Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-04-2024 11:26

General

  • Target

    f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe

  • Size

    672KB

  • MD5

    f0f21b42ad4fc3652edd2111eac1099b

  • SHA1

    0f555174e839b85c52e47eb5c66645d2ce1ac4c0

  • SHA256

    ec83c2c1eec33e0da96d042d70338877a95ab967b5882e1c6a2ebe8f11f62f0a

  • SHA512

    8cb7f96eb8c9d99b12883f148546715c495dec7e44df83bc22382319136e46a62c5470e0424dd8fdd39d6210845a4eedeea3f3d9826eb9713163b162c78e23db

  • SSDEEP

    12288:mCCGxTwAe2mjiVg69cvig2t8aLhREsG4w4hRtZx1afUbGe49:mClxc0gKg2tRREso4hTYsbxK

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 2 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 29 IoCs
  • Drops file in Windows directory 6 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2572
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1484
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:4904
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:3972
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:5068
    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3184
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2492
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4536

Downloads

    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

      Filesize

      2.0MB

      MD5

      ba57de6587dcf695c81067a977c0a454

      SHA1

      c3ea79da6f8482b5a0f4c8bc7aeeafe2a715afd6

      SHA256

      e83baeef5e3764099a8d9d9111cff71d774afa8b2838a933de7988865ed21867

      SHA512

      b49ee778ac9494b6bc4ef246ccca5dd01bc5aee2b00d08e718c780c930d7407f1dc67c3a469c5c37ac1899b735470b176e43031651c466fb232ae5998fde6434

    • C:\Users\Admin\AppData\Local\dkiroaap\cmd.exe

      Filesize

      682KB

      MD5

      13002bbaa205db9ae35b1e747973bfc5

      SHA1

      041b6d53d426cad51ac5731d2d6586495d2a0f62

      SHA256

      c7c96a30787b0f8229eaf59b4399f47357a864b5930d9c297c3640a4d0c9e588

      SHA512

      0409a730358033985021d0dc64c4357f9dce5b4aa8a8c7f8dab70ba823c3212e3bfe22af848638481c0db30010172a2e7701112bfb576fd6ee5e02d3e3b0100d

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      491KB

      MD5

      18d57ffc76363af1fbfcb5d1ef65a3ef

      SHA1

      b154abb2f88e1bcf9c52b92e93805c63bb541db9

      SHA256

      5979bc4fc282a9ae32bf237eb11a24b929aff2bd2817280fe83969f68d1f682a

      SHA512

      7aa0c21d01971c2a12eaa27f28fa948b36c9ba26119a80ad37c152ce2899e1a17f05c5800ce419ab5b34211e724ec30f59b298c10669c528c6cc135fc98060be

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      526927b3dccb1e69abcab6b0aa7d6086

      SHA1

      2e403da115730bc64a8ace1493290244d34d0a1e

      SHA256

      629c12f45cf89043aae1cb59d8239cd248d7a451ad53ffe03530311f1ae819cb

      SHA512

      ac763d04d72eef904e7981ac4dcdf38bb342f9b101e09280a9f3a69771530a619dc7b56e09e286c3f619df6d9b8a5ff1469ff316adbd2904a9622eabc54d3c18

    • C:\Windows\System32\alg.exe

      Filesize

      493KB

      MD5

      17ed3ea573334ce5831ebd0ef514390b

      SHA1

      a306cf5674b29c406013f5cda8c6a8f50d8e85eb

      SHA256

      e88d7882d2996d07a6f8e20419fb46dd103175c447779a05f05f6899a185aa96

      SHA512

      4a2df5c824d25eeafae1403d6f2024bf30908e9d6088cf08397c405991092fef162ead1c14aa992c97d8912cf9b101f496e5d61e0fdb966f02276f1e59bdba55

    • C:\Windows\System32\msdtc.exe

      Filesize

      544KB

      MD5

      145f294892622995d680508e6b3a59c5

      SHA1

      f449a7816742693a68b2c88013478ccc09274105

      SHA256

      e81356c57b6f1ba277a441b78b00daff5988e1771112ef372281a8d51b3d6600

      SHA512

      2392113b51c7fb919f7f58291edc07118b2eedb6e8fb7ec91df0d35a7f25d9043ad573268564f45f488b3ca0ce28bb719f8bf2bd6ca6c63ba52f15dc1d090e85

    • \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      a99116296796ddf1e7370d0679043337

      SHA1

      eb4a7160a7bba1b9de17d5b5d1539ca957f5c03a

      SHA256

      e6173c8129e64c3e89a8cb7aacc02ae0d5c950a85067bc73e886e60a222a0e9c

      SHA512

      464a909e794615f2c516201b0080c738c033d4a07f1a0d37583f045f59d85a981da07fb32d0f1b36874f3ac81cc7fe60d9c58def63769d1c500ff1356ab2455f

    • \??\c:\program files\common files\microsoft shared\source engine\ose.exe

      Filesize

      637KB

      MD5

      990d189bb14a21d96acd358a8a3ff80f

      SHA1

      4be302011bad2d002179b483ab6be091d45a7b60

      SHA256

      456cfe0e4e4bc4f70d37adf2926fb590af9b08c64530a2a3b238c254626a6664

      SHA512

      4df016026ccd6ec6ef41dd3a7c1286daf3c05f9acaec101de1d802c9fcaa7abfa2af9d79c94bb1c8f65893ba5c9f06c27a5745393fdc74781a6fd7fe5950a87f

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      5d6fc1027c3e34ea0084f5763dfee5ea

      SHA1

      b37e5726c0db7722340434a05036be3cbe4f0057

      SHA256

      22c3e98f58bb51ddc62113bf70560d131b407cf5e275fdaf78d7fdbd105ff55b

      SHA512

      6a09ed89b21cc41c140a124979e3acf24c782eeb203691e9dd2fe7527ebc4a61f48689ff949bf3932631396d9b3e6aee861e429f2951b005622b2683de53235a

    • memory/1484-17-0x00007FF71B450000-0x00007FF71B587000-memory.dmp

      Filesize

      1.2MB

    • memory/1484-23-0x00007FF71B450000-0x00007FF71B587000-memory.dmp

      Filesize

      1.2MB

    • memory/1484-72-0x00007FF71B450000-0x00007FF71B587000-memory.dmp

      Filesize

      1.2MB

    • memory/2492-105-0x00007FF7B2C90000-0x00007FF7B2F48000-memory.dmp

      Filesize

      2.7MB

    • memory/2492-60-0x00007FF7B2C90000-0x00007FF7B2F48000-memory.dmp

      Filesize

      2.7MB

    • memory/2572-39-0x00007FF6D0840000-0x00007FF6D09C0000-memory.dmp

      Filesize

      1.5MB

    • memory/2572-2-0x00007FF6D0840000-0x00007FF6D09C0000-memory.dmp

      Filesize

      1.5MB

    • memory/2572-1-0x00007FF6D0840000-0x00007FF6D09C0000-memory.dmp

      Filesize

      1.5MB

    • memory/3184-104-0x00007FF6E0240000-0x00007FF6E0518000-memory.dmp

      Filesize

      2.8MB

    • memory/3184-57-0x00007FF6E0240000-0x00007FF6E0518000-memory.dmp

      Filesize

      2.8MB

    • memory/4536-73-0x00007FF7A4E80000-0x00007FF7A4FC6000-memory.dmp

      Filesize

      1.3MB

    • memory/4536-111-0x00007FF7A4E80000-0x00007FF7A4FC6000-memory.dmp

      Filesize

      1.3MB

    • memory/4904-88-0x00007FF7C3070000-0x00007FF7C31A6000-memory.dmp

      Filesize

      1.2MB

    • memory/4904-31-0x00007FF7C3070000-0x00007FF7C31A6000-memory.dmp

      Filesize

      1.2MB

    • memory/5068-45-0x00007FF7A6770000-0x00007FF7A6932000-memory.dmp

      Filesize

      1.8MB

    • memory/5068-40-0x00007FF7A6770000-0x00007FF7A6932000-memory.dmp

      Filesize

      1.8MB