Overview

overview

10

Static

static

3

JaffaCakes...84.exe

windows7-x64

10

JaffaCakes...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_679336e9681bce4babde58d1822cf584.exe

  • Size

    875KB

  • MD5

    679336e9681bce4babde58d1822cf584

  • SHA1

    37018add47ff572ba48adac742fb8dc7272c4832

  • SHA256

    67eb7fd773412f45592e93da44f06960c92a245aae356349dee9171f5ed8bae6

  • SHA512

    160e727989f9c59586961b3c97b2fa90a497efc5c3ce9f7e67365a5f44d3c9fa4986eb589599bb73fba8403242a527aa8d6ee3e93c59296731de67f82ecac4c5

  • SSDEEP

    24576:pQtN/7DSBfWhzn6OZTxJ2L+AH7W7lvgX:pKh7GBfWBn6OZTkH7Qo

Score
10/10
expirobackdoorcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 61 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_679336e9681bce4babde58d1822cf584.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_679336e9681bce4babde58d1822cf584.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1796
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4268
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2576
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:4596
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:4476
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:1760
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:884
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1060
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.0MB

    MD5

    79dfe87e30cf317725385a84404b459a

    SHA1

    192d454c3c9cb877bf7171a07434e8236f4ca476

    SHA256

    9935181877b080aaf44ad629f078a3972ae29d5b51be4e721777de393326f547

    SHA512

    dd52c001e67668844aa8470ab4f6d7d853adae4cd1c820d17bf663849aab41db1169998fb71c0b9b8d54239f93aff7ebd9b5c51705f5d19c298f2705786db799

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    723KB

    MD5

    38aaa147288eca02b54a3297f0d3a454

    SHA1

    ecb86cfe5caa27e01f372efbcc315012bf9d896f

    SHA256

    f8f7946ac40fdf58eff0663a5770e265af22484d7e0ebb1d398f84f625d9e5af

    SHA512

    fec8f5d728f0fc1b7a7132ccaa7828fd4d308d6c447870d1eb5de6ba3bac277bb286a187d2015388904da4d935de5eedb0ba98938997064afcc91cdada877612

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    740KB

    MD5

    b4501747d5d3706bfe0f52ca677e4bdf

    SHA1

    69a066b99fccfeff59dc48fcb9524c8bc77a830c

    SHA256

    53dcca326ebc03716709327b36fe32c46e3758eda5d71c9bc72df3134cf6cb01

    SHA512

    b0750a3975de08d3b81a4ab2341495098c692a1287e822850ce62abd817d8c87b954b6958ed4b489eab9afbc6b302dfc3964bdf9f749fc406fbddc710fab5abd

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir
    Filesize

    4.5MB

    MD5

    0a8a5aaf2106a50557722378aa35af5c

    SHA1

    e7cdad5ada7ba206a97b7218faf7cb70eec96c0e

    SHA256

    171557cfa8ef1e3037275bdc2c57f5da70d38cb320d7eedf6607215bc3291f95

    SHA512

    49372fc48ffe99ccabc48884fb83ae2d013a11fbdcd2523a3fea21c87d4d0560e55697c9fd61bc6420463407de1ce103a45e9e0cf54b05fcdb7dff23ecf0f66c

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.1MB

    MD5

    23b08888cf56d1cf784ff5aa0724aa5e

    SHA1

    c5acc40ace7a6e9559f86b0719e1bbd54aa12f15

    SHA256

    50f97c97c9ed6b0d5e2d0217ba9f0aca81e6cc537919157b0eccb5b046cefe21

    SHA512

    c4f37ca081567576660d6b87d37e72efeee54beb5708c88a0768e90539eb1d0e8238c13898b8b96094b44abeb668686d3eacb3048d8715367e610bc7f034a711

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.3MB

    MD5

    e2ff0aefd7d3671435dc63c7f99a956f

    SHA1

    9be45ba1d002c405122eec88c437731a565028cb

    SHA256

    c81ea0ae6fc919e9f3f1c617230f6acede822ce9e7faa4d35343d4fd48b2f923

    SHA512

    ce4e5a41fd368c7ddeac573089b8a40a51d55be9d50ac9bc5491a98c575c5651f7a69456081b3f1b46b93f0ab53f7dbf4f9d2de7a3d71185e624ec4dadba5a98

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    919KB

    MD5

    896b188b09c3a2b361ece2530d6e16a3

    SHA1

    47aaba47c74c7da5d78a6b6cbc38b1f8c33ce869

    SHA256

    72311bff8d33b6fc5517fc042fc793e98b8c0a41f95a510be52729fd6ddf925d

    SHA512

    e3169c8fde79dabd1144b4e5bfaff2cf65535b577955db92ae4e123ecd5ee4e786e07e864541eefda2b319d33ff9d8e77079875cedd38dba16507783429a20ae

    Download Submit

  • C:\Windows\System32\AgentService.exe
    Filesize

    1.7MB

    MD5

    ec4c7f6b890e2c002de5892572db30d1

    SHA1

    23169e00934b58f7fe26a51153669602055acb99

    SHA256

    2881a446350064ac8c77915521d5dc132c03c26ed324e340c74a3a77ce07a81d

    SHA512

    7da87ef2fca1e32f2fb44733a91914556281d49bd2deced0b84d5fa09ec84c938482f062f502dd4c4f3b32a0c7ca789929563782227d7705234964b5c834788e

    Download Submit

  • C:\Windows\System32\Appvclient.vir
    Filesize

    1.2MB

    MD5

    70544cc3ce58af6e7aa65f81585a4155

    SHA1

    c0616d02dc5d6645d49c1281f45b4a994892a810

    SHA256

    a3483cfb48448bdf204b45ba773d2a5f3fb1eef81d54b086d1351b1119741d8d

    SHA512

    f6d9f6ee0f63ea25da07164c1a6927c8665c803181041b93eb1347a21690f81cd7016ddcbe4c0fe9c0c243fc7f8c6671a9c87385c138c5b008088a4a84a86c5b

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    874KB

    MD5

    f02f0c8eed264d7ff6f5dad6b440fd95

    SHA1

    01b8dbe4c0f8ed9264fec7f32a1ed8ec158d703b

    SHA256

    67e57ff67104605584af5fc17c30cc267b4ab80866b2002be6a9d1df65be4c83

    SHA512

    90af05d34ee0b3b45475f64c63988185f2b2b18c411debe82a5a5d266e5a96c8a0d507d266f9a3b37ecb6d459a991db1b22a08edba79a37693a3afbfc17902ff

    Download Submit

  • C:\Windows\System32\wbengine.exe
    Filesize

    2.0MB

    MD5

    42fa14067b6d5b6def90806e11f5a550

    SHA1

    9b2c30ea7006fe06327dfcce4cc8c42c70b45af9

    SHA256

    fee7df8c68a1dd205e0d99188a76c25b7150feeffda90feef1db8d1dfbe0006b

    SHA512

    57472c01936895bd77f259bd3c3de79ac0ed3e48520bb8ec1fc850c1f66dae755c11932c18c53f40c5927a0953c4af55f1f4eb2b79db8453a7f0be6b2b2bfe12

    Download Submit

  • memory/884-81-0x0000000140000000-0x0000000140300000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/884-87-0x0000000140000000-0x0000000140300000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1060-172-0x0000000140000000-0x0000000140356000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1060-89-0x0000000140000000-0x0000000140356000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1760-171-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1760-169-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1760-153-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1760-73-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1760-74-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1796-0-0x000000004AD00000-0x000000004AF06000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1796-1-0x000000004AD05000-0x000000004AD06000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1796-2-0x000000004AD00000-0x000000004AF06000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2576-28-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2576-29-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4268-20-0x0000000140000000-0x0000000140374000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4268-21-0x0000000140000000-0x0000000140374000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4476-59-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4476-142-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4476-170-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4476-60-0x0000000140015000-0x0000000140016000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4596-37-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4596-36-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4980-752-0x0000000140000000-0x0000000140356000-memory.dmp

    Filesize

    3.3MB

    Download