Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-04-2024 11:23

General

  • Target

    f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe

  • Size

    516KB

  • MD5

    f362dd71d128ea233ba0976d61589331

  • SHA1

    e1faaf133282c1efb78ef54b3b683c651df306a7

  • SHA256

    5450d70a103c7439fb6f9887bb6660cb2e07a7d6c4f0174a4fc7397a6742403d

  • SHA512

    5a4ddf03918adc1d4081a96251175d1d7130b08aa81b9f46697ba3c0a148f1f69e7b72d37643047143a4569a744d628ce3cc931edb5d6c70b1213c45fd0a74f1

  • SSDEEP

    6144:qOOr9BJ/GKWWBNU6ITLBi0qttclOKgU91BKLB15kAydiib4xMhj7TSnRHNaNul+o:3eBNUbTVO86UAtkj7b4xMtA1NaNZeaU

Score
10/10

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:732

Network

MITRE ATT&CK Matrix

Downloads

  • memory/732-0-0x00007FF7D7190000-0x00007FF7D724D000-memory.dmp

    Filesize

    756KB

  • memory/732-1-0x00007FF7D7190000-0x00007FF7D724D000-memory.dmp

    Filesize

    756KB

  • memory/732-2-0x00007FF7D7190000-0x00007FF7D724D000-memory.dmp

    Filesize

    756KB