Analysis

max time kernel: 150s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2024 13:12
Static task: static1
General

Target: JaffaCakes118_1db33c93b3dc0aefdf98d72881bbc259.exe
Size: 625KB
MD5: 1db33c93b3dc0aefdf98d72881bbc259
SHA1: 85b28dbed026216c851e89ac18f48d1e2caf897a
SHA256: f5b382bc456b1d14a712467ace85ffb2ce80ad98523170ea976775b69914bcbd
SHA512: 056393197ac05950ac6a245bfe9acfc5b688a83956637221d116bab181b96c4a1959931b83d5f27da67e0a4649df17380a46c10074fca73a46a276e7bf092cd3
SSDEEP: 12288:RVt+w8wyv//66WoJMH4xBLc8A5N2mYgxRFTLxT4NH:Ht+w5yvDJs8JrMHxT
Malware Config
Signatures
Expiro family

Expiro payload 5 IoCs
resource | yara_rule
behavioral1/memory/4448-0-0x00000000004BC000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/4448-1-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/4448-3-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/4448-48-0x00000000004BC000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/4448-56-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
Disables taskbar notifications via registry modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-493223053-2004649691-1575712786-1000 | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-493223053-2004649691-1575712786-1000\EnableNotifications = "0" | alg.exe

Executes dropped EXE 8 IoCs
pid | Process
936 | alg.exe
768 | DiagnosticsHub.StandardCollector.Service.exe
3880 | fxssvc.exe
3712 | elevation_service.exe
1984 | elevation_service.exe
3656 | maintenanceservice.exe
1648 | msdtc.exe
4508 | msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | alg.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | JaffaCakes118_1db33c93b3dc0aefdf98d72881bbc259.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | JaffaCakes118_1db33c93b3dc0aefdf98d72881bbc259.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | alg.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1db33c93b3dc0aefdf98d72881bbc259.exe
Modifies data under HKEY_USERS 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
656 | Process not Found
656 | Process not Found
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4448 | JaffaCakes118_1db33c93b3dc0aefdf98d72881bbc259.exe
Token: SeAuditPrivilege | 3880 | fxssvc.exe
Token: SeTakeOwnershipPrivilege | 936 | alg.exe
Token: SeSecurityPrivilege | 4508 | msiexec.exe
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | alg.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1db33c93b3dc0aefdf98d72881bbc259.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1db33c93b3dc0aefdf98d72881bbc259.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 4448

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 936

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 768

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3604

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID: 3712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 1984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 3656

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1648

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4508
Network
MITRE ATT&CK Enterprise v15
Downloads