General

  • Target

    d913513e5d05280e1bef97a048a84daf_JaffaCakes118

  • Size

    68KB

  • Sample

    240910-1hfedaxhmc

  • MD5

    d913513e5d05280e1bef97a048a84daf

  • SHA1

    c41ff7638635d3563a28a1aac07c258f14004b3e

  • SHA256

    a1f15d4415a26b3263112a698cde9f7bb561466994ffdea987bfda0461f59f6b

  • SHA512

    26a44c6e7784683045e16f476e828aff999ad9810fdaf1f5d4432ee714073cef6b7bbad660bb6dc334f0e531f9d4310a30b647879b0d31cdc82d038db610a9cc

  • SSDEEP

    768:sXzgX7m2PX2uC3P1UtyzlJsEqDlEVBRDKwsB9nMZnANQ1N/4U7rYxamg46MVpo:sD52PX2uCUtb9DlkBRDPsBcs0WpgX6O

Malware Config

Targets

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

    • Expiro payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks