Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2024, 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3115be8e84a351846f15d7373bbf2b13.exe

  • Size

    625KB

  • MD5

    3115be8e84a351846f15d7373bbf2b13

  • SHA1

    5180894e6f2dd132ca380c437fc4bd3299e492f5

  • SHA256

    a6095ba6b9b751f0df1a749d7c6be98d830e736ecb9d22695279ca04611db5ca

  • SHA512

    f8cd23fbd11596b00b5152ae9d78183f60a55feb4538a5450649bcd9cf7dc769870d829f4843fda37cd319f7c1b0e945bca76dcc754d832f744eb8480b04bf32

  • SSDEEP

    12288:sVt+w8wyv/U66WoJM5fDPqj7VkyIJotJq9X5DL8T9LvxtHa:it+w5ykDJ6fbqj7VkpayXJUtt

Score
10/10
expirobackdoordiscoveryevasiontrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 5 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3115be8e84a351846f15d7373bbf2b13.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3115be8e84a351846f15d7373bbf2b13.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3652
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:5060
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3608
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1896
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4724
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4728
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:5028
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:2952
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:4276
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5100
    • C:\Windows\servicing\TrustedInstaller.exe
      C:\Windows\servicing\TrustedInstaller.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:3208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      1.9MB

      MD5

      551926dceb72a86278fad7e4deaf0b1a

      SHA1

      65296a9d04fa58ea7e0522173f3e6b3f60346aa3

      SHA256

      3c4c81f261ce2425ed959579a851b6ad500923127fa69e2d9db6c9ec034f2fa8

      SHA512

      612f2d0bbc02e2a54d3ebde4b4d8aae5b1a25972ef2d27057261a007376b5b8b44cf56a71b5e0a0ab0b69b29537313fd281a24d65d3cf3a7a10c0b9ea44975df

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      621KB

      MD5

      b122767489a8be1f953fd15423b42be7

      SHA1

      a53a62d94a62f463f9b1697a4908fb084a9f1161

      SHA256

      6eee754fe82e130c626d8b6e9aaf9d57d11d9f944cf27d1fcca9ca96776b18ba

      SHA512

      3a553b89ae45f8c8b151a09dd77bf662b9f6dceb3da489ffe4b0c768c7406672a2e40387da56519a65ebc4821873ea1b17a3029cad801200144c87b5903b8bbe

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      940KB

      MD5

      c0ed28c57f0a458b559eb12b831f9225

      SHA1

      f58929e25f2749523d3d30dbda1d946f7da96175

      SHA256

      164d7ff14e4228fa82abd1c251f8a923c7564332e5a6c84e5660e1d86ef04d15

      SHA512

      7d599e8cf92bd4029a5dbf68d54f2814b46a96ee74c56f0f3cddd18e1fed98fd007112ea0646ec694fbbadc3e0c48189c26cbc39a48eb3be721d84aa3d41555e

      Download Submit

    • C:\Program Files\7-Zip\7zFM.exe
      Filesize

      1.3MB

      MD5

      b7a7ce7547fa6a112592c1d6c88f55c3

      SHA1

      9f7baca3a13893ecd14417b39fcb9c5c28ccb171

      SHA256

      f03b492d5efbe2cfefd2dacca41b343ca5c3bc50bc002702668c8965243a4c22

      SHA512

      978f482d84438bea1baf0a4cd5c302af2e9150e3576b66dd4f43df4f98a0666b4197188fcbdd23ed5369b2db912cfc703fb5ea57e1b881575ac1972025532920

      Download Submit

    • C:\Program Files\7-Zip\7zG.exe
      Filesize

      1.1MB

      MD5

      e7197082903dedb2651bdd103f6865ee

      SHA1

      4de435071cdf3de0a480020c72b850af226a46fc

      SHA256

      b037d8a068e2543280063273a42c5f1895346ad58256ee782d75b3059fb6a056

      SHA512

      4c3c1bf440db5d714f90f504ee02b100e348dc245dfcbb76f53c255c9eab715e539c45cb41a3d086f052e98d18d03a06391a5d0e6de6eb18b337c5c27cd9c7a4

      Download Submit

    • C:\Program Files\7-Zip\Uninstall.exe
      Filesize

      410KB

      MD5

      ceaa810cc57c1e96c395c0cf44ef6c83

      SHA1

      e7fb25421e37d761582e797c8feef70fd67cc8c0

      SHA256

      c24aace48c676aff3d8e5ca6753099f9490d1fa3bade4bf35a8307a66f6643c7

      SHA512

      464fb1679667525c68efc79547d56fbe63ae75bc095636a8c00890c571b30d6e152267da821cf1e66866ddd8e07f705c8442b353e27ab46da198ac878f348329

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
      Filesize

      672KB

      MD5

      c464bd9d3f4f4af97d3dd2eb393dfa16

      SHA1

      8b071a467081ac2257d7a16e1824b306aceeb940

      SHA256

      642f56f05db75ed3ec4eff9fda75a92e8c6fec611c3a445024992cf3aa26b0b9

      SHA512

      b42140ea8b86066943f7e234df74486cb8428951ad74439491c1f9a5d3d1b18c2f40fde0787223a9d485a039701d189fa022222aaba8aad640b7b15eed89f7c8

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
      Filesize

      4.5MB

      MD5

      d97381637dec9ee5421703b07b739857

      SHA1

      60a5c52c49bcf4cef7e3d7528a771e3e2723eaae

      SHA256

      8dd363453ea2c15ec89d8d9a09c582819827579255b88786a17277cb8a98c5a9

      SHA512

      5a2c54769cbef4b40fb5f01e016db5f424d30b479675af4d037390395e54fac9837aa57638346bb742b50bc781adf133ece95706d035eb0136af3e467c25d664

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
      Filesize

      738KB

      MD5

      f8fdcd1ff5d3a55722f293e3b8a6fe47

      SHA1

      07f80055c3fcd184f3ec32597fc31582b112283b

      SHA256

      ee13cb5275abe3a2f5ed1bdf64433258bb6fafe14340fdacb791ab47ad2f6ff5

      SHA512

      2992589d9c9b3bd3020a2e9c844a5080ca3df230b40153a326338c9474c20de4f77d40b716a67817fe686ad7d293d352d41c433822cbce95ee15d75b7300d22c

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
      Filesize

      23.8MB

      MD5

      cb3f65bbdb81276b878cddcbc8a357ee

      SHA1

      40874b5ad84c3249866cd442c06a4cff65fd7d34

      SHA256

      8f777d48eff4d76dcacbb1b28d14cda54a0188fcb0950f35c94ebfcceec1b5de

      SHA512

      9df35b176f6dcaaaf61585db1a2d6de4c81aade25db09add6d2b8ed336e02fd6b5a3d90f633b914fbece5052e952fc7ea1af01c445affe3834103be901c57b28

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
      Filesize

      2.5MB

      MD5

      bae75bc63885b3bb7a4ad13ed8533788

      SHA1

      ecea93896525ab69f32dab87f63a67f2448a3306

      SHA256

      8bcddfde66ac6517f8e605ea5d1e3b35d9169354109c9cca00db280e2dd637ab

      SHA512

      0766427af035743da567203eee98945bb15a2a03b91525c3c327b579dcff889922172dd08c402f11b3a935796563df2177d8eada5c5d129b61e34ac3b685914d

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\jaidfald.tmp
      Filesize

      637KB

      MD5

      640eb183d489f21ef293c6e44ac34370

      SHA1

      0111e29d6bb1a68760ba86b0e9a14a7a999b9559

      SHA256

      3e176836ee83e54de2664cd6ec29c95f5cb6deb35b6a551d8aa1b8e2eaef4f9f

      SHA512

      5c63468ad7be56fbda974691f37e1c129095678f6c87081b420eff3e7a98d02c78f30e572f4602dddeb9c861fabf4c4d245b3a1f5e6bf40d17f8e76a451a0e3f

      Download Submit

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      Filesize

      2.0MB

      MD5

      c724e4b7282242f986fc7c3676822ed7

      SHA1

      b39e0393ec9b53a1f4c61d3ad43b177203eb8da2

      SHA256

      8e42ed888257f851a283c3b0a00213ffbe29e843a23ebbbb81b054a632bb0144

      SHA512

      76bf81e6ff896ab38438da0eab707a84ce835fed2b25a1f15f14d8816d22c52c6beb9e2d145899a9c7b44ca51909984732efb55e088d27f23f187629e07074fb

      Download Submit

    • C:\Users\Admin\AppData\Local\rjkclmaj\dpnohjhb.tmp
      Filesize

      625KB

      MD5

      04076eaa8ce7ad669b3a4b4265f0f12b

      SHA1

      5927e358637c0eb0e0872cf009b5b20dbf3ec425

      SHA256

      4cfd9a66719c23e921d35d40144d129d5a27e51d9817014376f736abb47104e1

      SHA512

      b072163be11825c8a87dcdc5f28615879bf91d777485fa94cdd7fb517b32880b78057e0e9964d1c9bf0aa9ba864838da2a5ec158a80c2adbc3a4992d04eba196

      Download Submit

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Filesize

      818KB

      MD5

      c01631047bbf65cbee389e65d07ca4ce

      SHA1

      eb32f11ed4db759af856dcd160424284c1c694f2

      SHA256

      b0dba40a05becfdb9377fb2d342065522a4f529a8db79da24bfc49f909259291

      SHA512

      4288c56d684ec6106b7b8c62dcc5850dfcc789f1413ca4945679c186b5afd50da6d5ffdd6f668315d58c7ab99956f3d99e3b0fac953277c240051fb8d1d8e429

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      487KB

      MD5

      b9050924c4132eb027dc1cbb8cf95680

      SHA1

      c29b035ade17339db5906def3b5dbdcfd424085c

      SHA256

      81991aa81fe810e2c197184d363d89c48f012267f46da3689947ca2b8701aa12

      SHA512

      4e82108b1c857a32c3a04ed8e6242f2cfec5d53d086076582711ac37ff6e96a96c6a07c71ce39914055bb09ef5bdbfa18d5c348b816ee1826cf85f1428004133

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.0MB

      MD5

      e5567bbb604f46f1c9217ba91acc24b0

      SHA1

      a11e9bfda7d4e6aa17393bc3f134cb35f9618b9c

      SHA256

      bc3fcedf67868e5a15fecb79bd1c912b2e67561969bf9513bb681bff251a76fd

      SHA512

      8ac59973c201f431c7481c3a8eb3fac93cf3dacd98762aded99b00c6754e9ccd93a141c669593f2584f209d9791eb844c2be4933727ad33949f83e73e6e2e873

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      489KB

      MD5

      99fd8a5df7a1b58de23a663d6d0ad58f

      SHA1

      849d8303a46a37b5a1ab3432b11fdbfa62da7beb

      SHA256

      eff351f276a696e953be047f1c5a842f2bf68555855393a44a41e597a9503d94

      SHA512

      1fe0956e72905beafdee2ef2d2755312378880449338aeb0e14f06db1ee7957513fe1ec2e2e01f3ba74ef6825e212a074ecb91f7797362134f7e38df19474eff

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      540KB

      MD5

      deff835a0702662fe05d0296f77926af

      SHA1

      1c88221b54414e76ecdfc4b3ae67f04730b9d63c

      SHA256

      d16448d9899ca9d499be78b60001d653a999a55b5f152e91ccec1cbc0b8f20ea

      SHA512

      6dca2cfbe8a088d6ad543489ee8773b6c9fc73361bdfb5039cbd523611e064543de170c5b370d4e4ba0fd5a94b083480a8a72598b218e3e5da710125634b380c

      Download Submit

    • C:\Windows\System32\msiexec.exe
      Filesize

      463KB

      MD5

      2ad235c20bab26a19ea6348c767bc87d

      SHA1

      4bdf4896d832f16207fb514179ca381ef6e0618f

      SHA256

      802a99397ca2b9054285f7220c4d81e79048a8119b09df932167030f1a4e80ea

      SHA512

      65c66e0132583f47c42d10329cd805a7175ef14984048ea71cce6eede87070b2c355e196961e8e2a6847ad46220400d68b151c91d9db01564ac5be62f046421f

      Download Submit

    • C:\Windows\servicing\TrustedInstaller.exe
      Filesize

      193KB

      MD5

      805418acd5280e97074bdadca4d95195

      SHA1

      a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

      SHA256

      73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

      SHA512

      630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

      Download Submit

    • \??\c:\windows\system32\Appvclient.exe
      Filesize

      1.1MB

      MD5

      3be1853cad54cdb056db2c6f2794e63b

      SHA1

      a842ec1c02c9f896f92ea8b4e9c2c20cd8605d99

      SHA256

      9a968c0eec6c7f3727a47a9336ee66ffcb1a112a741d33a26fd8a41b349c1602

      SHA512

      0f0e485441d0104ccb812ce7d6436f1ee2f884d25acb7a72955321332ece5b24b661f7b2d7ef65a2411a0fe1436512df1b6953d1c3e7f454d0172da655fb7d5a

      Download Submit

    • memory/3608-40-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3608-87-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3652-56-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3652-48-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3652-0-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3652-3-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3652-1-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4724-49-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4724-47-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/5060-65-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

      Download

    • memory/5060-23-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

      Download

    • memory/5060-63-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download