Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
02-01-2025 13:39
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
-
Size
406KB
-
MD5
657e840c027a6c8eaf958cee20ebaf2d
-
SHA1
eec553924c9cae436a0170b2d3cbf9d5321242c0
-
SHA256
5483834382781507cda0a37caa8ee98a0b48166d7db5dc040bfcc19c41212628
-
SHA512
4e7231d37805c3a1df853cb71b75c4e9705db2857859c6bc22afd2d04343473e70be0ff9a5707ab3ee3cca09469260c116deef2272a5c90db35482787484eadd
-
SSDEEP
12288:dvqlqSrzEAupLiPuSrN0rMaAg74Z/R2/6LM/5OPOOYp+Bb:JsqSroAupL8uSrOrMXfbPOOC+B
Malware Config
Signatures
-
Expiro family
-
Expiro payload 3 IoCs
resource  yara_rule
behavioral1/memory/1952-2-0x0000000001000000-0x0000000001186000-memory.dmp  family_expiro1
behavioral1/memory/2140-27-0x0000000010000000-0x0000000010161000-memory.dmp  family_expiro1
behavioral1/memory/2248-67-0x000000002E000000-0x000000002E177000-memory.dmp  family_expiro1
-
Executes dropped EXE 3 IoCs
pid   Process
2140  mscorsvw.exe
1644  mscorsvw.exe
2248  OSE.EXE
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 IoCs
Sets EnableNotifications to 0 under the Security Center service key for the logged-on user's SID, which suppresses Security Center notifications.
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000  OSE.EXE
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000\EnableNotifications = "0"  OSE.EXE
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (21 drive letters)  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (21 drive letters)  OSE.EXE
-
Drops file in System32 directory 36 IoCs
description  ioc  Process
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\locator.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\alg.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\vds.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\dllhost.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\syswow64\perfhost.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created  \??\c:\windows\SysWOW64\svchost.vir  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created  \??\c:\windows\SysWOW64\dllhost.vir  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created  \??\c:\windows\SysWOW64\searchindexer.vir  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created  \??\c:\windows\SysWOW64\msiexec.vir  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\alg.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe  OSE.EXE
File opened for modification  \??\c:\windows\syswow64\perfhost.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\vds.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\locator.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe  OSE.EXE
-
Drops file in Program Files directory 64 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\DVD Maker\DVDMaker.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Internet Explorer\ielowutil.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\java.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\program files (x86)\microsoft office\office14\groove.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created  \??\c:\program files (x86)\microsoft office\office14\groove.vir  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe  OSE.EXE
File opened for modification  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe  OSE.EXE
File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe  OSE.EXE
-
Drops file in Windows directory 27 IoCs
description  ioc  Process
File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\ehome\ehrecvr.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\ehome\ehsched.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification  \??\c:\windows\ehome\ehsched.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\ehome\ehrecvr.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  OSE.EXE
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe  OSE.EXE
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log  mscorsvw.exe
File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3FC7266A-BFEB-409C-BBBB-D6751EEC4BB9}.crmlog  dllhost.exe
File created  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3FC7266A-BFEB-409C-BBBB-D6751EEC4BB9}.crmlog  dllhost.exe
-
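The three file-drop sections above (System32, Program Files, Windows directory) list one row per write event, which hides the pattern a responder has to act on: the sample opens existing executables for modification and, for some of them, also creates a `.vir` file with the same base name beside the target, while the dropped-and-executed OSE.EXE goes on to touch a further set of executables. The script below is an added example for this page, not code from the sandbox or from the report; it parses rows in the report's `File <action> <path> <process>` shape (a constructed subset of the rows above is embedded as sample input), groups modified executables by the process that wrote them, and pairs each created `.vir` with its `.exe`. That a `.vir` is an untouched copy of the pre-infection binary is an assumption to confirm by hash on the host, not something the report states, and the code labels it as such; `ose.vir` in this report has no matching "opened for modification" row, and the pairing reports that case separately rather than guessing.

```python
"""Group the report's file-write IoCs by process and pair .vir files with .exe targets.

Added example for this page, not code from the sandbox or the report. Input rows
follow the report's shape: "File <action> <path> <process>". SAMPLE_ROWS is a
constructed subset of the System32 / Program Files / Windows directory rows above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: rows copied from the report above, one per line.
SAMPLE_ROWS = r"""
File opened for modification \??\c:\windows\SysWOW64\lsass.exe JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created \??\c:\windows\SysWOW64\svchost.vir JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification \??\c:\windows\SysWOW64\svchost.exe JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification \??\c:\windows\SysWOW64\svchost.exe OSE.EXE
File created \??\c:\windows\SysWOW64\msiexec.vir JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File opened for modification C:\Program Files\7-Zip\7z.exe JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe
"""

# The action is one of the three phrasings the report uses. The process name is the
# last whitespace-free token, so the path (which may contain spaces) is everything
# in between.
ROW_RE = re.compile(
    r"^File (opened for modification|created|opened \(read-only\)) (.+?) (\S+)$"
)
NT_PREFIX = "\\??\\"  # the \??\ object-manager prefix the sandbox records on some paths


@dataclass(frozen=True)
class Ioc:
    action: str
    path: str      # normalised: NT prefix stripped, lower-cased
    process: str


def normalise(path: str) -> str:
    """Strip the NT prefix and lower-case so the two spellings of one path compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def parse_rows(text: str) -> list:
    """Parse report rows into Ioc records; an unrecognised row is an error, not silently dropped."""
    iocs = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: %r" % line)
        action, path, process = m.groups()
        iocs.append(Ioc(action, normalise(path), process))
    return iocs


def modified_executables(iocs) -> dict:
    """Map each writing process to the sorted list of .exe files it opened for modification."""
    by_proc = defaultdict(set)
    for i in iocs:
        if i.action == "opened for modification" and i.path.endswith(".exe"):
            by_proc[i.process].add(i.path)
    return {p: sorted(paths) for p, paths in by_proc.items()}


def backup_pairs(iocs):
    """Pair each created .vir with the same-named .exe that was also opened for modification.

    Returns (paired, unpaired): paired maps exe path -> vir path; unpaired lists .vir
    files whose .exe never appears as modified in the rows (ose.vir in this report),
    which a responder resolves by hand rather than by assumption.
    """
    modified = {i.path for i in iocs if i.action == "opened for modification"}
    paired, unpaired = {}, []
    for i in iocs:
        if i.action == "created" and i.path.endswith(".vir"):
            exe = i.path[:-len(".vir")] + ".exe"
            if exe in modified:
                paired[exe] = i.path
            else:
                unpaired.append(i.path)
    return paired, sorted(unpaired)


def hunt_list(iocs) -> list:
    """Flatten the grouping into one line per item a responder can check on other hosts."""
    lines = []
    for proc, paths in sorted(modified_executables(iocs).items()):
        lines.append("%s modified %d executable(s)" % (proc, len(paths)))
        lines.extend("  verify signature/hash: %s" % p for p in paths)
    paired, unpaired = backup_pairs(iocs)
    # "assumed backup": the report only shows the .vir being created next to the target.
    lines.extend("  .vir beside target (assumed backup, confirm by hash): %s -> %s" % (e, v)
                 for e, v in sorted(paired.items()))
    lines.extend("  .vir without matching modified .exe: %s" % v for v in unpaired)
    return lines


if __name__ == "__main__":
    print("\n".join(hunt_list(parse_rows(SAMPLE_ROWS))))
```

Feed it the full row lists from the three sections and the output is the per-host verification list: every executable either process opened for modification (to re-hash and signature-check against a known-good copy), the `.vir` siblings to compare against before anything is restored, and the `.vir` files with no visible target.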
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mscorsvw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  OSE.EXE
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid   Process
2248  OSE.EXE  (26 events)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description  pid  Process
Token: SeTakeOwnershipPrivilege  1952  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
Token: SeRestorePrivilege  2636  msiexec.exe
Token: SeTakeOwnershipPrivilege  2636  msiexec.exe
Token: SeSecurityPrivilege  2636  msiexec.exe
Token: SeTakeOwnershipPrivilege  2248  OSE.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
1952  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
1952  JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_657e840c027a6c8eaf958cee20ebaf2d.exe"
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1952
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2140
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
PID:1644
-
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Drops file in Windows directory
PID:2848
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (2)
Credentials In Files (2)
Downloads
-
Filesize
336KB
MD5
7b20219cb99a6690b228af9f23567313
SHA1
edbadfbfee8f68a75eff2d2a8a5119ef9f83a54f
SHA256
a4dceb4d2f19a87d3623f16d6437e4a1f539a17c56894b3562a55c59d8a1cd76
SHA512
c6db8cf11add78bd1f65a7d609f29875cc3c8c2bdc928a5598e24f32cbf1f5ba950e55d1cdee72efe791ae78611f9feb1cc188f4c0c392550afb7923df915f23
-
Filesize
1.2MB
MD5
4bfd6f6d9710c8ecb950a0dd4b910073
SHA1
61572fc28fad621c6eb471b669437628c180b14d
SHA256
d639933800fd06d55803eeed236d42cc22fb1ad76dbc0f11a0e9b2db466a3608
SHA512
21bedca862a32a9572a34a1e2002920bbb0b7eddabc0d61f080a49b858fd1d1f7821e378e6c472655b690184c1df360d0fcc41af334591ec39ba3470b9ffb006
-
Filesize
336KB
MD5
7f8105844082d85f958b946987bfc491
SHA1
6d7eb0b9ad95781b7df88bdd1c99fb9ecdb99428
SHA256
87369fe0bcce404ca5b0f57abf713cc643edfdf4dad3fba381a3f46436f1cac1
SHA512
a63c672c740bb805f09aad008fa4b549d18dd8a4a4f92fab27be14aee7ff60689a632d7309a57ede91a9f0bdb97d8fe3ca5fb6cd09ff38ee2c99c40d4a30957f
-
Filesize
255KB
MD5
a9a58a2c20ab0a65f0f6a95c43d5af96
SHA1
8247a0f1d8b101a6985ae459b66b00b73469195b
SHA256
a227c0adad758512e0ec690f40faf590c8d53d132b68ad833e618a5821b44904
SHA512
327524d92ef8dd535c81fb1a5a4757dfc48ed65e3babb1d164514b41241e7e212b1b0d2cf7173ae4d5fa7c9d76540a12cae1cf0512dc86a4e1a7a34c7a3c05b0
-
Filesize
1003KB
MD5
39594ebf4e3a4e86d7a91646c51c8ab2
SHA1
5a10c26d475851e0f665e9aa47dabc8060f4c783
SHA256
7e11887d6b2c186eaccc303ec3e488dddcdef8d475989fb2de59a8296398521e
SHA512
f1983c0179f5a8cbf5bfdcc2b90ba391387a62761f35e27ba9714c6a735216970aa9b3b619671e77d3e2957881dbac776a5d8c5ad48f5e112cb7ef8fcc410a91
-
Filesize
286KB
MD5
98cfa01965cc88447af5c00ba953e81e
SHA1
24b9677d89301df8ace922256150966d44f11892
SHA256
2b871d24a13459e829f42da34d3eb00392e0baa3201835c2ff452ea95b21a3af
SHA512
b67485d7fce1ef0c4b5ad51f11a891f3095edd4dce22624a3dff120357887fac6cb42951911d61a3b546a82e88400b65690db8c8e262abc74be8ae73cdaedc79
-
Filesize
29.7MB
MD5
0f0e6c9f3d3039ca458ce7e42ccc1c5a
SHA1
71a4e8f00b466ab5a402a5147eb2c3d771f73ae9
SHA256
9a117f2f4ca9af1c98f5f74c5391b0ca14063f048d3ecd56bc69e8f3bfc86946
SHA512
c70a826fc7dec6ddd0bf1ac9f6797afbeb9515feb1824b86a94e9a3eba26b9867d0879b7e1b5be41eeed7001255173a872cb6f464dd24ec670168ef066a36724
-
Filesize
614KB
MD5
af431825feda030cad1573bb6f3f08ef
SHA1
d3c33e30394f81084da4d7558e4702904925120d
SHA256
7e7752d35e08874cebbf9b43c6a95dd71f9352ea819bfce26f060df7727f625a
SHA512
db27c37e5cc5daa84a9d7fa141edc99b265592b26b00c5d23cc0736c97f1127cd9aa1c1222f1f11585cb692d1abee1aefab8acfaf8c0595fbc751cbeffbadece
-
Filesize
216KB
MD5
61074e48b661bc8ac4aa06d6361c8d46
SHA1
b5800256f7225c4cf854ebead20eb7a97098ea67
SHA256
1a7e5de3d50d75303003889d420bea0e615dff7a55ea622600f9cbe0cc361a5a
SHA512
60745fe30fe7615c5d781bb384cd0fab607e8053cbc84058835982d6ac6b74447e920f7ea5cc53e7715f4e745d2e6f4fad89fff4f0ef0126ca7ef3e50f7c78fd