Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2024, 21:23

General

  • Target

    JaffaCakes118_37bbed81fc35bf98cd3cf874119b9604.exe

  • Size

    406KB

  • MD5

    37bbed81fc35bf98cd3cf874119b9604

  • SHA1

    9fbc0c9af3393a2c67083291112fb624e535b460

  • SHA256

    fc086c346144e6cf4415a81a7e9cbccdb50f820d8440df8e4460b9627b1f52eb

  • SHA512

    1b8cbc0018204113caca12a05fb2d6e491174411e9561935ecc4ca69bd1e00f7710966d3c7975b64c6dfb0535c7ecb67fef0bccaaa874845fc26430ed70af903

  • SSDEEP

    6144:5Izfx0tsmxGjd9suGjZIDhAJSbnVrw8/LppZ2oqIqOEhspJ:UfqOwGTlWuN0Qrw62obqap

Malware Config

Signatures

  • Expiro family
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37bbed81fc35bf98cd3cf874119b9604.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37bbed81fc35bf98cd3cf874119b9604.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4376
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3588
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:524
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3960
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:5096
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2844
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2320
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:3760
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2640
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4896

    Network

    MITRE ATT&CK Enterprise v15


    Downloads
