Overview

overview

10

Static

static

3

JaffaCakes...c7.exe

windows7-x64

10

JaffaCakes...c7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe

  • Size

    880KB

  • MD5

    60a35a694c0036f1069e44092d400ec7

  • SHA1

    ab0277112625b9d8197b169ecf3877fc61d88d5f

  • SHA256

    9296bd38edc3ee0edf035fddf3d749ca0e832455cadf71273405563da6f5a7f0

  • SHA512

    fedfbf59cbb42a65342d05734e6f29797ab9276c4f4790ba7c3c6cadc09ddcf31a51a54d8d01bb7315e3981554e3ffbd70fc4bf4d094241d51b9ae3791424985

  • SSDEEP

    12288:lKPRz7pW6NpUUIIeAldFzc+spaUm5A2SKluFFS8h:URzlW6n9eQd/smBiF

Score
10/10
expirobackdoorcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 61 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a35a694c0036f1069e44092d400ec7.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3620
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1832
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3736
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:4428
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:1648
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:4948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.0MB

    MD5

    e023581edda4e14402b581ff48b2c3d3

    SHA1

    93d094ce65d004766579fd827bc783d970f5f81a

    SHA256

    6e3746a50cf5359435ee589cedace6c86bad8ff14d73a920c5896307cc3c4760

    SHA512

    f97c0fc82dd2915762c0ee311322c2bf90c96f1de04084267fc5f1d6c4f1365cd0e572ed43832d1aded8016987fdfabbb9ba39aa5a6331b83199852ce016a439

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    723KB

    MD5

    5bffd829fb87b890fe95ffd7e364fc46

    SHA1

    9f1caee271d615f7e7c9de2dae3ff9500a101f5d

    SHA256

    b591531d4b3bec85b387c01b40645d9d744bd778c97a9aae3579ae9b61595370

    SHA512

    0c898561911c467a55b5cc4faf28b316850884930651b038f2c0678aae8c788d423e99f3b419ea98871b2132622e9dff19203412c983bc1cb9b3b7bfe7452141

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    740KB

    MD5

    0a5748fd088a458b9ddf3e2f109866da

    SHA1

    694ba44d3c5209bca6e866e5cb7a8e4a966103f3

    SHA256

    645ee84ace4ca85dfba1f4c0a7833bfd9e2eeabb32ff60d900e104be031bb0ff

    SHA512

    d902caefbae99269f96b98895eaf17fb05a889e054bc35c14c0c72d45d9c4c59e530ddb32a9184a559628d3af4f9c82b979ed5dd1dd9325adc66ada88a926fab

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir
    Filesize

    4.5MB

    MD5

    43260a2eb0ecb341aa063b2feaacf310

    SHA1

    d36fd367f7c38d2cf5c2714c56f974fa25a78a0e

    SHA256

    45d343fe48ef49bbbde426d3f925f5c36ebff79d85c52e91f75e927797b783cd

    SHA512

    acd80628643d4cf5a241fc26b3e6120ef86b721153dcddee0cf5ceffa8bc2ef7d5599d842d6f41f4b00a24efa142eaf39d1ae1bc3e3f3fe85397b9d2bf9a6ed5

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.1MB

    MD5

    4667838f89621811fd8c4dd8aa256095

    SHA1

    e898b22cff811abb678b2c810b67ba680ff7b1ea

    SHA256

    69a0dccda280873840aee97c617307e31c2ece6e016561de073ac85897de1693

    SHA512

    4bdd632d3b99b012c134268c4d9a7bbde4aae641456f3eff2829ef3c3a2412dab67967eb2b7c3aafb8458611dd604117e430eac10f1bb47ed0ded0179eaf2bb2

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.3MB

    MD5

    37fc0d6f638af3e9ba5724b82176f3c3

    SHA1

    857147919247e4d6b507f752df8a182b7ffaec46

    SHA256

    648797410d742741e425174be7d8d2809220f041b3c07ee877739c42d8003d7e

    SHA512

    57e311159256382747203c86da0882f4c397cce6c29c21563d55c0d43c8b087db18fd6c175332c1623068d8364e37b3c2f9be161ba7a1ecaf77e9b8d5c1d4c2e

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    923KB

    MD5

    924ea28179f21f0dad9a2a3c44e905f9

    SHA1

    40c5dec7c0186a80544018a659150feb4413b7fd

    SHA256

    cf16f97154d5dab78a1df2034e45b412cad8a9cb820537742ae278de64a22b7a

    SHA512

    c288c03243986d8dd0e8f348f2ae1621a8df11accc0b06f9f4b841c227c01c177d4d557baa7787dab8741e1866d7c78ec4d2960cf63bc8af11e10baa05c3e77d

    Download Submit

  • C:\Windows\System32\Appvclient.vir
    Filesize

    1.2MB

    MD5

    fad204ca2113e92b12d26faa428e3336

    SHA1

    65fefebb14b1491977aec0b3ec7f69c0cde5e152

    SHA256

    03d936d2610e0446fad551d7e37d1abf5bb0e5a0d004aa53143c677340a2b17c

    SHA512

    206a3180cdeed5ac095fd121c8595d8c94ba1c15661a64da9dcac318f428f3f14583bfcb81a2cb4903edf4e8a9f55cce84124e94e9f07f10dc8f337792da54fb

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    874KB

    MD5

    344b7c94dc04590448ca69ae04688b9c

    SHA1

    81399fb69bca1737334c3627d778cb8765db2519

    SHA256

    d512dbc91d4c2e83454db0ec9428659340f5224d06892ae3048b08e32bd0789f

    SHA512

    e61ea9f1b2e79a0d0cb2fb72a9bd8763b14d22cafb5fbebf9279dc31c6056ca84a0d4aa9494b6b6fd938d02c9f237211df7a729d75790e512e042cebc60acb6c

    Download Submit

  • memory/1648-139-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1648-148-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1648-60-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1648-117-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1648-63-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1832-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1832-142-0x0000000140000000-0x000000014036E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1832-20-0x0000000140000000-0x000000014036E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1832-114-0x0000000140000000-0x000000014036E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3620-2-0x000000004AD00000-0x000000004AF07000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3620-1-0x000000004AD07000-0x000000004AD08000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3620-0-0x000000004AD00000-0x000000004AF07000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3736-116-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3736-141-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3736-115-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3736-28-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3736-29-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3736-140-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4428-61-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4428-62-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4428-52-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4428-36-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4948-149-0x0000000140000000-0x000000014023C000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4948-150-0x0000000140000000-0x000000014023C000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4948-77-0x0000000140000000-0x000000014023C000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4948-76-0x0000000140000000-0x000000014023C000-memory.dmp

    Filesize

    2.2MB

    Download