General
-
Target
e022e074c29608aa626bd4894a68680f_JaffaCakes118
-
Size
128KB
-
Sample
241211-gj8b1atrgq
-
MD5
e022e074c29608aa626bd4894a68680f
-
SHA1
2a02466b1fb3d289bbe7ed20ced8bfb94ba50f6c
-
SHA256
b48f9ff9f9638001e269ba19259a77500a17907f2dc7dcd86bcbe720b178d2f8
-
SHA512
a3e592c2294cba98e93180beacc9f7be20cfe55aa3438fa80683ca0df8cbef72cdc6bf8f98aa68843516f07ee24f6fa0abe7259bc51ee4421d7e809adfd156ab
-
SSDEEP
768:tE30u/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2Zv:a+PeXonnUStQXDI4spvVp+N8NECtH3
Malware Config
Targets
-
-
Target
e022e074c29608aa626bd4894a68680f_JaffaCakes118
-
Size
128KB
-
MD5
e022e074c29608aa626bd4894a68680f
-
SHA1
2a02466b1fb3d289bbe7ed20ced8bfb94ba50f6c
-
SHA256
b48f9ff9f9638001e269ba19259a77500a17907f2dc7dcd86bcbe720b178d2f8
-
SHA512
a3e592c2294cba98e93180beacc9f7be20cfe55aa3438fa80683ca0df8cbef72cdc6bf8f98aa68843516f07ee24f6fa0abe7259bc51ee4421d7e809adfd156ab
-
SSDEEP
768:tE30u/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2Zv:a+PeXonnUStQXDI4spvVp+N8NECtH3
Score10/10-
Expiro family
-
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
-
Expiro payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1