expiro | 0636e2319a648568e7183e354d518dfd8033afe9fbe0f9d37cf45545a6790ff0

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
Size

625KB
MD5

25fc116d849d873fe7d094b20c61a0a3
SHA1

ba11b8661fcd9fd4b0a595d4991b8aaab25f0739
SHA256

0636e2319a648568e7183e354d518dfd8033afe9fbe0f9d37cf45545a6790ff0
SHA512

859d7739b13f0cace8b7d5cc231d3ad250149642cef3c9bb38765771572e62011d2624f4ab4df5ec7371f3a8104784bed966374ed78f57307a9fd8e4b58a59e1
SSDEEP

12288:dVt+w8wyv/m66WoJM9/Da1AtooMZlNKh6ZOmcQzpv9ymggRxcXtB:Lt+w5yWDJmbYAhG8cZOKzyQcv

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1648-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1648-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1648-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1648-48-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1648-56-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
5052	alg.exe
1720	DiagnosticsHub.StandardCollector.Service.exe
3652	fxssvc.exe
3752	elevation_service.exe
3320	elevation_service.exe
1524	maintenanceservice.exe
4316	msdtc.exe
872	msiexec.exe
3464	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2437139445-1151884604-3026847218-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2437139445-1151884604-3026847218-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\U:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\W:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\Z:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\X:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\H:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\M:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\Q:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\V:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\R:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\O:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\S:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\P:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\T:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\Y:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\K:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened (read-only)	\??\N:	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\ekhjdijh.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\ogglkokp.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\SysWOW64\bpofigkn.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File created	\??\c:\windows\system32\kngakjgg.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File created	\??\c:\windows\SysWOW64\fbihnakq.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\openssh\illngdhd.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\anffoimm.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\beelfjgb.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\SysWOW64\lbkilfko.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\kqobfmjl.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File created	\??\c:\windows\system32\perceptionsimulation\fokchalf.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\diagsvcs\cdalfdfa.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\mfpqhnbf.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\lcgcglik.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\dpliapjp.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\iempdmdp.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\system32\cekodjaj.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\ddcqdofe.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\cgcgebnc.tmp	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ocnfphoi.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\hpgmjknk.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	\??\c:\windows\servicing\necbimik.tmp	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe
5052	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1648	JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
Token: SeAuditPrivilege	3652	fxssvc.exe
Token: SeTakeOwnershipPrivilege	5052	alg.exe
Token: SeSecurityPrivilege	872	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25fc116d849d873fe7d094b20c61a0a3.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5052

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3920

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3320

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
8f07a2ca692c156caebb3090fd130057

SHA1
39baa824dde44826128bab46bf8c3809f8980991

SHA256
429e83af384eae064fdab925a28c85802a507b4d09446995a0554a40a5654b28

SHA512
6dd190d86cc0ec7d68db5704e44b28bb463b936567b97cd422633bbfb7f5cd75b79f4dfd3d9d3bada5f29b75f1cbaaa35cec7f45c09ca65cefcfa321c686a280

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
03c0ca404865fba7dacc44189b130f40

SHA1
766c03b6b8837dad8da58f84f24f87fd4420761c

SHA256
fbe54387f3db8970478e9136d0d1046adfbabbce51eb840a10a38b4663b2d709

SHA512
000357bae85fb73d13258a911ee47a9cd56f9a05405b4efc03995d685172767fe409e64783b42f19bdf629c5e18f814b8d53308520e5513bc02a98abbf0efe0e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
c81bdd889cd3424ccca598a688bc97a8

SHA1
619c3cbc9d51f0af2b844c1d2b90c1f56253a318

SHA256
01a2c7b35235aa004ef8a97c41fb705bf58411eda258934a147d6c31bfc465ae

SHA512
fe332f860de3492f2dc5caeefe272769aa47c4e238586001e94142bc8ff02d5a13e3ec5b778fbb9dfcdfd093af4736d8931daea0b5572293836e327074a238b8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
46975edb45ac617ece91f4b1940947bf

SHA1
444e91bec681244cc201ed91481000962e580850

SHA256
960b0d13b492178a8a449f194080a0ca796198dc28541063c107b32cf4f78474

SHA512
a278444e3fd97e73690ddc996a7c27b5a3d267d49df43e3aebb8131346e6051841f8cf52f9c5695beebbb852390c3230ef7d078cf31673dab46e302c22a4ea40

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
8c36ededbaab3947fb9a02b3a945f956

SHA1
31df2dcb4bea1b1c7de67e120ea231a28997503e

SHA256
99a70bd1d32c3edafd89fdb8f330e935dfbd26dac8c7e334b7a93f0d3a7252bb

SHA512
cd95acd0688a8edf1cd7d608b39b3f10f92eef3d0459ed774e1a0413e253ab841c280f808a55398b53027043b9d65776c650fca52e79787672d39471502d166b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
4ff1e19d08067dbd3c35bf23ccebc1ff

SHA1
b3b91ea29b39a81c5e413bdd701118e35e56010e

SHA256
2b0453076b3b1e784f919b6c989e5d75a68b5b5f9043825fdaad2c70f6a5e151

SHA512
5e34a0d20f39a34e6f8d2ea732c4e75c1b5374018f73a012d4407d8665feb4b3f5fc08ead6c13e140e14092d0336f640a81193da384d6070994e99dd49ddf90f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
df8f58397534142e111b9df92e1c4bd8

SHA1
af74e90085160fafb64f2849c3bef6fd0f91684d

SHA256
de7c1c71baf71719368771ba28dd9cc56a82106da252b3a4764993b246ce82f0

SHA512
9ad919aa3a9a85727612c9b5c8ffbceedd227ee1d94bd6d01879be96522703af5e1af81acfa4abcdc2d4586f30a3ff6707d89598e26b65ec94f60194567b5e92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
86130acc12c82f4d4320a024c1d4bcb1

SHA1
f3165b212d991834fc2cef5c42e7ce6708cfd83e

SHA256
445f25de347acc5ca1385015dc6fc3a49c019b019ac35af35e306527bca798a7

SHA512
d50e0dcc13680fbb0a46a48f13cd31a89d14d172f0a46e29fb5361f704e16c0993cf359a3ae123e91a47a9e801cae2ac2a8527df7bcc9d7ba002950f4dfb4571

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
6bd0d6f7c9a69fb4bdd8991e6e816cad

SHA1
a2093ece5764298605e269cb805a44654b3b8345

SHA256
81ad6a1dccd5c866884bac76930931f1fb01cefadaf66111f44ed699044712e6

SHA512
1394a7214354524d3332806becd46aa43ac80462fe20a8e049d15a0dd0f3ff366e293d1a2965cf3c447d76d8a64db740b7a2254f2249139eaf717787dee61aff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
c3367a95523e8096ef70b8b8c02cfd4d

SHA1
bf1f3c9aa90522e27b3ecc79f26555efac9672f4

SHA256
abd9709ed248513db396fb84ec2dbb6d96b539e7d86c9c55d0c31650e157168a

SHA512
30ca51d4d9f775f5da5f5fa9f0ebecd08a7c0ed9cd8d7c978ae6a042a5077a30e5f7d27ce59542cebcf57319064f7e3704ff5fbb4d30c5c9cd2ce63de998a936

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
b9b65f23951694a0fce9b3f4097ebadd

SHA1
b9ddff5cec7ccb6c36e8fb3d55cd4784eed1b19e

SHA256
03182659f116dc700e3f16f14653186f3f64875d2c089d167fb5d3fec3f22eb9

SHA512
c23a9615be629d72557947efebca0cfa091a1786de92138691bbb6e2d4fe2dd48e15c3023e53fe417fd2ddf3a0383b699cd9df7d09e5a26293c4cc902d7a5077

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\cgcgebnc.tmp

Filesize
637KB

MD5
a656886bb419e6d760c99e26a80564e0

SHA1
a3fb5767d47a4d66a872660e2ccef51c6d65216c

SHA256
deacdcb3f2bac5ca95fc59ecfc8588147d4621a7aca482a3a1649ef3d1e35ebe

SHA512
3ef158925fd1b7e2066862f9a1bd88ba17cc10ed51fbb859bcabae71f66c4f2d7e3b2ac6bbbde7628697b347be1f90366ed4749b4a208b5266dbc067645bee85

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
e0c32d8b209c536e1eeb961c18c04551

SHA1
918b2beab5752b72d2d17aa95667e3be71d727c0

SHA256
8338a6e5430afcd98bd043b6aa1c5d205eb95a6c32957fee235c8688e61f60af

SHA512
f45761171e468b4c6cba1aefa693b2a1d1997f74f657aeeb4dc110f0e6d036252956d2cdd5108c138ea430a4d6088e6997dd3ac008aaae755bd6b57455869d79

Download Submit
C:\Users\Admin\AppData\Local\kfbiaimd\hiifnqem.tmp

Filesize
625KB

MD5
13ea0d60fade719a5db41fe61ebdc3a9

SHA1
338514d81084aacce0a68be940390ff13a8eeff0

SHA256
903a375adaeec7e5e6af809ab55f0dfcf0e4b9b175cb378a67a86f2407a0f05d

SHA512
792d60301ca9510c6893fc6d041136f58bff479e4aa599527f97300c8ef807f0ac88c7184ffde7507a3546e5cda50d7827336c8072296ff2acd60e72f4af99b3

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
ed8af55f00d7e02026f217f43ce4d30f

SHA1
73f53dc9b3ca88c6be4aa5258bca6c644e0795cf

SHA256
e61113d70e41a39ebd52473b09dd080919874ffd87ca682fa96dbb27b05a5d5e

SHA512
cbcb31d622d1563a246e585b5d29eb52c4e709263ac333c6149e715bbcbb95bac3f11fa4d98d5f1781e8ac69e5434615020d33f04861d4618aa25a7143c00012

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
3e029458545634c8699ce23a99d827ef

SHA1
6a85c1056f78857da911ce6228d5d4136b17b942

SHA256
f1a2dbe864328f2f4f9c70b8afdaf0d8e00526b613f6e5f02546734d6e05dc47

SHA512
f5d09eeb57365976d567ec02baefa4dc97588ba6bf639a9736399fc254fa8055994bf1bbae81ca78e8e8cee7abb03a304293eea4c1138bffa5252a197e7b6b24

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
cb58b10845456895644bd294a285143b

SHA1
1966d0a9d98f08eae42cd06bda9726b38c55be03

SHA256
47d49c56dc242d2be73f84c9cac9fd5ab29ca575d3752d8e6ab8b5cf29c16327

SHA512
ac624ef26a83f2e1b4f1793353accbb75879b9a5d1d53e95b575ceebdb9d5010cb7908be01d6a7004c1d8e75295151ca667693ba66721b2ef39be455fef12632

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
4c6db53ea2667ec924e71f5e704997b4

SHA1
735ae37074ae2c6b0cd77110a778822fc0a42eb3

SHA256
e4afa833c96b2062abfa407b24fb124265bed52cf3f3b61f432bc8d95cc3523d

SHA512
aa328a50b4272861f43fcdbd954c2810e6f5a4bdb20d7e962854a046b26f8e72da7a6ac15cccea9e3e7ad2cd36b8c1442490d2491c23f99320439cab0be83f65

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
ed68cd556bc83e6e0d2450be65ac4dc8

SHA1
c2aeb482a4bc7a6344816d6d565813eedb75b676

SHA256
b75028bba10aac9aed45cabc682bcfe94fa2a038fee64330bbdcc415427f6226

SHA512
1f7468edbb549d5e4703c94134c89d1edb4db75b9cbea1b8a0f61c508dc3923de31ae5bc800ff8701185f26d455fcaa742971168102f2c6ba36cd991db94bcb3

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
463KB

MD5
22fdbe0dc16a1f352418574d3fe832d1

SHA1
5fe725dae5f683d402e2b554b06c54caf285f200

SHA256
b0b9eecea45f05e9ba6e8a1cf9106874e82cf108114c38a3175e199e78c58a93

SHA512
adc76dfb92397b115da3a3ff70753b4b4b5bbbacde47d7f7dc53b8110300e6a0543f35630e1f1ba04efab090ff88e8439bd6bf8ef58578ec4b263a7f9bcbc8c5

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
1d1a3839f15ed1592e5cd4ec9a94886e

SHA1
c42c5c3d951e2d11b950f1080c8ef89d89e14ee0

SHA256
100ee04d2156763c5ef90aba6360c1bddca8e68196a4d9f3f136735228b813e8

SHA512
ab86773aae28100357df86a3ec2da0cc9ab0a5609040a1cb309431f0b97af70af446b606fa4a75aa8e66abaa9032f574851c051710b7191b3296ef4eb74e2d97

Download Submit
memory/1648-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1648-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1648-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1648-56-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1648-48-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1720-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1720-86-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3652-47-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3652-49-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5052-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/5052-63-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/5052-64-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download