Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...f0.exe

windows7-x64

10

JaffaCakes...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/01/2025, 21:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe

  • Size

    584KB

  • MD5

    68641faa6786e4429d6f3517860018f0

  • SHA1

    8770001b28aa426b7b3f49e73c70f4159ef296c6

  • SHA256

    8787dfcc098108ad52bb166b5864833d076ee0bffe6d24b28095d064970d92dd

  • SHA512

    5bb7c5fe328340cb2b4cdbf00fbc6194b70331100b37aa53dcb8e0d57a5cd89d60f30aaf086aafcbc43725e689f43d9da37885c61aacd3a1af6f6a0e8f99fb4f

  • SSDEEP

    12288:XzaDEFEc/v92S5iiF3Kmi6Fa/fVeLyzXS6tcZHz4qg:GAFEev9vzZKkF1LyuucZHz4qg

Score
10/10
expirobackdoorcredential_accessdiscoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68641faa6786e4429d6f3517860018f0.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4240
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4528
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4268
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:3176
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:1468
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:1492
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:1912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.1MB

    MD5

    8c0397c5d558bf440915a080af714d19

    SHA1

    3bcbe161e671b2e7dc75620fed3745e902f14d38

    SHA256

    cd6ce2c81ef4acc54edf41e4cc80fe254326b451a3290ad6743b40906f96ebea

    SHA512

    81c16118c2bd85bda1758330b3270afda79027b69c4847a89a2c1141cda53bcfa6a455e5da53fdfd70eb11623faeb8ecbda5aae0e977b8f0a9fe89fb1c8a8562

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    781KB

    MD5

    15eba2e4705c6d0322caf7da730a80d5

    SHA1

    db94526e38579b80495dabc3e4a17a7bb0e974f3

    SHA256

    bb1955069c9660b0546789bbd4221df5b30ef731ed71b84d89139208eeb8ef80

    SHA512

    41a064c732313dbdd6a027c659d38f0c29b3ca13f3db20aeb71d7fab1bb0f58f9e3ed53a50cb0ac8857a1dd0cdb9a734edded136081b15c939a4fb1633e630fd

    Download Submit

  • C:\Program Files\7-Zip\7z.exe
    Filesize

    1.1MB

    MD5

    d13e4a541ac77e408a9a3861bcbff37b

    SHA1

    080acaf31eed8f32665c5035c91de9c611a1d013

    SHA256

    a4bbd0a6690a229963bb5d43529f2db5fcef22cf0151da3b93ec94003c62d98e

    SHA512

    f028e35ff30c1f3bf540a54162583494495d1bb0792feadf20170555ae230db1edae96f0d89a1c040c008d2cc3830209ea912791e38142283632d3d7f60054e6

    Download Submit

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize

    1.5MB

    MD5

    fde5e58d2cca82f4651562cb46c8512b

    SHA1

    b47d01c716448215240991a3a3018b22de970980

    SHA256

    e0464d7ebee35c2a80b5a12571de6b2fa1af1d3880173a0ecfd4a64de11b477b

    SHA512

    a14dd3c760e9bca3349325ace6ce6287518bfd48d393341444dd56f8be13d5420f93f1f03960a87c0b8058958ea7c68d0123586e83214c2e4fff53da63cbdc2c

    Download Submit

  • C:\Program Files\7-Zip\7zG.exe
    Filesize

    1.2MB

    MD5

    0204812d98b526af8d1fec845a4c514f

    SHA1

    d1052f4eff59a8ddff88c39ad714b7e71233af97

    SHA256

    3c40d700a594f4d087a2f55c1b0bf5125761e667570128f28b26dc981a48f348

    SHA512

    a02ab25a97704709505ebd71eea11b3ef3d1f306a59c2f291f31551a053f1301cbe59afb228066a9f7cbccae08e8fb5ef64b8f4e988d690e04c6dd9be8eeedb2

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
    Filesize

    832KB

    MD5

    e9ad9808c6db457df3a9c990883c4fe2

    SHA1

    dfcf1f0b8d408fc91b2f709cc0acf12bbec887ad

    SHA256

    d36e88e84c55b1ca68025e28ee0768ecc52fca158e70e7709b55bd9e91ed37be

    SHA512

    5c839c0c4c0f2e9a7de5f395c7d3db09d7559c3784f8591a9915fe4c3699c91bea36591823da64b6399a5dcd266ff4111b9cfb50569b0d983bbcdfaa32f4b942

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
    Filesize

    4.6MB

    MD5

    03d5ac613310e45c4cf6e3d576993216

    SHA1

    e7496593e5b213d8fdefbd8223483e7159879282

    SHA256

    d117a898bcc6d7c9f8684eaf4244b5d998949a5c4551961f4837f9bfe18f8232

    SHA512

    a669084aa64430e4b545453cb0b06dcbaf1526e7b562242289390bc440c0412c7b72ba501055965cd32ec40c43b56144cce3f2c25f7497e24b96e8cb3de5a236

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
    Filesize

    898KB

    MD5

    efc23d61681184c3c4129f1ee2bc82d5

    SHA1

    a49f2bb635fc8865378026329838c9b11cccd812

    SHA256

    dc713bd4ee2edf2d2d6155302c49def8922fc2d69df046b6be70101028dfeb70

    SHA512

    6624187fb1e318e39d702c354cb7468815d3df0692f16b5b934d7d239ac73f682c017ec2d83793d99d9012f0a3f3447741309ca07fb316db914e68c1e6b35370

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    Filesize

    24.0MB

    MD5

    8440e2cc5379337b3cc160a2d90ec877

    SHA1

    b802becc092381e86000fc3672f553dbe1afd211

    SHA256

    87e802747f2cd1d323b96306ae3935677fd3a50cf2b9cf8a6dfe39beefe3436e

    SHA512

    2f886eb59edc3f8e4473044dbecd63319e14362167df3bfe01246e60bbebfb49472f8a43cb4d1fb80e6760c29e6521d6f370846673b09c69d504a0b358cfdc97

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
    Filesize

    2.7MB

    MD5

    4ac9c66b5b5a0c4d3d6001ad1009f633

    SHA1

    395a80e7289f0661f57ebd62dd01c3332165004e

    SHA256

    a19851923a7d7eea221f3fa3eee5d297f4aba8dcd492ae273c4ca970be93415c

    SHA512

    459c4445bf18c72f2a1de968e0228be5c63cb3e28888f2dfa5367d32f03980e17e4f569e8c2c8be534ae395183085efbd8cc61f4bbf9a9f15cb7b2c49f511dc5

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    797KB

    MD5

    fc9e65833f1ec287701d1281f68d8655

    SHA1

    a0b2806f07120e47eaf4e09a038d698287be9324

    SHA256

    7a90a71dd112afa260a6cd4f384787dc6957a7829e1217bbbc3c299f243c388a

    SHA512

    2cfdc9d5d23104550412adee9926a3728cdce1c481f2855755a99f268f70015be1f13c8013705937c9320f1860ebd1e3360e9f8cdc5129888db801a88d960549

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp
    Filesize

    4.6MB

    MD5

    6fd950b91927ee19ec1b9046e8c6313f

    SHA1

    68b8d35443e1e705ad7c894cc8d68113d3fccf39

    SHA256

    9c073d2da26cb67865fb4b795adbc2eebe0032c805e0c207c685d03bd2b9c67b

    SHA512

    6c58f7190cf521f04e8db80babf78ed942af7a47842dfe0d9ef8f4632650fad97dc372a0049b2561e39760f264b1a808406d3c29f63ff05659e50c77a4eb726a

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.1MB

    MD5

    158d9775734ae7b5f899cad7f6804add

    SHA1

    248d1899db3d0633711822bbbe5ca4b7dc7ba44a

    SHA256

    dc562fef44976bc926ea6b38abfa5840f7c37c45fd6798d7cdca05f4568dc5cc

    SHA512

    7ab2299514e83b85efc373405de2805774b2c2e08829227d28c91de443de77cd0d08f9fc9923b1b05c483837a8fb6e348b821e915761a8058896618259bd9d89

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.3MB

    MD5

    e49511eedf72aeef8ae8daa92128ed5f

    SHA1

    a4aa3d0323753c3fbbc7ac29ea91e2def14cedd6

    SHA256

    7b366c895f66b4e85744d38d946a83ba04bd155136c8268811c9deae52894bbd

    SHA512

    019b7a79a0d7d91365bc4abdb1c7783a68988be6370cb4de936c1940269372baaffbc2e61c94a4732868138453cab43961b53f516a2381449283ff9be2dc754d

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    978KB

    MD5

    26efae41fdd5a0294be687c8e7c18ebe

    SHA1

    0ddff5d78aca4adc5359d36db1d37dc5aca21653

    SHA256

    f9aa6b921e8eb9b9dcc9607f48e76e2d3f05aabc08b7093c3af07f91bd16f341

    SHA512

    e9ed360e30478a883478eb66670bce82ebd13088a10570e17345cd7fcb9e70aeedb8985665ad1a21e495dab42d7327616a19eb503a4c33d9d8b4a855f00876e4

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    932KB

    MD5

    1f501f4447a1eb931cbf0bff8c04f7a2

    SHA1

    16f4fae61c6ccb97ebb69ef1d3e3eb548e63a5bd

    SHA256

    584412c4a4f6680b50e41c23f88c68b727afceb3d14613e9589ab0482a403784

    SHA512

    3a7fca0a98c9dcda95115e512ae12ffc331a441754e8a98f3559f64f7f1b60279f033cda3d202d5a2d1c0a03e3a928c38ec2a275aa829ad2337f58d9518bfeba

    Download Submit

  • C:\Windows\System32\ihbqpblg.tmp
    Filesize

    1.3MB

    MD5

    62059d8479329eabf104827599581d6b

    SHA1

    5b3751211930c18985049acaa6bd9bcb7abf5465

    SHA256

    4b348cb911eed40a21c188194e87f6bac3e7e44ee7967f4004c894b0ccbfcf8e

    SHA512

    787d77f335c064d9f83e6d3370afbf6d3241e935f355df17ce6fa6561c18f30f3823f915952735106de27ddccea7f3b987656d4c18f2ffeed6b60c949ef962d5

    Download Submit

  • C:\Windows\servicing\TrustedInstaller.exe
    Filesize

    193KB

    MD5

    805418acd5280e97074bdadca4d95195

    SHA1

    a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

    SHA256

    73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

    SHA512

    630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

    Download Submit

  • \??\c:\program files\windows media player\wmpnetwk.exe
    Filesize

    1.5MB

    MD5

    93960a5b540d694950721edf41833426

    SHA1

    c6f70ed33e854b6871a817fb31b68c00abab60f9

    SHA256

    6adb9d36e9513b3054e6a31cc4c5f1b4925c9d9c355494db44886ef061b96957

    SHA512

    c3c15122fc540c2471945c54cf1f242c2a5b7ef6f32f19c922b0a5df97a8ee3dd8cf8ba00c964693d90b7c9d8fbd994e070ed195c800c7b14b070fce677a7e88

    Download Submit

  • \??\c:\windows\system32\Agentservice.exe
    Filesize

    1.7MB

    MD5

    4b2d87ae587e6b8fa69558598deeac95

    SHA1

    c65ca1ad5782aa10d67d4bb04c961a6712c27394

    SHA256

    b1f53255b594f0a548f3b0a86bac0d2965075bca2ad940054b20e638afd590c9

    SHA512

    6bfdafb2c8992e365260f740c5e3abcf0e80fc6b1132ae2133f312c506c34cabf4c7707ef2548f161e980db531436f486d2a2a318fb0711eff222d7b8f44b0b3

    Download Submit

  • \??\c:\windows\system32\fxssvc.exe
    Filesize

    1.2MB

    MD5

    c165eb65befd49b8e268041bd3705083

    SHA1

    0efaccda17d5a6e961dd91fcd93d28848dd6e3b7

    SHA256

    1505d340e51c943d3b5be508cd8510a8fd88a7bc151326bca858b4f914af2ece

    SHA512

    96e017233c3ab8b44983a360e3ada639be3e1a69947fcb05c2f2e4a3660547dfadd0213c4ebcf2d59d7a2afe81be891f91a6a302def41799f5d4105d0838f218

    Download Submit

  • \??\c:\windows\system32\msdtc.exe
    Filesize

    700KB

    MD5

    b9c88b802912a4f88219efd80188e18f

    SHA1

    030abc7a70772db4b980d15d23fe1b20facad2db

    SHA256

    2eb2963e01c323d900f1eec64128c431b8b0a1ce0da84b02175cb42b71328b8a

    SHA512

    17d463d78bc337cf96703bc221a3b1a149c09d4521341717b0dc0878e7b73587f1dc01d0b6abb77fa72288728d4f81e0d79389abfaa62a863bc57620c476732f

    Download Submit

  • \??\c:\windows\system32\msiexec.exe
    Filesize

    623KB

    MD5

    df6a1f4a65a187d35124250e1c255993

    SHA1

    4cbf5da577645b20a58466450aa5bbd22b54780b

    SHA256

    4d2b92b8ed75a7b88b687b126cf80db1115e093d99fd51d33eb115ff2c350347

    SHA512

    2975cc8dd9585629fdc391ab55b47c2ef52f0672c0a3ce7afce9f31fe776de126cc1f6a316ed7ba2aece0abe670c8981dfa26a559c37f9ed4d685d3b9a3102df

    Download Submit

  • \??\c:\windows\system32\snmptrap.exe
    Filesize

    572KB

    MD5

    020b0a1947fbc0e739d6ded289e09ae3

    SHA1

    14fda93f04f3d40d51d018e6cb0d7bf46711e262

    SHA256

    04bee69371a0e830b98d935ab1b2c4d3c6736186f7056f931c2fd45ed3da5ede

    SHA512

    cd24e77fe1f7a89e38d6e90b7bf1cf76bc4e54bd5b0d6e4b79b7058c14d50640708dbb862ff04d21e8e343e2f17c7d3ef348554ecd63ad1fa0280a11757eddcf

    Download Submit

  • \??\c:\windows\system32\wbengine.exe
    Filesize

    2.1MB

    MD5

    65a6a6ac37898bad4521ad4c7c9254c0

    SHA1

    5e1dc051835a75518f087febbd710ab468cde70a

    SHA256

    e02c6e35659cb8ea065d3de5de6f3beb589894f6436c87c7755936d03da6a691

    SHA512

    8c99e1772e4a271fb08cb7432ef5831887b9988a802465b9f5b0588aaf4311af10bc2ce17cbec87ee0f8a13718fa2b2fb38d8ebeb1ea293ac0815d4b6b4f4369

    Download Submit

  • memory/1468-157-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1468-60-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1468-62-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1468-156-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1492-168-0x0000000140000000-0x00000001402E6000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1492-75-0x0000000140000000-0x00000001402E6000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3176-36-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/3176-61-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/3176-37-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4240-0-0x0000000001000000-0x0000000001251000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4240-2-0x0000000001000000-0x0000000001251000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4240-1-0x0000000001003000-0x0000000001005000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4268-119-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4268-118-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4268-29-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4268-28-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4528-117-0x0000000140000000-0x0000000140418000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4528-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4528-20-0x0000000140000000-0x0000000140418000-memory.dmp

    Filesize

    4.1MB

    Download