Malware Analysis Report

2024-10-19 08:14

Sample ID 240416-nhk9eaah5v
Target f362dd71d128ea233ba0976d61589331_JaffaCakes118
SHA256 5450d70a103c7439fb6f9887bb6660cb2e07a7d6c4f0174a4fc7397a6742403d
Tags
expiro backdoor discovery evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5450d70a103c7439fb6f9887bb6660cb2e07a7d6c4f0174a4fc7397a6742403d

Threat Level: Known bad

The file f362dd71d128ea233ba0976d61589331_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

expiro backdoor discovery evasion trojan

Expiro, m0yv

Expiro payload

Disables taskbar notifications via registry modification

Executes dropped EXE

Loads dropped DLL

Windows security modification

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-16 11:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 11:23

Reported

2024-04-16 11:26

Platform

win7-20240221-en

Max time kernel

92s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe"

Signatures

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Disables taskbar notifications via registry modification

evasion

Loads dropped DLL

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3787592910-3720486031-2929222812-1000 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3787592910-3720486031-2929222812-1000\EnableNotifications = "0" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened (read-only) | \??\Y: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | \??\c:\windows\system32\ieetwcollector.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | \??\c:\windows\system32\fcghnmce.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\vds.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\lsass.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\msdtc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\wbengine.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\alg.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\svchost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\fxssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\ieetwcollector.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | \??\c:\windows\system32\idcgmocn.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\snmptrap.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\vssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\wbem\wmiApsrv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | \??\c:\windows\system32\dkocaqcp.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\msiexec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\searchindexer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | \??\c:\windows\system32\ofnbnqdo.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\ui0detect.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\lsass.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | \??\c:\windows\system32\qnklkkkd.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\locator.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\alg.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | \??\c:\windows\system32\ncnqkmkk.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File created | \??\c:\program files (x86)\mozilla maintenance service\qfjcfggd.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | \??\c:\program files (x86)\microsoft office\office14\gejpjiok.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | \??\c:\program files (x86)\common files\microsoft shared\source engine\ddibegkm.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | \??\c:\program files\google\chrome\Application\106.0.5249.119\modjhibg.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | \??\c:\windows\microsoft.net\framework\v2.0.50727\mbpdmfji.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File created | \??\c:\windows\microsoft.net\framework\v4.0.30319\ajikhphp.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | \??\c:\windows\microsoft.net\framework64\v4.0.30319\jkjacjpn.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File created | \??\c:\windows\microsoft.net\framework64\v4.0.30319\jkepffmm.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | \??\c:\windows\ehome\ijehhond.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\cfkhminb.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2BA4CE36-22F5-4282-969B-C71353419666}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File created | \??\c:\windows\microsoft.net\framework64\v2.0.50727\hffqmfpc.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | \??\c:\windows\ehome\hfbgnjda.tmp | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2BA4CE36-22F5-4282-969B-C71353419666}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

System policy modification

evasion

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 198 -NGENProcess 19c -Pipe 1a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 228 -NGENProcess 208 -Pipe 224 -Comment "NGen Worker Process"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

Network

N/A

Files

memory/1252-0-0x000000013F4F0000-0x000000013F5AD000-memory.dmp

memory/1252-1-0x000000013F4F0000-0x000000013F5AD000-memory.dmp

memory/1252-2-0x000000013F4F0000-0x000000013F5AD000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 07623b9bc15a647ac3ba8ffd9eb16305
SHA1 e2df30634f8d2e565de8800e6f2c11cdbf7fe137
SHA256 8e2b57fbb8aa21570852831757849159175e73a997427e34d17caaeb31fd21fd
SHA512 a7843c76dd68c4631c481f292cdce210babe89a3ab7979083b890a3e1d8b283d04e260e431a83a1f5618534451ccd2c29f732e33e9dfd888c9f15b02bf35ed19

memory/1252-17-0x000000013F4F0000-0x000000013F5AD000-memory.dmp

memory/2564-18-0x0000000010000000-0x00000000100B2000-memory.dmp

memory/2564-19-0x0000000010000000-0x00000000100B2000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 c00a7f11108f8b006f99e17ae922d21d
SHA1 a9374642cb47dc0d2875194e7fa044b0d2996735
SHA256 ef2032ce6f6b36fe03e9948786340c2953e757b13727729cc3fbf56beed96b81
SHA512 91ed3f6a1b17abc851b799ecaaef9444d721c0481512c7e1cb9e7a81ac875490af1c5140063120ed6393eefc224b60b6ea98d029f5fbe3a753529ea0c5bbf08d

memory/2564-26-0x0000000010000000-0x00000000100B2000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 dc2834c53f38796f0bb3a04d44abef5d
SHA1 6604d9c7feb9acdd2efae8a61560d96fab495ec5
SHA256 a5f305427c7210f37dee719d846185d496b0344157c05deeec3e79f495e8dd39
SHA512 ccfc5c1593f042174ef0299203068d25ad69a54badbd8936943b0ac521fe384245ec1147f2d1a71f058b301010b1aeed14c6617b1fb353ef88cd541619ba25ff

memory/2432-34-0x0000000010000000-0x00000000100CA000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 5752edcd9a36f15b74aefb44217d8017
SHA1 2925da7d466315236881c67620e28f8e20fba1af
SHA256 4aee9d0106c4cb1e91f5483ef66bc9d9027d3c7516a1ff53634f35991d3bfa17
SHA512 9d5753c45341f2ec2da24602f38c3e1d2a91764cad882655f0bebed55de8dd5a111fb9f646d11df3b615ce15a1127b1b353512505a719ec05db3a1ec86172a3e

memory/2432-38-0x0000000010000000-0x00000000100CA000-memory.dmp

memory/2432-42-0x0000000010000000-0x00000000100CA000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 e566311c92ceb15feba0b0848ef715cb
SHA1 65a3790078b010bfe3fce00e5696060911f7f400
SHA256 f97d99cfa54379c1ac7550bd2fe7b36f5727b39003f20380537ed44c5f2cbbf2
SHA512 1502126cfa09d7d010b0fc9921c4e15e9b03b42d6a9ed1d94316cd08f77d86838e55c937f7e0adb0198e2e7f8a5f1a4e0460f237ea46239d55db091a6c1210ad

\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 a6047a8b72a939381222c048cf13a623
SHA1 21b5087d3d7300f296b2432e0fbff740ea06b5cb
SHA256 1d8021df0aff2ad897ef55b01e548a89ceb8de889e8d01926cdbedbfa216f1de
SHA512 e865074ef1a169be5880c366a5fcef58cfb4f66d8389287a3cd37d539e99d232dcbe0755b9c503aae4aa9d16fec8d73dcd5344cf96697ec5930f13ffa1e43eb5

memory/684-54-0x000000013FD40000-0x000000013FE11000-memory.dmp

memory/684-55-0x000000013FD40000-0x000000013FE11000-memory.dmp

C:\Windows\System32\dllhost.exe

MD5 6547287f46a787cacd2cfdd4e97d78da
SHA1 d83d00201159df05e97467df6ef455a41a1bf6ea
SHA256 56be8a2270369de2c07f8aa1e8d4c7125511614ea214dc9d1253c582ca435c45
SHA512 3fc7c33c910d65a7f2ac0ff345b57da5d7581369a959640dbbc751b24aa53ee554ebaf8912ecce6a288212464ff0ca189c67c32c2abf3a8772f8b79efc8a1e79

memory/1372-67-0x00000000FFDB0000-0x00000000FFE68000-memory.dmp

memory/1372-68-0x00000000FFDB0000-0x00000000FFE68000-memory.dmp

memory/684-72-0x000000013FD40000-0x000000013FE11000-memory.dmp

memory/2532-73-0x000000013FD40000-0x000000013FE11000-memory.dmp

\??\c:\windows\system32\alg.exe

MD5 91e2d65c58d3ecb4fec8b0c53d53cb2a
SHA1 b77971c65f845a27aa9523661e4d92b5b4871051
SHA256 273c6cd234d04b2d113e00883d9902a3da6bda65352133381ffc4f572f0100dc
SHA512 7f381168e082145d9ba6afd18ed8f78afc1b5afaef117755f91587346a091eca4072c9c06570371c8008179b1a3e0e77d64964d9035656081a682a05d7b9134a

memory/2532-75-0x000000013FD40000-0x000000013FE11000-memory.dmp

\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

MD5 c1623b03458c3f057e91d3daacacbf30
SHA1 2b71cb845b75edb1d0937a21e44246f5230b668b
SHA256 a2d150055b94977ef58a8f304f3ed03fc7f709034aa3c948af4065c196cfca77
SHA512 5422db1ef286722ea76979d5e20fd094c89bc7a113254338243987eb675c43c37a45e82c8d4dac161094d91c489e4852282f27e8f9a4d0c556247acab5c72e12

\??\c:\windows\ehome\ehrecvr.exe

MD5 56960f22a7bc0e5c6a166c633fc38239
SHA1 125f2a9c89ef07447ae2577c56eb39bfb29e71a0
SHA256 12cb2c474a0a1903f95e5b6ee98d3b310bff3ea28f94b2b3f61700b185eab02b
SHA512 02d95ba7892d08885cd21ca36e0e50539c6109f203340c54a786f0e44f4350b52c8e0d74caf8c40d692e12ecb53dac20b6ea9b66ca0ec8a8c2ac4bfbe9ed0cd2

memory/2532-92-0x000000013FD40000-0x000000013FE11000-memory.dmp

\??\c:\windows\ehome\ehsched.exe

MD5 380717b8f63f09e0ef480892350410db
SHA1 7e7ae7c30567456c43bb0adb9332032cfa6132ce
SHA256 fb31970804ef8c3fd93188b80a51e46ecd3a28077473a243c7d9b78cae291c92
SHA512 66d4d07b3aa5c98d0694d0cb5579888af41651d61c4dbc6573aab814c56a8b13848a91094903ac6012e2c5e7b8e8a78d4c7c7ca5370f0ebd3de05e05e828a365

memory/2532-94-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

memory/392-95-0x000000013FD40000-0x000000013FE11000-memory.dmp

\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 719e69f871aaf5f4131cb18f71b75065
SHA1 d20115f3ca22f32a410faf394a042e6cedf3934b
SHA256 d5d8fe2e4c4ab18939b3e22bee29c083d3536f9591a15fdeb22b59ab9b4843d2
SHA512 fabb8b2baae71dc84ba9a94a152980ddf6436e49a48843adbdca67dc55005d11e23f40d1571f30c0e305513d5373bbf7f14ea5a4bfb96d956b2a17855882a3f5

memory/392-103-0x000000013FD40000-0x000000013FE11000-memory.dmp

memory/2928-104-0x000000013FDF0000-0x000000014004A000-memory.dmp

memory/392-102-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

memory/2928-105-0x000000013FDF0000-0x000000014004A000-memory.dmp

\??\c:\windows\system32\fxssvc.exe

MD5 5612537b356833ae5e71087578276623
SHA1 e0f2dcecdec7695a718d5b8d85131876a04381e1
SHA256 2f10df661b238724df5517682e203fe05f61dbc441a2647e44456da8a576b905
SHA512 c0ff8b46b8942131b02caee48dc9e5becc3719a16aa1e51ab8d81013f5368e5e199d38ad7a592fdad21544966f3a06b63fb88e02eca20f69679225eba9ca26c0

memory/684-112-0x000000013FD40000-0x000000013FE11000-memory.dmp

\??\c:\program files (x86)\microsoft office\office14\groove.exe

MD5 fccf4e45a86209c37893a0e5ee9ee677
SHA1 5622e8ede7aea8c8bce9a96afbed77d4d803f292
SHA256 b7a391082f106c4ab253f9f3da53e2b5d68785b7fcd80b9651b9dfa6de6d7c97
SHA512 321bb1c0134410f462d09864baeced01d5dd6fe17cd6e26af830c4cd7d38dd9628dfbbc36d2050db500991b9af6f90862ae7be272937aa5c58f71c9afd47a526

\??\c:\windows\system32\msdtc.exe

MD5 1fc4a22f83f3837f96609e1cfe3922e0
SHA1 20f0d3fdd58ea123de071b50b21bf705d05679a5
SHA256 54a4d43de8e9f124b50693c25b3ae40d4603cc0a027d9cf28f565ec4aa9ab9ec
SHA512 bfce44418c2b573e5e8bbbbf4a387d755bd676bc57460aa2a8e6aee2d28d03125ecba64018fa8a37beafb05deb286fc8a51bf8aefb18b57a638b8069e2cbb6c0

memory/1372-132-0x00000000FFDB0000-0x00000000FFE68000-memory.dmp

memory/392-133-0x000000013FD40000-0x000000013FE11000-memory.dmp

memory/392-138-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

memory/2532-151-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

memory/2928-156-0x000000013FDF0000-0x000000014004A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 11:23

Reported

2024-04-16 11:26

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe"

Signatures

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | \??\c:\windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\system32\alg.exe | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
NL | 23.62.61.104:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 104.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.17.178.52.in-addr.arpa | udp

Files

memory/732-0-0x00007FF7D7190000-0x00007FF7D724D000-memory.dmp

memory/732-1-0x00007FF7D7190000-0x00007FF7D724D000-memory.dmp

memory/732-2-0x00007FF7D7190000-0x00007FF7D724D000-memory.dmp