General

  • Target: ff84c3866f64b3fe3e3ebcc435c7311e_JaffaCakes118

  • Size: 672KB

  • Sample: 240421-r4ns7sde64

  • MD5: ff84c3866f64b3fe3e3ebcc435c7311e

  • SHA1: 37e1554c055ef18f9dd7b38ab4f726d5be048961

  • SHA256: 1cec518363b7c1254352800d5e22f09ae2f0599b794edd27b0ea96bcd07d51fd

  • SHA512: abb4d802f150b81f9b472b038787a9a710926ef8afec0b5c303fa0563c4cc733bbb1e1bb595995309aa0b151529a9d56915bd8cc4e46828ffc950704828ac13f

  • SSDEEP: 12288:8CCGxTBAe2mjiVg69cvigH0Grc6O8rIoQRRKuMqvIgxBre4LJ+PGvut:8Clxd0gKgHBdO8voR7vIgxBre4LUDt

Targets

    • Expiro, m0yv

      Expiro (also known as m0yv) is a multi-functional backdoor written in C++.

    • Expiro payload

    • Disables taskbar notifications via registry modification

    • Executes dropped EXE

    • Windows security modification

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory
