General

  • Target

    cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118

  • Size

    900KB

  • Sample

    240831-h8l1qssbma

  • MD5

    cc6962b007a8512fd286d0d50489e3f0

  • SHA1

    326665ca3524b4b1afbf2ecb5c3096ff19e7de55

  • SHA256

    deba095b9ba5ffd6ea866849da264d0197efbaf12acd27b900213354d0fa18ff

  • SHA512

    4173a8311a6feeac481ecc8551252122f0fd04e1a9a7fb549d735078e5bf84a6e8e311f905c0e30f3eaef1eaf1bbd50eb05de3b623922f0a9859c9b99be1fa4d

  • SSDEEP

    24576:ZotQUwXBNssktnYM441giJ22zPubfCMqtPQgqevcZGq2bl:OtQUgQPuOJtTtvcZVwl

Targets

    • Target

      cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118

    • Expiro, m0yv

      Expiro, also known as m0yv, is a multi-functional backdoor written in C++.

    • Expiro payload

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP's saved sessions. By default WinSCP keeps them in the registry under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions (or in WinSCP.ini for portable installs), and a saved session can hold the host, user name and an obfuscated, not encrypted, password. Treat any session stored on an infected host as compromised and rotate the credentials.

    • Adds Run key to start application

      Writes a value under Software\Microsoft\Windows\CurrentVersion\Run so the application is started again at logon.

    • Drops file in System32 directory
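
The signatures above are what the sandbox observed; on a host you would look for the same traces in endpoint telemetry. The script below is an added example, not part of the sandbox report or of any vendor's rule set: it replays a constructed, chronological sequence of Sysmon-style events (process creation, file creation, image load, registry set, file delete, plus a registry read that Sysmon itself does not log) and reports which of the listed behaviours fire for each process. The SHA256 is copied from the report; the PIDs, user name, dropped-file names and the vendor installer used as benign noise are hypothetical, and the Run key and WinSCP session paths are the standard locations rather than anything taken from the page.

```python
"""Added example (not part of the sandbox report): replay the behaviours the
report lists against normalised endpoint events and see which fire per process.
The event schema, PIDs, user name and dropped-file names are constructed."""
import re
from collections import defaultdict

# SHA256 of the analysed file, copied from the report above.
REPORT_SHA256 = "deba095b9ba5ffd6ea866849da264d0197efbaf12acd27b900213354d0fa18ff"
KNOWN_BAD_SHA256 = {REPORT_SHA256}

# Where the listed behaviours leave traces (standard locations, not from the report).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WINSCP_SESSIONS_RE = re.compile(r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\Windows\\System32\\", re.I)

SAMPLE = r"C:\Users\victim\Downloads\sample.exe"            # constructed path
DROPPED_DLL = r"C:\Windows\System32\wcpm.dll"                # hypothetical name
DROPPED_EXE = r"C:\Users\victim\AppData\Local\Temp\upd.exe"  # hypothetical name

# Constructed events in a simplified, Sysmon-like schema (chronological order).
# Sysmon covers process_create (ID 1), image_load (7), file_create (11),
# registry_set (13) and file_delete (23). It does not log registry reads, so a
# registry_read event needs object-access auditing (Security 4663 with a SACL
# on the key) or an EDR sensor.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4112, "image": SAMPLE, "sha256": REPORT_SHA256},
    {"type": "file_create", "pid": 4112, "target": DROPPED_DLL},
    {"type": "file_create", "pid": 4112, "target": DROPPED_EXE},
    {"type": "registry_set", "pid": 4112,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": DROPPED_EXE},
    {"type": "registry_read", "pid": 4112,
     "target": r"HKU\S-1-5-21-1\Software\Martin Prikryl\WinSCP 2\Sessions\prod-sftp"},
    {"type": "process_create", "pid": 4300, "image": DROPPED_EXE, "sha256": "0" * 64},
    {"type": "image_load", "pid": 4300, "target": DROPPED_DLL},
    {"type": "file_delete", "pid": 4300, "target": SAMPLE},
    # Benign noise: a hypothetical vendor installer touching its own settings key.
    {"type": "registry_set", "pid": 5000,
     "target": r"HKU\S-1-5-21-1\Software\Vendor\Settings\Version", "details": "1.2"},
]


def evaluate(events):
    """Return {pid: sorted signature names} for every process that fires a rule.

    Events must be chronological: a file counts as 'dropped' only once a
    file_create for it has been seen, and 'deletes itself' is attributed to the
    process whose own image gets deleted, even when a child does the deleting.
    """
    hits = defaultdict(set)
    dropped = {}        # lower-cased path -> pid that created it
    pid_of_image = {}   # lower-cased image path -> pid
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        target = ev.get("target", "")
        key = target.lower()
        if kind == "process_create":
            image = ev["image"].lower()
            pid_of_image[image] = pid
            if ev.get("sha256", "").lower() in KNOWN_BAD_SHA256:
                hits[pid].add("known_bad_hash")
            if image in dropped:                      # the dropper ran what it wrote
                hits[dropped[image]].add("executes_dropped_exe")
        elif kind == "file_create":
            dropped[key] = pid
            if SYSTEM32_RE.match(target):
                hits[pid].add("drops_file_in_system32")
        elif kind == "image_load":
            if key in dropped and key.endswith(".dll"):
                hits[pid].add("loads_dropped_dll")
        elif kind == "registry_set":
            if RUN_KEY_RE.search(target):
                hits[pid].add("adds_run_key")
        elif kind == "registry_read":
            if WINSCP_SESSIONS_RE.search(target):
                hits[pid].add("reads_winscp_sessions")
        elif kind == "file_delete":
            owner = pid_of_image.get(key)
            if owner is not None:
                hits[owner].add("deletes_itself")
    return {p: sorted(s) for p, s in hits.items()}


if __name__ == "__main__":
    for pid, sigs in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(sigs))
```

Two things to keep in mind when adapting this: the WinSCP rule only sees registry-backed sessions, so a portable WinSCP.ini would need a file-read rule on that path instead, and attributing "deletes itself" by matching the deleted path against known process images is what lets the common pattern of a child process removing the original dropper still land on the right PID.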
