Malware Analysis Report

2024-10-19 08:15

Sample ID: 240415-g65vdsge46
Target: efca5b4c5fd58b63d0849b344da07356_JaffaCakes118
SHA256: 8ff242a5decf90c7a1a9f98e621d347c0c8923d23d58b866713001676c00da60
Tags: expiro backdoor
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8ff242a5decf90c7a1a9f98e621d347c0c8923d23d58b866713001676c00da60

Threat Level: Known bad

The file efca5b4c5fd58b63d0849b344da07356_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

expiro backdoor

Expiro, m0yv

Expiro payload

Enumerates physical storage devices

Unsigned PE

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-15 06:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-15 06:25
Reported: 2024-04-15 06:28
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe"

Signatures

Expiro, m0yv (tags: backdoor, expiro)

Expiro payload (tags: backdoor)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\Content Type = "text/x-vcard" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wab | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\ = "vcard_wab_auto_file" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\ = "vCard File" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\" /vcard %1" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\",1" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard\Extension = ".vcf" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe"

Network

N/A

Files

memory/2212-0-0x0000000001000000-0x0000000001084000-memory.dmp

memory/2212-1-0x0000000001000000-0x0000000001084000-memory.dmp

memory/2212-2-0x0000000001000000-0x0000000001084000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-15 06:25
Reported: 2024-04-15 06:28
Platform: win10v2004-20240412-en
Max time kernel: 147s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe"

Signatures

Expiro, m0yv (tags: backdoor, expiro)

Expiro payload (tags: backdoor)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\",1" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard\Extension = ".vcf" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\ = "vCard File" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wab | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\ = "vcard_wab_auto_file" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\Content Type = "text/x-vcard" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\" /vcard %1" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp

Files

memory/3196-0-0x0000000001000000-0x0000000001084000-memory.dmp

memory/3196-1-0x0000000001000000-0x0000000001084000-memory.dmp

memory/3196-2-0x0000000001000000-0x0000000001084000-memory.dmp