General

  • Target

    c7501c5118971f1ee4e86372b8963310_JaffaCakes118

  • Size

    60KB

  • Sample

    240828-v2cjyazcmr

  • MD5

    c7501c5118971f1ee4e86372b8963310

  • SHA1

    c7a5bf459c452e0d22ca14b7b3e5696f40fb4b48

  • SHA256

    a49043714c414f0680f9ee25dd807f73549ae2385a60604d9bc8b59fe19e4ce6

  • SHA512

    4b26a3ce4bc4b4e931c2f46a7100aaea3cb3514d043add6fb771c4ef625f65f2b5e03e1b6f3b121f308e0a29ea26197aed2be83414c0a1c07c14e771f87653c9

  • SSDEEP

    768:XE30N/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:gNPeXonnUStQXDI4spvVp+N8NECtH3T

Malware Config

Targets

    • Target

      c7501c5118971f1ee4e86372b8963310_JaffaCakes118

    • Size

      60KB

    • MD5

      c7501c5118971f1ee4e86372b8963310

    • SHA1

      c7a5bf459c452e0d22ca14b7b3e5696f40fb4b48

    • SHA256

      a49043714c414f0680f9ee25dd807f73549ae2385a60604d9bc8b59fe19e4ce6

    • SHA512

      4b26a3ce4bc4b4e931c2f46a7100aaea3cb3514d043add6fb771c4ef625f65f2b5e03e1b6f3b121f308e0a29ea26197aed2be83414c0a1c07c14e771f87653c9

    • SSDEEP

      768:XE30N/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:gNPeXonnUStQXDI4spvVp+N8NECtH3T

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

    • Expiro payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks