General

  • Target

    b94faf2a92736f7af9af5e060371d459_JaffaCakes118

  • Size

    68KB

  • Sample

    240822-1324wasgqq

  • MD5

    b94faf2a92736f7af9af5e060371d459

  • SHA1

    eaa5b9b303e5c86e180bd07975947632e2135b0d

  • SHA256

    bbe1211ef5eb2d8a303958bb85d4393ec7b35b9611c47dcbebd6f32f740c8d77

  • SHA512

    e252a1a6e0bc977db26afe914da88dd657f61b6f073a803a0e0cb20a6f8f62059d3362bd1ff50bec048c1da049e5363089231b115425045fe8ea8b5fdcb00faf

  • SSDEEP

    768:7XzlX7m2PX2uC3P1UtKzlJsEqDlEVBRDKwsB9nMZnANQ1N/4U7rYxamg46MVpo:7D02PX2uCUtT9DlkBRDPsBcs0WpgX6O

Malware Config

Targets

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

    • Expiro payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks