General

  • Target

    b79ad730db8506a9851f8c9651478ba3_JaffaCakes118

  • Size

    100KB

  • Sample

    240822-pg9faazakr

  • MD5

    b79ad730db8506a9851f8c9651478ba3

  • SHA1

    afcf6ab64cf0d21034151b23aa64a58d171f4f74

  • SHA256

    262860a6622357b3355d07a44dc7266f470b13fff04d5e848426f888085cabc4

  • SHA512

    14f326beb9d7472be20f453e9077fd005f75c7e15eb71b7e16fef68b36b77cda138f33f34a176e4b5a6b4dab4185fe0ea21858b99445f9f1dfb3a995d7b23fdf

  • SSDEEP

    768:sXzlX7m2PX2uC3P1UtKzlJsEqDlEVBRDKwsB9nMZnANQ1N/4U7rYxamg46MVp:sD02PX2uCUtT9DlkBRDPsBcs0WpgX6

Malware Config

Targets

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

    • Expiro payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks