Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...10.exe

windows7-x64

10

JaffaCakes...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/01/2025, 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_658468285074d4dba41a9d5598139610.exe

  • Size

    630KB

  • MD5

    658468285074d4dba41a9d5598139610

  • SHA1

    94164266a39d39126885b6ad2e7c8cb6619c6ecc

  • SHA256

    020b23f229e7f0d7dcaf21d106cb4848c15d88ad4c0eaef42dcab0ad9ddb620a

  • SHA512

    9c2e4120806b2efecf6a8fa30406b606ea1d3fe72a36a31f55780cbfb6b362a651f34985be7a9ea94d8c94567f1ce36a050f31e6455adc708161771c59651c4b

  • SSDEEP

    12288:Fo25X5l/zQerKrGE9VzGm/Ab0bWIspaUm5A2SKluFFS8h:K25X5ltGrGE94m7smBiF

Score
10/10
expirobackdoorcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 59 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_658468285074d4dba41a9d5598139610.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_658468285074d4dba41a9d5598139610.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1176
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4484
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2944
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3184
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4432
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1916
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:4020
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:3020
    • C:\Windows\servicing\TrustedInstaller.exe
      C:\Windows\servicing\TrustedInstaller.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2604

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      2.0MB

      MD5

      8e979bcdf5f545812a9cdd75362680c9

      SHA1

      9b6d5892bf73909880cd59955058bedef8804ef2

      SHA256

      86464ec35291af9fde45ddc88f329b07937b5b3b54ab442882f35aa751b10a46

      SHA512

      f31a7ba2369a6bbd82d97d52cb368b053b563543ca6a67458802e4dfcb35c34d30e5b5496e504410e7490f31bd6e3cd9d6655eacb7ceb228abf937cc63d5a9dd

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      723KB

      MD5

      c2b85f3900194b233a24f16e54f9286a

      SHA1

      b6aaa86b1ae23fb40e5a7d0662779e6ea5976c0a

      SHA256

      dc0d75022ce15a13d7f68383361631216cc864074b192253c879fc1edc869ca5

      SHA512

      a40cc7954ec278fd112b214235f1ad16d6473d826754c00414e0718952bf71845dd470aa57d1947135efa889cb5f39d5c51642583c8d28eb23bf58615f587a85

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
      Filesize

      740KB

      MD5

      1ee3cb2763dacad8e829a29e5420d86e

      SHA1

      e39d2815f3d4b3f3bcc186d2e11e98f08e9341f3

      SHA256

      cc4a200bf6d05a3f326e6018272426f7d8405eb090403992bfce5b841e4b4b7b

      SHA512

      3b6c45c06e6a0ea7675dcfd20684399d380808d9bf183530d9a82956574eb53cfe9ffdac15b5180ecdefe2fce189e2d6f3361295821af893311320a075957390

      Download Submit

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir
      Filesize

      4.5MB

      MD5

      fe4816bacade24cd812dcc19ee156ff9

      SHA1

      1bb853c61cd9cc0d327ced79fce8d999c3fc2345

      SHA256

      d085c5fd6942bf951de6739b675e9caba6a9688c4689263100d9075ce7274511

      SHA512

      09969e2699894833a632e41e250c6428a41c23f1dbdbe0ac25c869df322f6b4ab02317f43fef2721fab4bd83dd9f7396a5f264bfe3351d9ed51a1f8b784d5c7b

      Download Submit

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      Filesize

      2.1MB

      MD5

      8adc2bbceda8a49c40dabcbe8b497814

      SHA1

      099d4af865e9a70d8e63f0da31ab6d82df2a95c9

      SHA256

      2da6b60ffdb1f42c1add20d3a111aca88d32fe0304aee3c6eb39333124cc78e7

      SHA512

      63e361755cfe3600436495c8332a6ba725c5ae800ef2c3859959a4d6b5e691ccddaecd2cdb162ff0b2c77630cd02e11f5fa331d8c52b2debc3f173016764b45d

      Download Submit

    • C:\Program Files\Internet Explorer\iexplore.exe
      Filesize

      1.3MB

      MD5

      d2508b24e723fa484811e9ea26baf96e

      SHA1

      c27b1348574986054e2d45e131983ae04aa2063d

      SHA256

      8419f87ade5bde15fd1241df2813541362c82a783fd2b03d865847417cfa33a6

      SHA512

      434b48d208f9bd28535e99412569e667b550f4af10a39a0858dc5d9f347effb4e7b810dded8c1a1540c59baf7746e68cd0296a4cc1ef12bded9739cfb61794a9

      Download Submit

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Filesize

      923KB

      MD5

      7c7337b27c077fd84d5652adfd615482

      SHA1

      d73f04c60d5b736c2c7fc0dc29a22436dff1f0ba

      SHA256

      ae4e24d3cf650130f524098890d141e20fdf9473f036ea9461b517405276327a

      SHA512

      0fcc8740932b6c5f71af17884bcdbb75ef1203a9b23b193f13d63c2d84151eb3a41df02395a9f2b6f8ac8123af8442b64812ab48e58752531bd81b6811417763

      Download Submit

    • C:\Windows\System32\Appvclient.vir
      Filesize

      1.2MB

      MD5

      f5456dbdb2a5372cc56a0881a0464590

      SHA1

      4a2a58b8754bfe256a951d884967bbe71f13097e

      SHA256

      04295c976953642f70d482007f9409c213ad7732303dcf99224d4f53ca659a34

      SHA512

      b7aa972d7ef216bc5554e07099c00ab71d36d4cde3ae880d9df56daddad837411a9d84d20cb0cc5e06363b12c910f0ac543dce735c71bd19f6bc09160a33d8b2

      Download Submit

    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      Filesize

      874KB

      MD5

      46c9aa2981797f4a5984c5c7c0936163

      SHA1

      fb4c6c867f4b6af7131cee2f6a72163f63455609

      SHA256

      b32208c62c21635fff98e11029a4c29afc32546b890718f988fdea45c08f401e

      SHA512

      dbb8bf8f8862bcb0b68f6cd5a352ed3a59dcf22cdcdaf4eec2b46bc5b86c73696f67953504876412c966c4090b38f9758756ed965647a5db46afa671795c7701

      Download Submit

    • C:\Windows\servicing\TrustedInstaller.exe
      Filesize

      193KB

      MD5

      805418acd5280e97074bdadca4d95195

      SHA1

      a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

      SHA256

      73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

      SHA512

      630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

      Download Submit

    • memory/1176-2-0x0000000001000000-0x00000000011C9000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1176-1-0x000000000101D000-0x000000000101E000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1176-0-0x0000000001000000-0x00000000011C9000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1916-36-0x0000000140000000-0x0000000140209000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-58-0x0000000140000000-0x0000000140209000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3020-143-0x0000000140000000-0x000000014023C000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3020-73-0x0000000140000000-0x000000014023C000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3184-126-0x0000000140000000-0x000000014036E000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3184-110-0x0000000140000000-0x000000014036E000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3184-20-0x0000000140000000-0x000000014036E000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3184-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4020-60-0x0000000140000000-0x0000000140209000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4020-137-0x0000000140000000-0x0000000140209000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4432-28-0x0000000140000000-0x0000000140365000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4432-124-0x0000000140000000-0x0000000140365000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4432-125-0x0000000140000000-0x0000000140365000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4432-112-0x0000000140000000-0x0000000140365000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4432-111-0x0000000140000000-0x0000000140365000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4432-29-0x0000000140000000-0x0000000140365000-memory.dmp

      Filesize

      3.4MB

      Download