expiro | df54c21ba0cf550eeec35e12389b04bd5ba0e0fc4d8b1f7b00e6462ad2078f25

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
Size

625KB
MD5

3e39fff75f17d22d6680c691ed6dc954
SHA1

9738179ee0793e408f0158348a4a5dccf42e0ed6
SHA256

df54c21ba0cf550eeec35e12389b04bd5ba0e0fc4d8b1f7b00e6462ad2078f25
SHA512

a0ef49f2b4c34f39efef21a69f021896ae2fc72b91af8682eaf31468e80b6e47d7807618617e420fd0ee3f8b55e68b2e8dcecc659a98ed259029e9d3f771ac9e
SSDEEP

12288:uVt+w8wyv//66WoJMH4xBLc8A5N2mVgxRFTLxT4NH:kt+w5yvDJs8JWMHxT

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1088-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1088-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1088-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1088-47-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1088-49-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
60	alg.exe
3908	DiagnosticsHub.StandardCollector.Service.exe
1376	fxssvc.exe
2672	elevation_service.exe
4392	elevation_service.exe
636	msdtc.exe
4596	msiexec.exe
3928	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2878641211-696417878-3864914810-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2878641211-696417878-3864914810-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\K:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\R:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Q:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\T:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\G:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\I:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\U:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\X:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\V:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\Z:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\L:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\P:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\S:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\Y:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\M:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\N:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\O:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\W:	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened (read-only)	\??\S:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File created	\??\c:\windows\system32\perceptionsimulation\mkpnegmk.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\SysWOW64\gkmgnojf.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\SysWOW64\enfnflhj.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File created	\??\c:\windows\system32\hnadfehe.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\kdoccfil.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\dgfdqocn.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\fdjpakad.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File created	\??\c:\windows\SysWOW64\oejfgjda.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\openssh\bgalfhhk.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\phacmqab.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File created	\??\c:\windows\system32\mnccngki.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\meikdjhb.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\mqcqmccm.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File created	\??\c:\windows\system32\gdjhladn.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\wbem\gdihhnbd.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ijcdlpdf.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\system32\npcchghj.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\kdpiiqon.tmp	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ibkjjmkl.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\npocdncc.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\ihffbjnc.tmp	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\mgpaegjl.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	\??\c:\windows\servicing\claioceq.tmp	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe
60	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1088	JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
Token: SeAuditPrivilege	1376	fxssvc.exe
Token: SeTakeOwnershipPrivilege	60	alg.exe
Token: SeSecurityPrivilege	4596	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e39fff75f17d22d6680c691ed6dc954.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:60

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4576

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
28b8964f41cc41f267d3048b074f6622

SHA1
9a2d8a81db3c7fa39df16601ce01983863f356be

SHA256
cf2346f2272a4e5bc77d9492cb8d25093641708b6f3b0a1af95c24282656d64c

SHA512
04db04bf5d1820a67d82c3aa01fbf2ec72c61538ca27c776366057252ff37eb761ea7e219d6737d20d094014505d192577c36e940c50bc259d7f57eaca03c61e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\kdpiiqon.tmp

Filesize
621KB

MD5
385b3b70a9293c73902ff6f18118bf17

SHA1
0b5de2882b8609c01856f02d469377bd2154539c

SHA256
d234577262da3d287e0c3c5f1cf511aae7650ead440794f3cdb79d671510e61a

SHA512
7e2444dc22a94e5f6ec343a1e98b3e1fd001652655041bf5863cb84a5ad24d87797f06fd4c72550fb51aa012ab54d10a8fb1cafc74c5aeafac1c822b6ca01ea4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
e8dd40c09697a62787987d59d9f1904e

SHA1
cd0ea8eff7b1708d18420bf39073b378b12c193a

SHA256
9c88e1ade702e29e7a7a962f07f45690b63bcb6663248270e0bb00b8c0fb48c9

SHA512
2a99792df63ff1298b8aef492e3dd5f24b7e4e8628893ca41324594a0da9fd1f858eb3b316e7534303592a8e0be1bd5cc0e89dd987c4fa7899503175e4142b63

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
9886a638b1223b77acd908ebef6327b5

SHA1
60829a7541a2bf0b50083f6a691ec765e111bbe7

SHA256
2ca87389b246685070f16783a74f8399900674cc610786388fbfb559d295fb46

SHA512
62a67dfea9e2a7c14f302390b0f360f9b853dbf5676ff421e45123fafb752c697c19d8b37517257c948fb8dd2097c9331506e72bd15bd56d3dc751a969d174c3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
f0d1bc3c5ef85ede0f331e88355702a8

SHA1
f09046c9751cff51461811963fe694a4595e5a9b

SHA256
28bbdf86faab0a074e323cf8ef6acb21ec2158a5d893b7564c31f444b3c0d001

SHA512
a04086b8d93533e898407469b9923ea0cb1aa95c8baf113bebe5688fc45567a394d3d6e4f459efcc9424a50645788fec7bf65a227209ef2eb356f8ba57cc5eaf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
5a8a05d8f4bd8fece65ed0c14adc9a5b

SHA1
c32da7cfeb48d38d4fb5a4635a0590aa64dcd62a

SHA256
c6ad11d9927e0903d216301ad29529cb39933749fc55734b068c85e4a8b75ed9

SHA512
7906e4d7453a8fe2f8139cc4e1283ce425a0390dc17d8ab8b54f9fcbc09e86240b14880a40035890b0c9f8422bbb9b18173bb91c235c8fab3a53a5bf61c129d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
e5babbc9b3d207f3fff732100f4f10ce

SHA1
ebbc28790869151a23bad19c29e056d9881993e9

SHA256
600f3c3b57482107d4f4a67673a80865876cbfb8523768b495383f2743f5c0e6

SHA512
7a4295b7e8009dd72337c02c0c008b7f25e1b6936f5767ab4803573c0fd371e6033266e3f37f35802b6489f02fda9a2345a022cd13dcb66995ddfcf9469bdf27

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
8e7282f1499d6e93170d9580365103b3

SHA1
debe7b9898d6c0929e2bb593a8137a9b846a5f78

SHA256
23d3aca607d3b2d86e7ee70bd736cadbd311960729d6f5d74cdbdf954269d2db

SHA512
23a059b1587cb0c942d46be166a29be119f37238c56de92ea131c66c9e1fb790d50834c29850deceb587a4446931c0c18810473cc34c1110682fa9000e477063

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
dee3578b36aaff23fce0efdc585b162b

SHA1
28501ba3779980f3ac867915fdecf2f341f6e8ad

SHA256
be5dc44d3e15f8d0fc6addaf5d00b930818f420a4193464301122545695fc48c

SHA512
374934cc2d514b1923641817a6db8161e0e1616e45858ff73609bb8182098c9841a4f623b39d96a60d060a4277d647d688e9aa74e6f9a706525bf95becd385e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
03a39bcde09eabdae86d8965503da103

SHA1
7c5db237bf1884839cddc2678e869a6854fdf5ec

SHA256
9d0ee2e5aeff77fb6c513b3f9360ee1049b156fa29e02f5e97c0db5027364a04

SHA512
56d4caf908de063c204e0cc0df2edc57e61ffe7eb4acc1aeee3cc042b1d9c73f3f060edea85439e00f1523c6bb6450fa1ba1bd7200fd0c0886641c389c955cb8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
7b10a09bc27c354a7d57717331bd3c82

SHA1
54d61d40b44ed56ebf1153abfb65fed93db7476f

SHA256
ff48235c62d053b3c10ae6d31b4f66400e1c8f5a4d760ba35525671283264e19

SHA512
8471a6316a2ec7eb6f81553b21c5156b803ef065fca436a6a94608034ac476e947e4103ad4ad7c7b9c1c535f57303bf7d09f52c60b90a235d0c6ea875519fcfb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
d1b1664328a0724c4891655af16f0fca

SHA1
ab52c361ebb28cd6db09286b6f7d6e5c0c00ffc6

SHA256
00dc750c3696a7ad8136134af974c301d894202a523e35852c0af76c8aa6c96e

SHA512
7853f7ce7c0f0986f1d9233ac6e5dd8b239e945537815f2335b5569db780e6771d854098ee7e071500e0bec303e92d5d25781265a990f4596e25aa4e150469b1

Download Submit
C:\Users\Admin\AppData\Local\qdlknbel\aplffnkh.tmp

Filesize
625KB

MD5
04ad20286ccdcd953fb6dc1ee457ea85

SHA1
900ea9dae4b446c61dd1454d608331a3591c3ec1

SHA256
ceaca766975a5146489689cba7c852976ba6f834a8604999d839ff25d196c0fc

SHA512
1b82ebbaa4f0e88185a6d48251a9a8a91fad7da7ac9bd0f5fc3799bafd9eb7a12c7eb4f35aa216ae29e21a6ec74a0566a6912993a020794a5a0a020161cf6868

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
ab258d33914a4153f51db662c64bf4fa

SHA1
f96d4fdbde2051d3444ad51ce0feccf29d5476a1

SHA256
87881e4eb3b6d44ffd60dd43bba2834995d138dac5863a25bdeb7fe85fa91760

SHA512
0f69a28f1ce04adc7a779a5e54bda0ac41a5cf7aa7bff951925e13cc4d73b10f8db70e49c33f4a941c82c0ba2974b1837f9ca630c9264d762584aae06eabd4e2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
f76143b1fb9b704fc09349681d9beed7

SHA1
4670870f12d3cd192b64898f99690be58c69bad0

SHA256
45839cd8962756f5982221a7106f98d7ae776c34d303efcaeffa5578a36d664a

SHA512
f41532c7168f0a0317479e0c51119092839423b646510af6b836df19b4e5f12ecc263fd8b28a2844419885e648f90dac96919f5e6f5da222ff9b2c76f1932ae7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
0671f8fe4cf1d817e70ac2ff5fa8cd63

SHA1
782f17c3bbef4dac24936ffcea00d32444713bb0

SHA256
46b546e9f238651a52f1b878c0f9a833c138a41e27b3519f9a13707ab9a596f3

SHA512
d1dccce7109f07eebdeaac3fb1652b9c81d35a94a1b6346981e5fcc66ec1e5a75ae489bccb07a1ede9a92ba52256655d5a7d6354f1922e23e63ebf86a99f8b47

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
effa8661b9f622f43b22357c470f11bd

SHA1
da05e9c1ec631ca47d9b3d275c15919550a11072

SHA256
d703950e81ab0102a3fe916ea092e371a8fb297dc412b65ed8d7fec2fc57f33f

SHA512
6c9572c8f8d1101a300f27c7ac123cd2cba5a09be9225a47345aa934a196d696adac0a81a809aea6cf72d875f169cba86646d6ea9f1cc957349d0d863585bf14

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
2e891f3b9e7149609c9018a2721f4158

SHA1
2582a16e8ac1f1cdf7b26f8acf747cd2ac1fbb99

SHA256
6a998e97e45150bc7d2a3c6bcc4496ca057a971336d89e685d1243ba3ab9760b

SHA512
0e1e6f92051fc1a33660a9aecd0485ec54679d24405cbb31ee96aeb2ba1705d3680aad439226b755bccca63e675eb952133df426cc203fb601753e9ada97cc34

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
f30d6742ecc1f8f5f371d7fc56bed3b3

SHA1
401fee85b15ac35a2787eba08dd17b85cbd72615

SHA256
8022858d3685961fe83361d94390fcc33adf395e240f7694812f3a45747d7f1d

SHA512
d54007fd7473d0980dae29abb6a833e876f41a14f4d60598dbeefe324b58a8e088d439fa9929b8319399c781ef5734ddec1036c3d420ee35845ec7c3c93e9d0b

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
\??\c:\program files\common files\microsoft shared\source engine\ose.exe

Filesize
637KB

MD5
fe3e062ccd6099c7e61afdcb863c4d24

SHA1
dae916d0f315b3c87bd36033c66fac1c0275fbce

SHA256
c694d5f08aba3e5ea0c2d4bff3666155d21a6a080e54a91738a0bca08f0c1488

SHA512
f7d54d129d2f6e0f54ae1f726f957d9bac71df98f2db8199191dedfe6be60599d201b9f48329c517cc036fc27bd7bbd9d7a219dcc4ce1acc8df46ea6a74fdf61

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
d5f357a6cb93af781657f604a5a71550

SHA1
132328e19e55a2f7ed2cc7e471adce5f9b59345e

SHA256
d927cd893bc34f690c864888f051be66fc11126c6705ad189fb364b280e7922d

SHA512
6eed1d60607c60a5be3d1db17fdfbb81e62525467a748de2bbaaa4b1b2182f120c3f319a02cd2a5f08bbecb25f544957f8e70c98437b5e8a227178cb72a5436c

Download Submit
memory/60-58-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/60-57-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/60-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/1088-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1088-47-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1088-49-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1088-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1088-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1376-48-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1376-50-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3908-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3908-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download