expiro | 074c485967fa1a356f14c49ecb49fdfe19833b5401bd727daca572cd2d5b9794

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
Size

472KB
MD5

1b1071e58bf6a85eda6b0a27562de00d
SHA1

829c143f7fd6f7d80ca93ce7defee2944a2c0cc7
SHA256

074c485967fa1a356f14c49ecb49fdfe19833b5401bd727daca572cd2d5b9794
SHA512

88e94d8dee668503a6b856c0cf587eba22f602b2c590d42476db8a27088d078a307d7be7468d2ef4bd8043de5897c8cd303512aead2148832d5d9aef23073bc8
SSDEEP

12288:DCPzrOBcpsSeLm7inay076SWqM1QQOiy:qrOBjS4m/y076SW/eQO

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 7 IoCs

backdoor

resource	yara_rule
behavioral2/memory/4064-0-0x00000000005BA000-0x000000000064D000-memory.dmp	family_expiro1
behavioral2/memory/4064-1-0x0000000000540000-0x000000000064D000-memory.dmp	family_expiro1
behavioral2/memory/4064-2-0x0000000000540000-0x000000000064D000-memory.dmp	family_expiro1
behavioral2/memory/4064-3-0x00000000005BA000-0x000000000064D000-memory.dmp	family_expiro1
behavioral2/memory/4064-4-0x0000000000540000-0x000000000064D000-memory.dmp	family_expiro1
behavioral2/memory/4064-6-0x0000000000540000-0x000000000064D000-memory.dmp	family_expiro1
behavioral2/memory/4064-15-0x0000000000540000-0x000000000064D000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
4676	alg.exe
3508	DiagnosticsHub.StandardCollector.Service.exe
2792	fxssvc.exe
4148	elevation_service.exe
4940	elevation_service.exe
1864	maintenanceservice.exe
1588	msdtc.exe
1824	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-493223053-2004649691-1575712786-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-493223053-2004649691-1575712786-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\M:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\N:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\W:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\O:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\S:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\X:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Q:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\R:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\U:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\V:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\K:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\T:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\Z:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\L:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\P:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\Y:	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\P:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File created	\??\c:\windows\system32\oakpgnfj.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\dkqgdjnm.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\llbkgenc.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\hiebgphp.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\jmaqdccp.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File created	\??\c:\windows\system32\wbem\abcpkbih.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\nkicagkg.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\dknmqjam.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\oqdbkagm.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\SysWOW64\fmmdedhc.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\system32\openssh\mggcpeqh.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\cfgjqfqo.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\ilcogkkg.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\denpihkc.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\system32\mijlpmia.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\nllobopn.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\windows\SysWOW64\dppmpcjg.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\cgpgbgej.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\hgdmkldi.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe
4676	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4064	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
Token: SeAuditPrivilege	2792	fxssvc.exe
Token: SeTakeOwnershipPrivilege	4676	alg.exe
Token: SeSecurityPrivilege	1824	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4064	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
4064	JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b1071e58bf6a85eda6b0a27562de00d.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4676

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3780

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
d88bbaa35401de288ba9b66da7154cb3

SHA1
037bc289f88b3d77412df65d95240d6f65c0e02c

SHA256
899df5120ad47b9f3be24b426131cb02ccaf87886e19534ef0586f763bcedfd9

SHA512
3481ccc4821191cc8fb19bd9c173bec46c999e0248998e82e0ba6c4aa3a647afd4b7c16d002c9a5573171766e0862645a869fa805059aebb7ae209337d25eda1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
9f460f926327ddeb132a9c2aeaf8f110

SHA1
f5fcbaae614b547b87b78d4de9edf1e65d5136ac

SHA256
5b6d57857ed183b94aa45c374ff30a41e93dbfed7e5d846124ef477c107c7e65

SHA512
3670764584bb612e6252d1dbb254752645392f17243f3a2c1c776384d80ecc34be6c5979ab23f689fb7b5298115ea961c24afebbda96fa068fca068848ebb46e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
e8734646d3b1d9b6c1727d7e4a155a2a

SHA1
c44d5511a4310606898f23af390055c3ddf10c61

SHA256
0e580f8af5295ceefc8d1d9ba35911821dce844e9583836fca3727e4a73fe7a5

SHA512
d9ece803d52d7d0f52228b18ad5e28d78e6a9dcd91b8a6d0f6b71ad6e36951d00ac9ac4f972e457f6663a979ef5b71120ddaa93a0d6168ec15f0497b2142e5ac

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
0baf9665a31452290129b1a1939aee14

SHA1
308f6954fbdc33f224edb5a4cd85fb73136d5f46

SHA256
5fbcd3b88dee0c4e0ba6a48600a8bde51bab27435898953f7413e195d0ce1088

SHA512
ff7731bf19971ed45159aef9e2db29940daddec8f930aa14649e47ee6a60fdff76a2eb0dbcbe62348338ceba6a049d228db4f3382a4d43d76e2dcaf58aa72fc7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
997e12711acf96f6a82cf996f1c1de0b

SHA1
aa6bf0561929f0e0b71f68adf35a087329cd7dfd

SHA256
f44c77f32ae9b43d74bd8134a06f50d9a84ed84517b2eed17018a7305aee36dd

SHA512
c37c3452fe6facec756638cde80517e7efdbdbc01c3976167e1b502b960e8f5856e597ef88ad47e62d8fec90e9313039dca46d8124eb46db5cde876db1b46071

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
ffb2c33f399806e40c2fde7cea88c284

SHA1
55560acca10f0eec254e56306d20babcdc4e7528

SHA256
a9ca29911eb888003b8c5170ba6518b8cc3e2f60acac9961c920f20a0f41e6a7

SHA512
1a2ff2a4307132d42334fee1bd35fe5eb90f768083f3fe2528a461fcdddc9bc2bbe3a416b215ba1f66890aa576615aaabf7213776391f4a92c98082da5a944ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
9f75bbc302b1fb9cf2d8b8f2ff23212f

SHA1
83cf34dd40071b5a72dd0de9ba7de03c6f0ed000

SHA256
2b5e9e7c09f05055618b3c3ae5e5f5c2376e38056d39b32b724e97f98a6147d1

SHA512
e39a8dad4606aa559a13d130d76da4ac8b6eb4d6243084a073520181e02fcb69c600ca81d8ce42b9f76c71c9648a657dc3c85eda2dfae8f7ed618878b39daa81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
9f3f54a26a23cb7222ec32271be20233

SHA1
16871a1f9a0c9090b22e5792c60355d4c153a1dd

SHA256
a4942c0342f1ff3878302a1f2603f9da11b57297fb76b7a090f104e2adf976f0

SHA512
3d0c326f8d2f3370d9e34d0c9b3e8672b093fff515a5bad02ffb13660d4754055001e54d6229bfd3b2b5419d8951a4ebb4b040faf84c127ccd573a7b273c64b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
f7d149373180091253325d331a0513bd

SHA1
7e13f618ebadc9fce70698dc0b6bbb3c1758d939

SHA256
06747069b837df1dbcd6766039d1a0cb8e8f254b8e74d1743ae5f5117a824691

SHA512
8218df731c09b11b3b292669110bcd6dfe7f9f6a859a64d7b95b3339c1ceccdb7fcd2aaa7381937d856fb6e63d27e52878bcd65e567884927c975bb8123d3c8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
1f8b8788acbcab2b2af68c12591947ff

SHA1
b874270f47062dd6a288ca4c06d5aeed9aa41f3d

SHA256
b02a997f032e7888e546fdd92701da1337e08d5301156a23e41cba7eb488cd7c

SHA512
a2c3dd29d675b0b8b64400ab1b836e38c0e1b85b7247d842e24d3c97b9970f051ed2e6097f9fb08aac15dddb551a35527dd295ae2f3601f27d7351a48a6be4f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
aa1681cc69ada77d0017c864d433a5a7

SHA1
3ce3c9eff1c7994642a2709ccdbaff2fd312eee6

SHA256
181bff8d1fbaaecf66a8364114627fc6d77e6a898e16aa58449b2a046c43c1c8

SHA512
06df997756ec158a74fb592422c8477db1246cb2d02194b2ad5cda5b72fc7939886820885de38e30acf49685a1a7ad8e4a157c54775b3be0a2c198c6ee983fc1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\gobildah.tmp

Filesize
637KB

MD5
8954611f345d03f9a6e9803f4d6bd5bb

SHA1
1fd7817c6e71c0932536eb6f9420275bf7cb26ae

SHA256
023c2cbca90864555c78f9d27825964bf8d139b42bc5c6964354f12fd61a7dbf

SHA512
6a0ab1da68811b357d99b4f581ebae1dfa7f53ee9a408c3eec0d825a7e64c4e5535c047186a95019037f47ae702631937834f4f986aacb1b2295deadc91a2b9f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
4deadefd20d16568f8d177526fff5d50

SHA1
09e58e650d7cecf8085842879d16c499a3681e98

SHA256
4e07db5a8509554c7e765dd681f7227af3cf578b2b7188198299a68ff8cbc965

SHA512
b4a229f743f4e2a6fb11297074d7b5b6d9b4aec733fb0662575025860b55a8dcd3b8b756156e242c59c8d47108c4c10b7da59b8d211280a103ba3dc456276a63

Download Submit
C:\Users\Admin\AppData\Local\lbbijlao\mfihhalg.tmp

Filesize
625KB

MD5
a7ee2eb8c4e25d9aec6527b036521ab2

SHA1
628bab4ed12386c4e502d7b83ccbeea2e344bc5a

SHA256
73938b875c1995c91ff8812aef9c5ebe6c048172ded8337a3fa93c7e6718008f

SHA512
b6075181a13bc3d640873bef3177d2eff05eb3920bb5f04b62a6ada81eab51cccb6f39915f08db6a2ede9eb947d4658ade53813795824955b4a297fa68874f76

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
0daaf7b8fea15938dff6299d4ccb70d1

SHA1
0dd2dea0bb0a884c63f27f411719518cfe23b8b1

SHA256
883dc785a9555da28f4d39f206a67b98f8968e4982fb31aa49ef4133deb55dac

SHA512
7e73af8e51ffe23aa5f8b3c468e5ed0abb19fbafd80f9be2d8a94f60a8ffcdd8fc81b4fa158adf6144a6caaea0956878b76459b63d26254a90b3776e260e0125

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
8199f78e8d67c57603cc08842c979169

SHA1
94cd8fc4c614f6d5686193661f1c814fac862687

SHA256
b6f4440180df6af5c9257f2cd90b88728ea3c09ae1c697a3e1609656108fa9a6

SHA512
47f02a9ba4174e76011327b0f0b1609628d2713699dabdc40e8d412dcc8ad0de59db26315f717874c49a7906d747b897db0e8704a5d952b37d9cc0e8a9f41753

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
64044e4c761867a154d5510911dc36b2

SHA1
6497952489b32dc6bd1c74d175f77b7a95302d94

SHA256
2eee1ce07fa2842c25b43b60d6738f06a670a2f014080dd184fdaafd7b95e6af

SHA512
3d8aa480f101e1e6088e5d6557dfded48baf7f1cf39b86d1d171acd52a98dd06853a49928d4bc7128f0f525c92b5983b088c883c775d32f137b2d3b146b4262e

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
093fab1fb6b08ae4faa7e66ab4abcb90

SHA1
dc551fdf05ec4940e17b799879b714c32b0fdb81

SHA256
f96b7aecd4bd762ec1af5222300664ede01620151fe78e3f484511355f153e81

SHA512
eb01b3b23bc45ce899facbbdd1c22755931d9a28e7f8f7074a438f7f28ffbe37f067e5cc104dde8a6bf2b844ec069757e3e58c4b9d9a18aef51606b1c07c853f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
182af7c476ce60d7b9f4f2bddab0b9c4

SHA1
d39c29ff936c945b8875aede42ce2467c6834dd7

SHA256
7cec81564d572ed80c5bfd913215bd7698bd6b5ee3913bfa45463aa407b7a77c

SHA512
218d1c388c518e0aa3c66a8404d7b2ccaf05d75f063de972dc075581797af63324e86ddc12223873a6db6841a14a4e7c5604b452769b4bb751683328a87b07f9

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
f2b73c5da5a74e246f4d67b740bae142

SHA1
eccc2dc9ed2874c513478d3bfd652ce6185dbcec

SHA256
db2aed920954d4d2ebe53ffe7a22d8fb4aaaf02829249973dfb5706e24438d3b

SHA512
8dd8605573ed02a5f0750df1834eb581796b71bfe0e0754442a8c1999f32c02c642eff81f33b751d5dd8ddc4cb32ae678d52e8019d55dce0e333aedfef149ad9

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
8dfdc45db5cb1799ef8a31aaa1ebea25

SHA1
97e8174fef308e998ef1d171689abd9d32c1246a

SHA256
787f2c1a0b155e063fc9e8bbbcc2a96961cfe5440a613205bf2485c80a9e5127

SHA512
47363ea698676d352ee0efde20fea9c6802a3243a64fe8210cf3d271b11692ce4f65868f4438e6996142afbddc3774bfd1920d6bcf250de62f7a129c621a4fc7

Download Submit
memory/3508-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3508-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4064-0-0x00000000005BA000-0x000000000064D000-memory.dmp

Filesize
588KB

Download
memory/4064-15-0x0000000000540000-0x000000000064D000-memory.dmp

Filesize
1.1MB

Download
memory/4064-6-0x0000000000540000-0x000000000064D000-memory.dmp

Filesize
1.1MB

Download
memory/4064-4-0x0000000000540000-0x000000000064D000-memory.dmp

Filesize
1.1MB

Download
memory/4064-3-0x00000000005BA000-0x000000000064D000-memory.dmp

Filesize
588KB

Download
memory/4064-2-0x0000000000540000-0x000000000064D000-memory.dmp

Filesize
1.1MB

Download
memory/4064-1-0x0000000000540000-0x000000000064D000-memory.dmp

Filesize
1.1MB

Download
memory/4676-68-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4676-71-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4676-27-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download