\windows\system32\sensordataservice.exe (1.6MB)
  • \??\c:\windows\syswow64\perfhost.exe (416KB)