Overview

overview

10

Static

static

3

JaffaCakes...10.exe

windows7-x64

10

JaffaCakes...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_69256e531833a416dcf7b847b78d8c10.exe

  • Size

    635KB

  • MD5

    69256e531833a416dcf7b847b78d8c10

  • SHA1

    6474a416074fd6923c9e5a8b19465b6a6b60fc5a

  • SHA256

    7ef40c1bb93c82220bf7a249add169d64d4a4c8b4f1b6fcb28904da8274ae8a1

  • SHA512

    aa4d896166a93c5994283bdb1cc1058dbbd9c9a6c8d5331f178f8565c82d5d64b812a823f7734612fa1ee64297cc02552133b3777a4a2e193226b55da354db3f

  • SSDEEP

    12288:WfjA+q11y6lRyljHViVHMctOitidSG4um411rW6V:C27l4lzYcitidSG4umw1q

Score
10/10
expirobackdoorcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 61 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookAW 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69256e531833a416dcf7b847b78d8c10.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69256e531833a416dcf7b847b78d8c10.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookAW
    PID:4416
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3844
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1440
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:4976
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:3980
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:4516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.0MB

    MD5

    b3cee11b89ab9ba55242674bbf281679

    SHA1

    e713af8d4cb37c7a8060319004b798e464231383

    SHA256

    c7b1ac06391d0a8392dd190e6bd6e4302becfdc0838bca40d2137f8d96f26f68

    SHA512

    a341c35ae61bca6038709a33d734e57b9af75b5aee194af9ccf78732c3ca5f33a86bf63a9817da9e8a57b37268e5ea3736e1cf60938eca3dc811787e5dffce93

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    723KB

    MD5

    56f26a1c4dd607cc25e214e93b798ee8

    SHA1

    68cb1bcb63de7d402c15378a6d68215af1fdeb81

    SHA256

    548d32339f4ee24f50c86b96ed4e30e06f19d428fa45e007cb56d6f52f1c0671

    SHA512

    c5f92b2bd79b08127844f6c8c39430e48d2cb6e1f5b960c0b29e99e7f02aba592b3a74c6ab6732328d24f50a75c4395888bca65caa3d7b24319bc044630ac141

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    740KB

    MD5

    21a29affeb3b738a79e0ad1ee610efd1

    SHA1

    1d66bcb982f15352d28e383a9eb9bb5f769899fd

    SHA256

    d0c7c63313c9a404aca2e99a37ce2d8c1a5ac625539490f6a3d780c1e327b234

    SHA512

    7f57512b66a1f7382026eabbf2bf4b73a9643e580410406645e1fc46dbc1eb995694cdf3d9b3db24892b48bc0d5f078cd2aea82924853f8327660c18dc9758ff

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir
    Filesize

    4.5MB

    MD5

    390f373a200c40c25cbae27545ac256d

    SHA1

    11de4011be4819452b273777d1b556aa8985c430

    SHA256

    553b14d186a1563283ab4bd762c6944b1f1a95508f1db77beaabeeba5cacd38c

    SHA512

    02ae9a129876614f2c7f270d0baea3ccd090cb1de0d61eeb9728dbbb5b7f7eb16e4bf5438188e6c363af6926c39800f3837bb43f936a37c2ed6673c27f368485

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.1MB

    MD5

    26a2b4b9b75877c8131cd87048707643

    SHA1

    97e248bc61e65b8e404e9d052d138a8b22d75b50

    SHA256

    3175257396ead324d41e0984c828a1a2038f8042f4ad3f3442869e8d0d528574

    SHA512

    fc4eb6d734298837b53d865b0f4cc7991315ae4343493899cc31d1f67024f80952cb695211ae87b6db0dae1772aeafb2a4dc692d1f1f5590714abb711418bd1e

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.3MB

    MD5

    86fef35a0477d716949da458a5ca2acd

    SHA1

    1b4f763f775e0818e0e1a7109197b550c8cbd9ae

    SHA256

    4cc7118c063b938886f2dfb892746933d7227a928a28c40f2c45ffbf00d95d14

    SHA512

    1e4c1abd1afca80b334d5d518fa65e6b923965dcca5581d5958261e7d0d4b61c318606154cc1de0e0449dc8fe9bbae21bcb33aaf9e7c34587a8dbcd241494b13

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    923KB

    MD5

    2e1d1e3a487232e1b1a6453d284097bc

    SHA1

    d14d6352048d855ee0a03d2006a2b13ab95b7dcd

    SHA256

    994fc9800cc48255ffe10e6b6d89e16e217ae986f47c4268c1aa7decb0961436

    SHA512

    df2ff810f14d4660e8636f1513606bca6d3f616f23bd25303fc5dcc1634f77104e621656dff035bb8fe813a4c4f16d23068b79a02bd0f8927333a93e94dfa914

    Download Submit

  • C:\Windows\System32\Appvclient.vir
    Filesize

    1.2MB

    MD5

    372b1a5b4c28133cca9e3ac1f3f9e0a0

    SHA1

    f7b6f1525ba3c282d09263863e45b8595912025c

    SHA256

    5b490c2d37f425ac15860df87f1a2a30000cddf0b46620e17ff159a88e9a3daf

    SHA512

    c6866c94767d2f353136922ebc3c1abe0e454a1908002f7decea1095b0c7b86802f4f20d1eb9fecc3165c98eb1ddc93d9e9c150d6e1bf6308353d8edc894cf7f

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    874KB

    MD5

    6265f919af316b2c3337999c5980ff21

    SHA1

    d512dc7f651691e132a33396ff9082b8bb3375b6

    SHA256

    b1c9ad90c0b43a38b9e304601541ee5ccaabf131d7b80df549b2e10a0423aa77

    SHA512

    44f54133e6ae0d5111fe8f4755491c466135392b2215ac66db8104e0bf10685871f8475f46730db09f7e1bec2f6348a79e9823c2f31e0ec60d5b8e915264221b

    Download Submit

  • memory/1440-28-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1440-160-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1440-29-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1440-159-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1440-120-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1440-119-0x0000000140000000-0x0000000140365000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3844-158-0x0000000140000000-0x000000014036E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3844-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3844-118-0x0000000140000000-0x000000014036E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3844-20-0x0000000140000000-0x000000014036E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3980-157-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3980-63-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3980-62-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3980-171-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4416-0-0x0000000001000000-0x00000000011CB000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4416-2-0x0000000001000000-0x00000000011CB000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4416-1-0x0000000001008000-0x0000000001009000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4516-75-0x0000000140000000-0x000000014023C000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4516-177-0x0000000140000000-0x000000014023C000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4976-59-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4976-60-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4976-37-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4976-36-0x0000000140000000-0x0000000140209000-memory.dmp

    Filesize

    2.0MB

    Download