General

  • Target

    d5e7dd2fdc10eef78d76c41e985bf97c_JaffaCakes118

  • Size

    68KB

  • Sample

    240909-jrm25syakl

  • MD5

    d5e7dd2fdc10eef78d76c41e985bf97c

  • SHA1

    7f8543b54a35c65d28a2f0525239f03b3806f092

  • SHA256

    4aa852574ad707c3bd6bcddda14e7e3ee493eaeaeb50b3732398214464f7e4b1

  • SHA512

    4d4f8e191e98f30b5258d91fd0f5b98fc56daea846811a8e445bfa5e9d98a26363a9d89f28e9a0a5d6defa1715964510bde63827125d8dae50ff06fd465119c9

  • SSDEEP

    768:KXzCcEX7m2PX2uC3P1UtKzlJsEqDlEVBRDKwsB9nMZnANQ1N/4U7rYxamg46MVpo:KDCK2PX2uCUtT9DlkBRDPsBcs0WpgX6O

Malware Config

Targets

    • Target

      d5e7dd2fdc10eef78d76c41e985bf97c_JaffaCakes118

    • Expiro, m0yv

      Expiro, also tracked as m0yv, is a multi-functional backdoor written in C++. The family is also known as a PE file infector that appends its code to executables on the host, so other binaries on an infected machine may carry it as well as the original dropper.

    • Expiro payload

      Code matching the Expiro payload was identified in the sample.

    • Executes dropped EXE

      The sample writes an executable to disk and launches it.

    • Loads dropped DLL

      A DLL written to disk by the sample is loaded into a process.

    • Adds Run key to start application

      Registers an autostart entry under a CurrentVersion\Run key so the application is launched at every logon.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive, consistent with a file infector looking for further executables to infect.

    • Modifies WinLogon

      Changes values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (for example Shell or Userinit), a second persistence route that runs code at logon without a Run entry.

    • Drops file in System32 directory

      Writes a file into %SystemRoot%\System32, which requires administrative rights and lets a payload sit beside legitimate system binaries.

    • Suspicious use of SetThreadContext

      Calls SetThreadContext on another thread, a step common to process hollowing and other injection techniques that redirect a thread to attacker-controlled code.
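The Run-key and Winlogon signatures above name two registry persistence mechanisms. What follows is an added example, not part of this report or the sandbox's own tooling: a small Python audit that parses a `reg export` of the relevant keys and flags every Run/RunOnce autostart entry plus any Winlogon Shell or Userinit value that deviates from the stock default. The registry export text, the `svchost32.exe` and `updater.exe` paths and the user name `alice` are constructed for illustration and are not indicators taken from this sample.

```python
"""Audit a Windows registry export for the persistence mechanisms named in the
signatures above: autostart entries under Run/RunOnce keys and modified
Winlogon values.  Input is plain text in the format written by `reg export`."""
import re
from typing import Dict, List, Tuple

# Stock values for the Winlogon entries that malware most often hijacks
# (assumed defaults for a standard Windows install).
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
WINLOGON_RE = re.compile(r"\\CurrentVersion\\Winlogon$", re.IGNORECASE)
# "Name"="data" lines (REG_SZ); hex:/dword: values are ignored by this audit.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample export (not taken from the analysed sample): one Winlogon
# key with an extra Userinit entry and two Run entries under a user hive.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchost32.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Users\\alice\\AppData\\Roaming\\updater.exe"
"""


def _unescape(data: str) -> str:
    """Undo the escaping reg export applies to REG_SZ data (\\ and \")."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the REG_SZ values in the export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            keys[current][match.group(1)] = _unescape(match.group(2))
    return keys


def find_persistence(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (finding, key, value_name, data) tuples: every Run/RunOnce entry,
    plus any Winlogon Shell/Userinit value that differs from the stock default."""
    findings: List[Tuple[str, str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                findings.append(("run-key", key, name, data))
        elif WINLOGON_RE.search(key):
            for name, default in WINLOGON_DEFAULTS.items():
                data = values.get(name)
                if data is not None and data.lower() != default.lower():
                    findings.append(("winlogon-modified", key, name, data))
    return findings


if __name__ == "__main__":
    for finding, key, name, data in find_persistence(SAMPLE_EXPORT):
        print(f"{finding:18} {key}\\{name} = {data}")
```

To use it on a real host, export the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and the HKLM and HKCU Run keys the same way), read the file with `encoding="utf-16"`, which is what reg export writes, and pass the text to `find_persistence`. A modified Userinit or Shell is a strong signal on its own; Run entries are a baseline comparison rather than a verdict, since legitimate software such as OneDrive also registers there.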

MITRE ATT&CK Enterprise v15

Tasks