Analysis

  • max time kernel
    169s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-04-2024 13:41

General

  • Target

    f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe

  • Size

    705KB

  • MD5

    f5e803f430fcd2bb59b59604d3b42063

  • SHA1

    22b93f1ece7ccfb039acf7ff6d164e9ba3977034

  • SHA256

    084f787a0c52d0282f9867cb2555ef2ff38185c35f4165115fe6082671623da8

  • SHA512

    9742ba227bae6ffaa93ceb823dd2792d3c7e49548c9d6a042c79bc18290d4cd8636e57f2841a9b7832f5ba45b715215ede9f9bb13511a9f434ab69b7bda1b62e

  • SSDEEP

    12288:9DJnJM4OpSpnO8kTslsIqrQAq/LE9Eb97BeGdypTRvcoI:lJnJM4OqTWWsIqrQAq/LE9EJ7BeGd46o

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 2 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2708
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1180
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    • Executes dropped EXE
    PID:788
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:1048
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:8
    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
      • Executes dropped EXE
      PID:2808
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      • Executes dropped EXE
      PID:3692
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3344
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4896

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Mozilla Maintenance Service\hjdjfejk.tmp

      Filesize

      629KB

      MD5

      e9024cc3ebe62d0ef5665438a5189593

      SHA1

      bb85b88eb140ddd0e43aae1a9e7a2ba47d30421b

      SHA256

      7937452bd1f279d36be3ee64d96c3ffd272a028ca94864cb81452adcb15aca40

      SHA512

      8fb379cfa1972c8888ec59a8a1b9fa9db944636459cbcf7d563c8bcb4216430df1cefd2803071b45602c983cfd9e10a80a97afb2d1a438c6d56b2bc09530008a

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

      MD5

      17fe65e9797e4b6bfe8381c696a583b8

      SHA1

      f69370d3c1e8c14c9fc2aec620832653bef78008

      SHA256

      5c8e88d20f3bd36a0ef4ff34c966edd91700f8caab47ba76b9193ddcaacc8216

      SHA512

      b7adf5df40c635b78a342bb0433acda6c9041f84a319b49969df33733a4ddeec94f9af88ef9964e713eb8335a164b18e075b7957fa02a880733e5cf6737b67be

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

      MD5

      333cde0b5a3ef63e3f3ff556dcf69b21

      SHA1

      0d29c082891af5ab300d1b8b2ba67beb618941d9

      SHA256

      6675b041d536794227dd306aab71a9be8ea3d1e7cfe8943e35c1849fe2147fdb

      SHA512

      714cdd9b21fd2779c5e7c134df3bc54946aa21898f94bd826aebb540fff2e22980b878923fbf59d0ebe1b69e6dd332de528ee8bd0e1669711ba43b48f5d3d3c2

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

      MD5

      fb8aff3fe4580b8854c50158b0676a3b

      SHA1

      d09c20b2899bd55b8aa81f8dd8208abeba2c48f1

      SHA256

      da21243cc5490ac66eae80bcd14ace01031681d46878d3b337cb151bfaaa2f64

      SHA512

      5ab23c2c3d79ca6f6653bf1e9793c97e198bc187aeb828f483f2499f60ddf79adb2b543e60b1583ec2c466218837048d50b813bdcc87f1496e90a49c239474d2

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

      MD5

      2930287660243b5b92a6633bb775297f

      SHA1

      ae4c780a29374344c1c4b3662864fa7aaf38cd79

      SHA256

      d1b26e36ecda068173e4f1d8707b1dce5b843a7d2ed1f7b89df6b07b4154c244

      SHA512

      bdf818efa67126f60190b60c382d6bba2de431a888025315b780f06378c166ee0649ba013ef48405d680277f1fd9f22d636f4c16a8acef65e319e358ea237cf7

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

      MD5

      7e36c90f774b89dc10cf070498d82196

      SHA1

      ea0d91fb0846f4dfa4dfd33a987dd46fb17c6bab

      SHA256

      c4d012039166dc4c53228adec243ccb9bf53e9fa7bc2dbde5e5c811ca030de80

      SHA512

      735ae32f003d9210fcf83b49a66882bb82e1c8e0c03cc4209f7d1563737a5242a9d86316a39116d36d8da6474734a0c334cc9e565fbeb8d5d87848b20f8d391a

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

      MD5

      48b4f58568be0bc76a31bca42c89608d

      SHA1

      7031eb790c4ba3983338492a7d74d8b2d5d8b6fe

      SHA256

      9898e14e098676b1101d061ea1244fd0d5b5d3fb257ca0f94973f53ea51c2029

      SHA512

      c5164814712ce6e2b5b4a8d593c8f4cb49ff36a78fd40a435dca935edca225fd6a7631b459dbf8121f9b505ff1945859e20f65d373ac938b8d910cf2825f7422

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      738KB

      MD5

      8596c6a9e61740e371b829f900fa9c48

      SHA1

      36febda21bd1ee56d64538ad8a5f79760304dfc6

      SHA256

      b55d9a6d0bfcfb4aed026ea984223066baf0884e49f9d908aab2ef033932cec3

      SHA512

      f8563085e048d4d4ca920711e9748a5e89d50f7542b11f85fa2febabceca629dc848afd61d7fb29422ebffeef4eb02588eea872db252618260ffc47989427fbe

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

      MD5

      fbccf125d51fe0a761949300453c88d2

      SHA1

      588e8dac53ff6917459287f744f95acc144d2aec

      SHA256

      37879ddbd57de04b167fcd838d3ee322abe486aa97823a02e41802ea46779967

      SHA512

      f7ab38b19afab2ff1a321b5e7f20358ed7dae6fd7f1f0349b21ec505b8840244544168be9811df2c74fd59f510be9487b10e3466c2738a21a0266af8db2dfdfa

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

      MD5

      e030e9eb118315318ec3089062937d88

      SHA1

      beea9de7223d048c7d30fd83cd1300133d0b1c61

      SHA256

      482be16853f7dce0b351102bd3a6040ebe40fce5136f7988a5c205cec5177262

      SHA512

      0afda596f53f06a3466fb22d8d78ce9560af5ca9edbd85c7466ff3d643c029b48e63cb606e3cd9963fdc924fb9b5e2e32666b7d20404ab3d197c99ed8f359ad2

    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

      Filesize

      2.0MB

      MD5

      2decc1a4d41f890591a0396ea351d4bb

      SHA1

      dfb1af01c73f8532f284e169656579396f77b36c

      SHA256

      db69b1874aded596550a3f0c766598b6dd67b5a4d7a4b7056dbe27ea5de1cda9

      SHA512

      5bb9d8905e125cb0b5ad91a27538fb9345960d3f631088917136e55078404169683e21035234f370c88dd1b0d4008f10e0d7363641e635e5dee1cd239acf9c32

    • C:\Users\Admin\AppData\Local\rdrmlbrm\mclkkcml.tmp

      Filesize

      678KB

      MD5

      bf9d5894e0dee248b9da7a8e2b719aca

      SHA1

      6483dcf948b792493bc35b027cdf8bad62b2533b

      SHA256

      2823706e1dd72296462b7ed85cb827a796b67fd64c13aa37c9273d0962f29e75

      SHA512

      d3f02ed02ce6dcbf2bbadc32c41226c89bd1e4614e32c54146b25f9e0a8e2c2843eeb523e97f9d7312a758c38c7c9943752c51ea61c8aeb1fc4ab1a986c5ca13

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      487KB

      MD5

      ed6debd678960acf2543a0e65acab077

      SHA1

      bdef1655ba7501d110de4f51f59b427fe69100d0

      SHA256

      05256ed56a94a9daf6dcdb2088d3b7440e00c43d9c50bf2fdbd2e0aaab2369c3

      SHA512

      9a25a7796e0d2e55556b5a36f0bbdf0e2439404ecf3966ff4027e6e46af6fc7467e02be375c94250150fa74a7aeb2c378e4ceec6a77a022c0b41f39ab03de5f5

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      eb229355a3df44551eee45d34cb16dad

      SHA1

      e38afef85034a1e1b54095634126f049d27d1434

      SHA256

      4a80663fddfec69102497e79e7b6ea4ded9dac07c088e8ac04a6bb6896a4338c

      SHA512

      45419fa96f5cc2ce38367c5a5e022f4a1871fec049961b52beaf1108a0ef3f151f0be11e48775078a12b46ad1214c75a414954ee5a8f4c9ae1b352d38b12e519

    • C:\Windows\System32\alg.exe

      Filesize

      489KB

      MD5

      7ef56091aa7fad52ac6ad0e085c52d7b

      SHA1

      084c29fb1d0f4048a287c3da85b5ded7d1880271

      SHA256

      5af6894a84a17eacbc23ffa27a324ae24f18d4b62024d3bdbc35c1c2946ec015

      SHA512

      34843577811fe870e5cc7bb57e07cf2019648bd7c2cf8c217a63f0e41ecc88654ecfec0202a7816c3c5d604d54787233f3146b3b973bd9ca9d2f62e1b8267572

    • C:\Windows\System32\msdtc.exe

      Filesize

      540KB

      MD5

      f867682db04427536796e09a21bd64e1

      SHA1

      3aee779473c77528fb8920b1b88b9d0b6e102c74

      SHA256

      32bf17506988efe78d89ddb69c44c13d13c57d07a85e657272ab1946d6b5a01f

      SHA512

      123a6c9e931515a1a798e338073ab4d772b93ac73e31137d9f60039d164246db1f0e5c3e6e86e876a1bd64682c1e7618c790b011603aad72dbdee50c9f623c3c

    • C:\Windows\System32\msiexec.exe

      Filesize

      463KB

      MD5

      ddbff94a22b8acd4d4f7a5c0ef47f839

      SHA1

      6d78a746091545882376fad6f908f9ef25134041

      SHA256

      8c744e822d8225a444ccdeb65c2f48e5d91cc2fa09edb178feef402cb0e63774

      SHA512

      45a770fe2ae7635ecdfa357b4ac9669d08425fafab2d028cb524885174985d93cf041f9d948b291dd092639a5d18c84d47efe5e6ff5c73c6700df5a03e2e2d58

    • \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      7f01b0c7f5baa130bd5aa91057989bde

      SHA1

      4a489ce49e2a47eca1abac52148defd8e09ffd3e

      SHA256

      a6897f28ccf77cf9f010460a53585d64087353fece81305d4b6c0db9a114531f

      SHA512

      5932c81b50de10d522ec4caa5f2ef45a8461dd81e54ce086f6610e3b35c27677f1c4584f3304e580280d8841ae28aca60e62cc047d4dcdc62f4ea580c0aa1e2c

    • \??\c:\program files\common files\microsoft shared\source engine\ose.exe

      Filesize

      637KB

      MD5

      e596d8b6baf596acace85ae7cade698f

      SHA1

      ea21d9240f6065c34b55aa7fcba807db7bdd51b1

      SHA256

      71e9ab4222b094dd707f921d259f5542631a8447afd93d6f9826509474f39a43

      SHA512

      0213c113d0a680897d66630027604a5ab4cf4b2289e23944b14cc942811117eba182916fc5b0e9fd8aae8d373ddc3869f84bdb7ab22e589c257db81bfd1cf8f2

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      5509f3585c29c6e12f9816ef5a737c94

      SHA1

      e93b5ee8a3dbb95a27eb2471f0d343bd927efce4

      SHA256

      dd715cc386effa8edf0f0d1ad6994fe6357d5b870b52cc1b49aa289dec4ac7c5

      SHA512

      1b5a882a585d741d25a18c07a496ba170e125e334b283cd0585f3ba935ea09bbe29066428ab85371fb2c0dc035db3cbbcb4fa9b934d3b63d1d1520f53a61e13f

    • memory/8-37-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/8-36-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/788-141-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/788-29-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/1180-44-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

    • memory/1180-135-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

    • memory/1180-17-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

    • memory/2708-71-0x0000000140000000-0x000000014016C000-memory.dmp

      Filesize

      1.4MB

    • memory/2708-0-0x0000000140000000-0x000000014016C000-memory.dmp

      Filesize

      1.4MB

    • memory/2708-2-0x0000000140000000-0x000000014016C000-memory.dmp

      Filesize

      1.4MB

    • memory/3344-162-0x0000000140000000-0x0000000140145000-memory.dmp

      Filesize

      1.3MB

    • memory/3344-72-0x0000000140000000-0x0000000140145000-memory.dmp

      Filesize

      1.3MB

    • memory/4896-178-0x0000000140000000-0x0000000140131000-memory.dmp

      Filesize

      1.2MB

    • memory/4896-83-0x0000000140000000-0x0000000140131000-memory.dmp

      Filesize

      1.2MB