General

  • Target

    c5374fdff5d6376b9f0b231fa90156b7_JaffaCakes118

  • Size

    184KB

  • Sample

    240827-scqddswemc

  • MD5

    c5374fdff5d6376b9f0b231fa90156b7

  • SHA1

    cc455793cc131593ff28a3130289ec1eb5908578

  • SHA256

    52ef941ca150d3eb079fdb753972a9e3838ca6e4807a41c29d86bb176aa65646

  • SHA512

    01925d84918d12bd591d033654bcc15de3c717b8ed26369bb976032c4eefb7d3fa3a549b7785de2ae3a0ba7afb7321e2f8e1c43b8f71901322f664c2c5bd21f7

  • SSDEEP

    3072:ic1lmfSz9tr2TFtjRH0bMubdQ3DDr7Q+QuNV0llIs4tHbE:icvkTztWMMmoZuN3s4tH

Malware Config

Targets

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

    • Expiro payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks