Overview

overview

10

Static

static

3

13531879c9...18.exe

windows7-x64

10

13531879c9...18.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    13531879c9d7fd96b66c4dc6aaef946f_JaffaCakes118

  • Size

    184KB

  • Sample

    241004-pe287atbql

  • MD5

    13531879c9d7fd96b66c4dc6aaef946f

  • SHA1

    0ae9fd693808a42caf6f246fb2f57bcd4d44746a

  • SHA256

    d4c492cb069488d266ce73424cbe477c656818ef3eacd5bf8c21a7d302c5acd7

  • SHA512

    91596fa57ca2945ec1caedccc07e3a5ba774898efa333ac33cd032a2773cb6c50abd42f9a0648bc7684956ab5ea2dada81329ea201b1fb895ae4e3c537bc732f

  • SSDEEP

    768:8kWXT7zWf69DQcvi1LcO8UoPIj4X9gqm+3lRf03NDKgj6+58nIWFgc:pzf69DQH1CUowj4X9tm+3le3dl59gz

Score
10/10
expirobackdoordiscoverypersistence

Malware Config

Targets

    • Target

      13531879c9d7fd96b66c4dc6aaef946f_JaffaCakes118

    • Size

      184KB

    • MD5

      13531879c9d7fd96b66c4dc6aaef946f

    • SHA1

      0ae9fd693808a42caf6f246fb2f57bcd4d44746a

    • SHA256

      d4c492cb069488d266ce73424cbe477c656818ef3eacd5bf8c21a7d302c5acd7

    • SHA512

      91596fa57ca2945ec1caedccc07e3a5ba774898efa333ac33cd032a2773cb6c50abd42f9a0648bc7684956ab5ea2dada81329ea201b1fb895ae4e3c537bc732f

    • SSDEEP

      768:8kWXT7zWf69DQcvi1LcO8UoPIj4X9gqm+3lRf03NDKgj6+58nIWFgc:pzf69DQH1CUowj4X9tm+3le3dl59gz

    Score
    10/10
    expirobackdoordiscoverypersistence

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

      backdoorexpiro

    • Expiro payload

      backdoor

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks