expiro | b026b10c79c8cc3ddd0cfbca316c091df9829e417666d46596d30b73773c3686

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
Size

625KB
MD5

298ff7e2b96f9c5d518d501a553e8679
SHA1

565046d5f237826687bd9c43877cd8a788bed2ee
SHA256

b026b10c79c8cc3ddd0cfbca316c091df9829e417666d46596d30b73773c3686
SHA512

6d6156dbe52788fc0fca2886db67a6ae40808db147e3ecf814bb98f26c3cbdab2c6b497aef556eefc343d6856e73add8677023b270ec0ab62de727c610b2caed
SSDEEP

12288:1Vt+w8wyv/N66WoJMFVX6mAa2ogAQg0prnAbiKusJ2:jt+w5y9DJUR6mAajgAQvpr0fJ

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1056-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1056-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1056-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1056-48-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/1056-56-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
3836	alg.exe
712	DiagnosticsHub.StandardCollector.Service.exe
4580	fxssvc.exe
1364	elevation_service.exe
4848	elevation_service.exe
452	maintenanceservice.exe
3520	msdtc.exe
4292	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2045521122-590294423-3465680274-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2045521122-590294423-3465680274-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\O:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\Q:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\W:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\K:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\H:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\I:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\N:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\X:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\S:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\V:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\P:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\T:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\L:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\Z:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\U:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\Y:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\R:	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\agmkibpd.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File created	\??\c:\windows\system32\nnioimdp.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\filmnbpf.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ipgkdolj.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\mggidkhm.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\perceptionsimulation\lnkejgpq.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\openssh\cgagjbnd.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\ocegknkp.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\mpgeiicj.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\diagsvcs\kdicoepn.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\system32\wbem\ikfdcooo.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\windows\SysWOW64\hikkmipi.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\system32\lifinfmp.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\jfecangk.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\abpigjbp.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\kjdghkfm.tmp	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\EnableCopy.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	\??\c:\program files\windows media player\odiekaek.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe
3836	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1056	JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
Token: SeAuditPrivilege	4580	fxssvc.exe
Token: SeTakeOwnershipPrivilege	3836	alg.exe
Token: SeSecurityPrivilege	4292	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3836

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1128

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3520

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
7bdcc3c54995c0c77343400368325faf

SHA1
13552c87b25574ee405ce8c168dd08eedd063e3b

SHA256
347bf64b7f5a483e7583f0ea50f59da06f4a4173183f29667c837891f98ca318

SHA512
911194db9c659768178351e6fcdfb2b75f61fcab94e70ef287c0dd20bdafd75e591c8fb8c8a4b9ba5efd578fdb2f09c7477c896788f207df15ea0291c8cddb1f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
6d4ea73f62568d1b4be855031924a478

SHA1
b36eb0ad7af108d3d1f92bb944f5531585ef4e16

SHA256
ef695eeaa5fd9586a51c562e7a0f56896604d283699cf7fb07249108194d2920

SHA512
7554ba43122d93c73ff127a5dd840a09a0ae54e0a7ef4fedbdc7d9a31906830d4a560fcb697b55a1a6c2adc37f3682d67f524e786f75de6a9302f43777356e5d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
2176a2192e2f7f17f8aeaa7eaea9bbbd

SHA1
09af8f0a0659dfe067189e21b63059919c5fccbb

SHA256
cddb623d0d803599743fbf506ef889fce12b3fc1fe42eeb59e28b43e0db68d28

SHA512
6ad6aa5c773fe6adc952bd4d4beb3d9f9508fec7daef4c4cb4d225b5d885cfd14bfd8f9769a632fcd5dbced6c8298fda7200a57cde329b13e5738b0051fa3dd4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
7f0f3e48aae15a885dc2050282d0fa33

SHA1
e1fa046d2b14328a2eec1fa162cd5c16099402c2

SHA256
46a8f0ce94551904098e058a9810fd3a8ec350192e1eb42063b9a39e6934928b

SHA512
353cd5142cdbe55509ae382a0225494bba300cf863d3af7dd59217280d47f4508cf120c48b33cf222e840c2150d682c874c8aa38f350491f0974a07a964b3b7d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
394a4600abe630c8fb6892b705c62339

SHA1
8b9aa144afc3aad99f9cc4ed750d35c41a54721d

SHA256
b736e6f6b9f110552bcdb57c0006153733609c316642e8488692df929cdda123

SHA512
ec5577fd853680829d3f34fc16d5c5ff8efc9597e3d87c5fb25a023a487cc4755162269a6b321f43b57621187e676122d13f7ed1acbbd49dff3567f3b5f80998

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
faa1f637dc2b17f54235b5d8fa5d847e

SHA1
9a153411afab38d6e660cfcd0baf11b6e769beca

SHA256
b857529253e5b97b4c31c3fd4baf425a9050b459d3557de7113572d1f4a52280

SHA512
72901dbf771b1de715881443632cc4d6317ab251e8f70bfc9b09ed1c484e55f52a0a7ebba344b83b296c0fd710913c24aeb65066e3f9338fc0d3ab90b983e3dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
e128682303777c6310721e45073ccefa

SHA1
b3de4b4493881a96574f0270a7e9ef0a8afcecd3

SHA256
d6fd986567e70c46d89e69cb69e9e862796dcc89992cfcde61286a1b8306fc46

SHA512
f17989b278f0d337e3c07507581016d8d36f7496ec7d3d0bb0d2bf344ae1aca27e45228479d360b5dfb7fb6cabffb79e1d140d7a42f0a08a87689749ca9da6bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
c2e6db0d8ad7b9d04340ce8f272be9e5

SHA1
e66f8402e68de1fbe876b92497bbc8fce269ac8d

SHA256
229c0d46d4baffcc1b3dbfef2a223f944fdaa643cdc88b8f3189623a52d3229a

SHA512
bec0ca708b90fb28bdc1190f7786c40fd6f1e3370fb2d41b085dcc67caf8dc29201a79adc1137f2925cf0f77b7a21bba161fe07ef0abfcaf6d8bdf91e5222c72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
a72531250b724702cf5e0fe1f4e41946

SHA1
0b6af47425dfca54982df1f9fece137766584bfc

SHA256
3dc1d67cafb9632e5b17d294ebdf5063d9b794302143d5af60d989188884b55b

SHA512
f9c16d6cf8aca5d3889aa588b635de6d9405edfcc572bc097b93abffbe1e385127da368f2be1e18fd8b64e8302146653aed19183fa73785039ae118327fea84b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
79dab9cf2af7ce0b191deddb33b3f394

SHA1
46226a63fc3d28796ebc61689b45fb8c6ccb6ea3

SHA256
8ea3b206dc0c6fe95f7a15c84f68d8dd3a729a904522666ecaa7bc089056a3a7

SHA512
45d676287c50d04e317c1cb0f263b4a30fd17c97b29c8b3d548a5566beffa1a1f6ef42d00c57467f33e777012ceb55f228d12ad503ff68614df5100107d10663

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
8ec5d9f01dca7c7d5919cb4454e93269

SHA1
8f5c37b5762ecd8c7173d0ee3df4022eccc3bf27

SHA256
0571fdff8be1f2303fa536d80ba2ea3d65f667c74f5bbc2a25f7825f58b3559f

SHA512
7fc6f76a0b45c52c48cf4cce1c76a612c0119e09a40d1f871c3fc453549e0c45284bef6761ababa88c68691456d3abc79690a6057bd95926047cae616777dd45

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\kjdghkfm.tmp

Filesize
637KB

MD5
8299b66af3016d3e8ce4464671f28a35

SHA1
c519fd0103f185583f1500e994575fc04526d518

SHA256
bc4fef899105094bb0b26347fddefc4f99f3137c156bac2f9251f5a166e2e3c8

SHA512
ff983c055499d51dd1a3e1c7a78ae45be32e69d0830d406d3a5f65725348eb50dd04d255c6ad30210b8f19b1d4fe94c307f92a5edfacb24addf12ce3cf86812c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
f54ef1afb3923cb8b86a92c43364d6b4

SHA1
cd4587ba72e89b78d1a2a2f0464d2d6931fc5952

SHA256
3fc20e445f154d8acca00772fae6a7d2d53f15acd9e14abd63a5a957495603bc

SHA512
417574ace7433ffa45731e0dd29edac2754db3f7b1044a316c56cd91c2465b116133f0338ff97448ff5e2220a9de0210c1b19d680779246748c3c910d6e98b2d

Download Submit
C:\Users\Admin\AppData\Local\krdpmjko\nmmladkd.tmp

Filesize
625KB

MD5
53d897f69c5c4010b2619301faaa3ccf

SHA1
fce849d2b73728591ae15c1a1e54891dd90c69e0

SHA256
77ce417735fd0b08d5c454c6983da9a941fa5d160643622f02ebacda28dda481

SHA512
395a594a43aafd3ca83100f455139c8e5a4086ddb2b14384877924c362cb2dd94864d9b3904adab5cc27fc881456e28da42b194d84193290b11c17b215b8b0ae

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
a6eb1c516af5cfb003b0c57d9ec32b78

SHA1
3b20c1dec1146399d15bde8ab9643223a9fd9044

SHA256
17904b33cde365d8f768175e35e31916500f9f36fa895df315ccb214407d3de0

SHA512
b417c015a4e57b1d581a7bf33f6001bbc5b60234063fb6706fa1892d91744dc5603c3586d5714bb338b715b333f3f7fe93feb3b9ae1dfa1e9b73e2afa3608637

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
440b763ea7da62e78676c4c0b9c272a0

SHA1
a62fbd0ddbdc467d5051451081a77367ae650c31

SHA256
8cadfcc930949298c7ec15040d89752070daa723f81c4555a6799327c6d4a3d3

SHA512
146d40ea18b953b6a3c2c29415ceda3ae6e2408e4010c7eddab5d1ff5d6f43b72acd9fbb1b7183fe10906ed6e2599d57620bdbcda367fd4327c7ecb4b9c510d4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
cc48cbeecf0f5f3b1b2eee466d54db63

SHA1
f95cc3012ad91b377819826fc35355597227f25e

SHA256
4c4585a510b1ab400fd68b4c0a28c776eab355660bc4d775e61dad08a02dcfc0

SHA512
b32752f272b1b6d201b6174139c0780617039420db9e63cc75098ddbee555696abe321c572714bf3dd420d6b31713d1e0a45f9fd8d3900a41c58e72e77616dc4

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
302541feb7cc4305266d517336fee44e

SHA1
70dbab1e3a9b710db46e2baaee3960246251f344

SHA256
1c4515c316f30193cbe8c7d1bc058237f9b9538194f2f56ad5a773154434ac21

SHA512
4bcce64cec047e38a1a0445756a48c2cf79d5b1ca183bf0af90b9e250a88707fda32b33f2b5913c02e9727a0f541423ab4b6e1b5dc003e215cf66186d6d9b37e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
ce400b6e3308866049a8ea64b6a5764b

SHA1
ab540687befebc3432ef0052ffe5640765885af3

SHA256
659170a5f0785f8513c26fdea13693705d186472568de8bc60b5289d300bc1e9

SHA512
d4bb7d8a3e04b7ec3eb71a4ca89165e2d285ae95f7226d44a5fc023828f52c7770621120e66f74437172b34f7530522fd2727acff4de61742f7124b05f9f12b4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
463KB

MD5
13057db566f5efdb82a59c5d0e980342

SHA1
f5cf80033509766a96ccd79748bda642bfb755b7

SHA256
c85e8a72ad33605e7cea3028310bbcbba06f8d5050695374bfc80d6db913523a

SHA512
6c511e2e1786107c75062f8f0e71404a59f4392675cedcb10e6b74923778014ecab55c7094e358871be1b9dbd9e7fb0cd67533302e7aa97001b30293c8e79867

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
fd8547f7846ca55f1dcfc46de3b7daf3

SHA1
c7354b64cf25b2aba412875687d9075d80e09897

SHA256
cf48564ff7ffcb5c660b447dc2d372a4d59eaf9905c20ff9305e899e2ef6f412

SHA512
e801949dd7ba976d29eb781924cf1543129156de71379231e41628f97152e2e92324408817c456de6785221aab0a5d34593f972a19aeb62590fcf786832e2611

Download Submit
memory/712-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/712-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1056-48-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1056-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1056-56-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1056-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1056-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3836-64-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/3836-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/3836-63-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4580-49-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4580-47-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download