Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 10:06
General
-
Target
JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe
-
Size
618KB
-
MD5
644e4d14dc2e71ecc9d70a2da540a360
-
SHA1
16c218c345c43c62bc8521ca2ae6f6dafd0fc2dd
-
SHA256
330558405a5486392d856908bf7592473c817685d266289b425e93a676661bee
-
SHA512
ba6434209666d03aaeb921b0434b4dd5c27e816a3bb92a86f89abb03fb9b6bc8b9c3f9d18752f6e36fc84d82fe9138b3e65fa22921b0eb6f3d99f179f8762e4a
-
SSDEEP
12288:mbhv02bZop2mk2jALtaOWe6x9aGMjefpxlLpNjt6bVqyYSiOPAW:mb502b2pdkKARIe6qGIYxpjgVDYgF
Malware Config
Signatures
-
Expiro family
-
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
-
Expiro payload 1 IoCs
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644e4d14dc2e71ecc9d70a2da540a360.exe"1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD500b7209c309570c5ce8e3a50f501edfd
SHA1b8491e2edada4c1e50a1994ad1549d4282511a9b
SHA256898a2ff02092af06ad587e78e823a2784e55040b755c6af39123b5411a40c004
SHA5123cea806d4520d14f752ad4f8c127b563ac424727a356af685f9b3565fb1e09165a5cdd5716e2e9599c662803b8f9f64b27bc688929091cc92d3f7e75023bae2f
-
Filesize
781KB
MD517b062e1055982aea7fe639f67b33a33
SHA130d3b8effbd8cc125b88633ef9c1388025f798de
SHA256bb57d9cfbc3b9f4111bbb1c7e4e8bb8e2a2b65f56c7ae143695d9dc18e83509e
SHA5126c063485994382c8ab23bd61c3a0a514afcf319143b50a2b226cf25c9b36aab60fe560ef6d52d8db7f787ec45260f309d0ee93bd21e80ac6960408b1e74accf0
-
Filesize
1.1MB
MD53c6c9850d67dad538bf5e4ceea06623e
SHA17e0f7cb4f3c1cea2b53545fd8233a25338e72ff4
SHA2569b45ce9c58dede2cc4c5170a0382214108937cd5786bcdcabc1aa8d58b434b8a
SHA512a18e59c1c27f7b196678d202cab006cbf7d0d98dcc3ce976587bfa9d2d972801a9f60f5da638c744d91029b39acebbd2f6cab7a8afc435ab98b0e6d678fb6fbf
-
Filesize
1.5MB
MD574ffb49eff4e2328ff1270b4010f03ec
SHA126e5b586d6dea5179d86b68853917793cd689b0a
SHA256b895e7d3da5b13888d23f4dd98417f80f9d22a8b947c2b08b313cebf5ad1a851
SHA512b9f5dc5f6ca0a4a5020f1d46aa4b90023dbd610bdfd6e1b8a225a32a6f7e6a94da20dcd82217fa839da9a9249913317f659d2e2da999eaf0d37a3105a49a59b5
-
Filesize
1.2MB
MD51a3085653c40ba60cb5f09711f602a63
SHA11c79da40998d83c34d28de29d5cdecb549f5100e
SHA256ffe242b19dfbb45db12f55289d32d1991b927a9fb9baa6e72b2fbe67efea79a2
SHA512dc478151312e1a134a9ee7e14bbb9499335508e6843d9993c14de0f52276517072b96de2a66dac0a8dad6953412086c375d88c2bf9f7144633e4737cdd6d2bfa
-
Filesize
832KB
MD57da83f9f541d80aadbff3f9338d5061a
SHA12ed33a7d7577a946e263a8e7103a941ab61c34b5
SHA2564966a0a14b73aac3d332fe205dbe016f8a69c7226a3236b5b744e14e2f87778c
SHA5129f27533dcb5b902a30247a652c7bbae1e4a9d24558ff985b6d04fe9e7a5e9d846550d4015ef21558edb4212b265df9156569ecf92602ac76ceec519e38d17a92
-
Filesize
4.6MB
MD5a203dd29dd35b8cc948f6c3a082780b2
SHA1b72df21a2a3a734ceb07a6339c42219d2db9e044
SHA2561dc143d818ead09dbaa49f232dd6f4308ae8ef1973547e480041e2ae2c0f2816
SHA512cd30798a36d5329db9efba459076a463b7270a3f9922a5c2085439a43cee0e358e44317b1f3f25fd94bd09e8bfef52403364bc31fa18261eed20940607db51b5
-
Filesize
898KB
MD5413707758bcc8ca01d18edf949e36732
SHA1e382175cbb5bd835d1f3e386aeaca0775533c12b
SHA2565bc8bf66ceb23d05c6dabaf7c0ca4573d6e738f98ef0ec23b9c58ce317d5162c
SHA5125789cd26df5bda22921d0701812d420e59353dbb8b4e2ad2e7c6700e50f3aea1df96864c18c5e9ba942809fe4af093bae7136ebd6403a6f334d3a551b9393bf2
-
Filesize
24.0MB
MD5261dff7e2665c08c3a3acd745dded40c
SHA11c34b8943fc3e63170b8f0e12af858fa7010e768
SHA25696b1b067dd084b14eab6837848a28b5236c302918ba433b098d61faf5c2af610
SHA51204d3af4e19cfd907576cec64b723a787073e71170d97e38c4ece36bb8833a674d28400d75e64694b7eff3ffc5d7e9753d30d6d6ef559b627c89d606dced5d976
-
Filesize
2.7MB
MD5c576286886fb447a9d57ac1e3c90d9b8
SHA1e75036bf619ccdd7b1c465691bfbd370f25a141f
SHA25667dfa4a16b9fda06d8a05d2286b7bedfdf9a7fe0f5ce9e678233eeb9215a45e1
SHA5125428634d18d2377ef47898c49bbacddb370fdbbbfa6dbd87569e7f6e42cf45a457b3852e699dd2687bdb7d5807d95d75fa1d6f7ce6010ea99f74d90ef79df14e
-
Filesize
797KB
MD54a5ae94735306ce1f8b596b29cccf414
SHA14cffcc7d990a26d9c04a94f70e1b5483f9e5d6ed
SHA2561021c03eceb59a2b06c0fbba923f69e76d5c5be9e752147859d42be24d852d47
SHA512b6a297962896a243a15bf0da50f594d0f3630927c86d8a6026654df177f4907f874a89b1d8ced06cf383f2c0ec52d82f9d3906fb570ffb727e67ae05ba6cd638
-
Filesize
4.6MB
MD5f7bd44ddea55feb9d7ff663ace8db142
SHA114c4c7d466c3201dfc43533ac1179b92729c7a14
SHA256f0c9f20f01c8dde26ec798c5aff2b9e085b21d4692f771e25b214e3b46f5f14f
SHA512b40d872e07dcbdc57f21a6a4228c98744d4ec33449bf821e9d5fb6f1c0dd787f28cb91339321fbd7430fe36bf7be0fdb8a1a7f414cf2126ed7314751a503898a
-
Filesize
2.1MB
MD5610ebbf01f9293e835bad92c8e142ddb
SHA166b7332b2e52f8008f4b59485f771fbea5d7f71b
SHA25662acf5047c7f408dc1b0170471df5bbc3852c11715d30c7dc447cdaaf183a9c1
SHA5122b6b74bb2561148f6d402711c9e8019ca14902c24c61ccfebf3ad243f1a88bd284f6254127040c87c3ef6216a640442213746176b23fad8f30fe75cde9240a86
-
Filesize
1.3MB
MD5ccdce701d069517748939362c3e305b0
SHA1a3a9f6851bd43c372644ccb6f60796505aa6048a
SHA256330edf0ecd72713d91e50d4655d6e2be2d403218a8161d8055ddaaf4fc307769
SHA512c635f2f66d068d015852b4cd9744bda5e7d7e7fe9cf066e1fb5032d346b1e9072f0ff95de067c8b760d9ecb0c329bc82a127754603e1df3030382eaf05b99c54
-
Filesize
978KB
MD5f8689e9dcd03542ce0717d8fc420126d
SHA1489a4805c86b85f26518f2f9035aac93d9037d83
SHA2569c9b1fe48004cbc4e56b7a4ee9f7953d466d04e1fb9d5be9b01ccdb2383def2c
SHA512017bc57a10637d2730a0d13dba53e471be31d61a32dd23f74215399bdf9e39ee8c1ff8714152c3fea2d123af51901fa42e067b33672dda4e9e649cad20a1bf64
-
Filesize
932KB
MD575a686e07568c4b8f45938453ce41bf9
SHA165b37680ba556ec685bcc566b76fa1fff3318815
SHA25679f6d3e9c709771397fe91067886b715eb4b7b8e15c270ed3ce3245bb08528f9
SHA512cb1f4a32e44a3079734270e6cbf4d88b84570b875bcd27ccee606c6546e40fbd96c75d652a0ace5d21c399543c6bf469244eccc94e459168d57a3fa7b40fc46e
-
Filesize
1.3MB
MD5c91efbe70bcf6e6ab27ead1eacfb2aed
SHA1e17e33ce05ab593309284abdb5ef6cda78cbc46e
SHA2560d191f66d2c53188a9e32186a96f6963945999245e8f343ea9145c1d79ce9485
SHA512924070091cefbe2da7fd521ad5651cc8520c55b6f1cd683da50a921a489133fd3702aef2097310efdf05373f6b302d853cf691dfb0419b97c407febae1a04188
-
Filesize
1.5MB
MD5230dbf6f7c86a439dcbd6e33884e215e
SHA1dc7b84ec737c0b43bb9b87941528a245fcef4a3f
SHA256bf8daef3f769b628f473010ad0c48303126c8f852970fb3464c95339b9c5cb37
SHA512068210af07bf03d0818a4a0e333872e3ac79e6a1d41ee94679dd7afe9327cf5d6a8fd8c06f12686719894d2e8e2ca9e47aeb61b47c06fe2e233d960563aa2c0a
-
Filesize
1.7MB
MD597efba296af37014ff3aac114526380c
SHA1ac80dc05dc7da24ca04bc26674df36a238e39d6d
SHA25606afb74b30145d64722cbc3677dcf8c0e262f742be5fabb75739e8f9d5b4096d
SHA51297d13b5b96fc06928d5ffde4cab9704ff531c85c5992e2e4b1bedf61ba903f79e346287d60c0007d4d7c70ffd8748c6fc50acf37c1f490e1cf5f7c3945c0f1ea
-
Filesize
1.2MB
MD51440c46fb43acc40d97d158e26bc8fe0
SHA135efd35eb198c12dfd7b179c3fb26917de78b628
SHA256bcff342977d45520aafb85662e56a865fe0e3962a1839b1491dcb0ad1114e3f5
SHA512e494a76ec96bcc0ca2847b41a44b1ea87ca7fdf8ae01dee95401349706fa39cd6f256f8b71497c1e391b397765f7c3380d4497368d68823dbcd85cb5bc06ce70
-
Filesize
700KB
MD5cda3c46afebee1459d40aedf5a9c2bce
SHA1c4501c07821e7036f1f1252dbd0e713ef0000c55
SHA256870af49d0987a236700c067942f898532bddf8e3a93c3d0d283fce33628f6fec
SHA512b4990461971f208496282e309f44b2d7cd5e8cffd15e23b7872d80ceca278b63a286543bb4f16660570b3c8ba4646aa4202c32ad3471e6f4ac0692c83b14780f
-
Filesize
623KB
MD5310ecd35641978b91b6a2da276333543
SHA18ec283f187402163bd936dde8d1abfe1f5b4cbd0
SHA256a73ac7fe63214b9477af2df528019b14dbb9884f6478b74d98ff44d6217a4e4c
SHA512c5487ac59e99c586ecfb560f747533c5c93642da25d9375cb1d75a885782077e4281c1f28956dc708f4c7715b712495ae5acdb9a969647e740d5fc9fbd0eda33
-
Filesize
572KB
MD5446b984bd26c3a8073b803ed8e5f2d1d
SHA1acebb8ecb844f58cb222d930a362e251a5ad8ce7
SHA256a1c35622799d524ab9a5bbbdccb4c0d5889321f53290d88be6569b3db2ed7988
SHA512a96dd0cc5962121365516a8b07a0508f29fbccfd3c885c2e2e8b4c7eeeb8d9ce3afcaccf2577d5f7abd05a02a8326cb04020027663e52e287ac5332503df49d1
-
Filesize
2.1MB
MD5f841108307481b37cde472ced0986c0e
SHA16827fa3a011017c7b9051397d00840d85b266a8a
SHA25698ebd6f6e5818bb03e7f81315179832f8b85b89046489dbff8561bc4743e3fc9
SHA512db60a3226356c983c4eda387627a7faaae3207be63417612ca36a945512b19a53dde39f394227c1c4a00bd683201dffe4e865de875dfb9b1bf3e14fa17aa176a
-
Filesize
2.4MB
-
Filesize
8KB
-
Filesize
2.4MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
4.1MB
-
Filesize
4.1MB
-
Filesize
4.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.1MB
-
Filesize
4KB
-
Filesize
4.1MB