expiro | a57aa42b392124188716088c90835ba9c708edbbbb017cb009c6819643f50f42

General

Target

213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe
Size

60KB
MD5

213da720fe5ecdc950445fe44e3f585b
SHA1

3622c4d856a1628d68eaf52eb1bf4a0815a6b817
SHA256

a57aa42b392124188716088c90835ba9c708edbbbb017cb009c6819643f50f42
SHA512

5878b4113fe6a41c0e4e66df091af57e8f1b192253bc235f41d9413a49836866acc25501ef6b9b7af685cb0d7937a1622a064cfeb4996c81e1e95dbb98088d48
SSDEEP

768:0E30e/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:F+PeXonnUStQXDI4spvVp+N8NECtH3T

Score

10^/10

expiro backdoor persistence

Malware Config

Signatures

Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2988-14-0x0000000000400000-0x000000000040B000-memory.dmp	family_expiro2
behavioral1/memory/2988-28-0x0000000000400000-0x000000000040B000-memory.dmp	family_expiro2
behavioral1/memory/2656-45-0x0000000000400000-0x000000000040B000-memory.dmp	family_expiro2
behavioral1/memory/2656-44-0x0000000000400000-0x000000000040B000-memory.dmp	family_expiro2
behavioral1/memory/2656-47-0x0000000000400000-0x000000000040B000-memory.dmp	family_expiro2

Executes dropped EXE 2 IoCs

pid	Process
2180	service114.exe
2656	service114.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe
2988	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service114.exe"	service114.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service114.exe"	service114.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	service114.exe
File opened (read-only)	\??\F:	service114.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service114.exe"	service114.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\service114.exe	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\service114.exe	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2180 set thread context of 2656	2180	service114.exe	30

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2988	2912	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2180	2988	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	29
PID 2988 wrote to memory of 2180	2988	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	29
PID 2988 wrote to memory of 2180	2988	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	29
PID 2988 wrote to memory of 2180	2988	213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2656	2180	service114.exe	30
PID 2180 wrote to memory of 2656	2180	service114.exe	30
PID 2180 wrote to memory of 2656	2180	service114.exe	30
PID 2180 wrote to memory of 2656	2180	service114.exe	30
PID 2180 wrote to memory of 2656	2180	service114.exe	30
PID 2180 wrote to memory of 2656	2180	service114.exe	30
PID 2180 wrote to memory of 2656	2180	service114.exe	30
PID 2180 wrote to memory of 2656	2180	service114.exe	30

C:\Users\Admin\AppData\Local\Temp\213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\213da720fe5ecdc950445fe44e3f585b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\service114.exe
    -n
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\service114.exe
      -n
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Modifies WinLogon
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\service114.exe

Filesize
60KB

MD5
213da720fe5ecdc950445fe44e3f585b

SHA1
3622c4d856a1628d68eaf52eb1bf4a0815a6b817

SHA256
a57aa42b392124188716088c90835ba9c708edbbbb017cb009c6819643f50f42

SHA512
5878b4113fe6a41c0e4e66df091af57e8f1b192253bc235f41d9413a49836866acc25501ef6b9b7af685cb0d7937a1622a064cfeb4996c81e1e95dbb98088d48

Download Submit
memory/2180-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2180-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2656-47-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-44-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-45-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2912-12-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2912-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2988-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2988-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2988-17-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/2988-28-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2988-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2988-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2988-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2988-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2988-1-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads