General

  • Target

    bc9ea758a974cf6d14c2f4b0741e73b1_JaffaCakes118

  • Size

    68KB

  • Sample

    240823-wkpnlsxhnb

  • MD5

    bc9ea758a974cf6d14c2f4b0741e73b1

  • SHA1

    5da2b100f03220ef6da2d31b233115846720a5ba

  • SHA256

    bf668f689bbef053f7220a8026cd32eaa490eaa9495a5e9e092d478c92f2f184

  • SHA512

    5c86c6fd0fdda6914426b382d5f572ad14d31f5379cdf312feb59c45aae819bf7c47e0c67ba079621c263cbbc2db7ec8da661ac3e6de7ca9e2d1791668b6fd00

  • SSDEEP

    768:uXzF6X7m2PX2uC3P1UtKzlJsEqDlEVBRDKwsB9nMZnANQ1N/4U7rYxamg46MVpo:uDFX2PX2uCUtT9DlkBRDPsBcs0WpgX6O

Malware Config

Targets

    • Target

      bc9ea758a974cf6d14c2f4b0741e73b1_JaffaCakes118

    • Expiro, m0yv

      Expiro, also known as m0yv, is a multi-functional backdoor written in C++.

    • Expiro payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15