expiro | 52c44545129a7efe21cc8a3b71a4166af528a5b5142425617dcc907f62471478

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
Size

645KB
MD5

09d607bb679423c3a1636d922b0470a8
SHA1

29895b10fbb22ea67adc7c05f9bde69dc79d8f68
SHA256

52c44545129a7efe21cc8a3b71a4166af528a5b5142425617dcc907f62471478
SHA512

90413037654dec1ecdd469cdc8a863ae82ac586a30f9e683aa1b9e3f8a54bc494fb99860f4fd4af4e5bc1da6974501af5a3c91e063fb762528f2f559a23ce0b6
SSDEEP

12288:rYG8GLVeUF+bZnoD2kUQf3zyJQ/aEy+W27jIhyeNnCZ:0G8GLwA+bZWXUQfDyqCINghygnCZ

Score

10^/10

expiro backdoor credential_access discovery spyware stealer

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/5060-2-0x0000000000400000-0x00000000005CF000-memory.dmp	family_expiro1

Executes dropped EXE 6 IoCs

pid	Process
2416	elevation_service.exe
2988	elevation_service.exe
2492	maintenanceservice.exe
3700	OSE.EXE
2480	ssh-agent.exe
4828	TrustedInstaller.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\L:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\N:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\P:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\S:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\U:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\V:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\E:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\H:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\I:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\M:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\Q:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\O:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\T:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\Y:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\Z:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\G:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\K:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\R:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\W:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened (read-only)	\??\X:	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\Appvclient.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\Agentservice.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\openssh\ssh-agent.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Internet Explorer\ielowutil.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\7-Zip\7zG.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\7-Zip\7zFM.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.vir	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5060	JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2988

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2492

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.0MB

MD5
6676bcc135a48f1a59fb6dbaae84a050

SHA1
d47e70b67f061971ddaf5dfd96bcb0f6af3ecdd8

SHA256
fafc2b802625e5b36549bec8951834cf200e594408ae5f4a1871b5ac9d69bb9d

SHA512
5a79cbd051a84d8aae9070e055c709ec8d6f46a87e128667758cb93a8196a883b788c8e66254179caa92c88dd4059408e2d87283c59286bd82a598190289b079

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
723KB

MD5
4f4c48ce6146bf2f85f2a73e47c5192c

SHA1
dca3c52694705cae43c1d977a5070327280ac319

SHA256
25fc2c0693eb63f68d1589c5e439c39e18764d921f7cba8ad18fbe3e413b769c

SHA512
b6cbb23f2ae51f437dc30ccf42917a07ecf817bdf94b4a08a07241d4a9c9b08179e6ce24f1d80d5291ddc1d8059c4b323afacd97602513830f9c850ce8e99c04

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
740KB

MD5
3735b88805771b0ff33a9e24a46d73ee

SHA1
ce37d26c832636a8316e7130d263e20ee12a39b1

SHA256
065f1443bbf8bb16e499850e84a5b05d21dea2038cbbe39d47f29eaede9c45eb

SHA512
58d872286c1269870bd848d811d2847e1731e5dbbb892b36e90ec543724456d9cb57b5be75e6950ff058b987ca1a47d4d0e5a21c31d50eb352336ec1679dc2ef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir

Filesize
4.5MB

MD5
86f15f6c1f23c279398e317d81c31707

SHA1
f977d5ac382d6f058f8834bcc8aa5496cbf05154

SHA256
581ec61cff47374b803ad8efe0b9376656c64af8b4779f66e5f0fb171fb7d157

SHA512
21a7012273a9f34acd1be4f4a91f1478bd577feddc1197f30479c4300fd95b8688da7a6d916ff845ef4a214b731b61669c461bfee4a095549cc1d8da59918218

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
2f8c1ce7dfb9c9d8978eb884e5e87fe2

SHA1
83dd9e8f51d76c3a2d7425831c0ff85ece499063

SHA256
7cb4ed8798e5e9d6f8aa0ec0e4864d2652c7a75170f4b9099861dce23833a837

SHA512
4071c58953c2d70c5f3cd8c6ba981caa910738b743fc4bf572ea0655f3b5b29fb36f84efbf49d8fa4c85c88839a66a3e69a9f3f3b00c57c124bd8fee7419158a

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
1868d232314f61a86b90de56a61a4ce7

SHA1
2237f46e6a4276f9cd3df150b485c9caff8a64a3

SHA256
b77b8817c8e3305c5215f85a7aba9052a0a65ca0e33a1c9d7a6586a905ce1848

SHA512
4a96007ca668129a7330fe77a92abf6ad23c945617109fbedf2dba34bddc6f8e873a537c334b57efaa4f88792a9e51df56e2a52cb270bc88e7bd978a636b86c3

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
923KB

MD5
f504222c4136a89aa551bbc67701cdda

SHA1
eca8de1a482af1b7d7263c26f5bc740c0b166603

SHA256
aca8fcf73490e8af2bc6d03540fe0e3625e3455f19fa7edd785fcc513b7d561f

SHA512
0971e53132fcdd69d54747732b068d816676729744ee42f057002257ee136615239c5e97f186497e2ec4beb9efb0e4d04a778449ce18caa6b1c1e775442851e7

Download Submit
C:\Windows\System32\Appvclient.vir

Filesize
1.2MB

MD5
90503e9c1b44f2e1691409d9cc464dea

SHA1
3c0460a0e02ab733dcfe2f368f494599b72fc7de

SHA256
04bae3e4742942e3f73145d849ab1cd03e70fca9770dbffb6cf2d2bc7db64ebc

SHA512
a87707d668e62be5ca7c0688e421a7663041c713a81b8356a234ccfa4bc885a1648f52cf4b14a46c967a491aa6121aac7d500939ca62f8613374c60e00ac3dfa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
874KB

MD5
1722922ded587a1a3edce235b5146b44

SHA1
66f29421381b4cd3fb1ff3d02a6552282bbd382d

SHA256
d52eb99d038ccefff7ea71dae2b0171ca18da15f3dce33d391b2276db5fda714

SHA512
8552d29d501996b975a747e46e9066b23c33c417b82d8473613c8a0f27c6d9866907445f94b24110c03ce8baacfc9b0656fd6d36b060fd2984840e4ad0d48cdd

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
memory/2416-118-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/2416-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

Filesize
4KB

Download
memory/2416-141-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/2416-20-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/2480-75-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2480-154-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2480-76-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2480-153-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2492-61-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2492-37-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2492-36-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2988-29-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/2988-28-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/2988-119-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/2988-120-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/2988-139-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/2988-140-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/3700-62-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3700-133-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3700-147-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3700-121-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3700-60-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/5060-0-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/5060-2-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/5060-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download