expiro | 41bd9b5145a70dc920a7da9acd00522787a3a35ab5152756040f463d4c4e6695

General

Target

JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
Size

883KB
MD5

6944912b96155c2c7c19cc7d1b1f4c00
SHA1

ed75d65f2a0a37c7252d35a6fe6c241c63540da3
SHA256

41bd9b5145a70dc920a7da9acd00522787a3a35ab5152756040f463d4c4e6695
SHA512

b70615e81dd1219760233deddec6795f72ea393d3fa61435388046494b3be667861ad117aa2d86fbeaa460874528ef89fb77d24aa27edb8fdba1f9d683325e93
SSDEEP

24576:VDkjbaqfrV8t+CTuxc637p29VcJzN+xICJz9OEk4:VCXf4rT297pJJ8NJAl

Score

10^/10

expiro backdoor discovery

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2140-7-0x0000000000400000-0x0000000000614000-memory.dmp	family_expiro1
behavioral1/memory/592-36-0x0000000010000000-0x00000000101D6000-memory.dmp	family_expiro1
behavioral1/memory/2140-49-0x0000000000400000-0x0000000000614000-memory.dmp	family_expiro1

Executes dropped EXE 3 IoCs

pid	Process
592	mscorsvw.exe
476	Process not Found
2808	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
476	Process not Found

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File created	\??\c:\windows\system32\filllnbb.tmp	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File created	\??\c:\windows\SysWOW64\bbkefppb.tmp	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\bmdbbble.tmp	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File created	C:\Windows\_bmp23_.bm_	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\elompghc.tmp	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\oehlkajl.tmp	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2140	JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6944912b96155c2c7c19cc7d1b1f4c00.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:592

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
ad15a45ce1d217bda63335fffb76dea5

SHA1
67652451e0dfed61bb79b0d85ad1f3fb5f8d7696

SHA256
c34a595224d35dc7cfdc3225c1792c9a0a7e5a6dab2a445e75f75ed8365d0a09

SHA512
3a3acd320045a47bc90bd9058a18569df180feb8e5ca1cc6bec9b333347b9030055907abe13a31b2b4d3ae28849481ba2d2536481225c63bd2fd4e1edb0a1d96

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
641KB

MD5
5ffd3e037ae261736a072beb5b9efa19

SHA1
fda9cda71e26180d183661b02a06a9148ee06c60

SHA256
a5f63ea5f41a9a90e5476a7cce0b348d3c70c0234fc1c6508023d301f7c09c6d

SHA512
0b6bbf638469016f22c1cf31d338a451dee8f079806bf1fa1b65b4d56d093e8a286338b8f327e5f29d1dde9c88b64e606aa788d80e4feb97d7625b7ccf89bb32

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4d610935a6aa0b10d6169aecc471afe7

SHA1
4c69bd11a58a9344669a8e2a8c32cd2bde2d34fb

SHA256
54cc7fa2d76a7dfa8bff9452acc0cfc95e8a152b89a51b14dbdf262590e9a59f

SHA512
17e326f79499c2ef8c77aa51af075fe5c8495de13a6e3a303123c9deeada975186ebcf755e01bedaecbb50e8d96881318fb01f566d1b9e07f38b9855d0bef0ee

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
664KB

MD5
28d25226ceaf7b086552a484b877949b

SHA1
9b9ab2cb494f0b01d4b648cea82dac1a0206524e

SHA256
fc84f887087c165733da0e901ee3d59089c61b3a8c99fa4da4aeaa1a9de64d57

SHA512
b4d423bc5fb4761d70fd57e0a7a881c2636ba664653d32319cb46cb49e0ddfa6498434d5005211126172dda56b8d2abbbbf93bf5698dda0543ee5ff2d5388738

Download Submit
memory/592-28-0x0000000010000000-0x00000000101D6000-memory.dmp

Filesize
1.8MB

Download
memory/592-29-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/592-36-0x0000000010000000-0x00000000101D6000-memory.dmp

Filesize
1.8MB

Download
memory/2140-0-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2140-8-0x0000000001320000-0x0000000001534000-memory.dmp

Filesize
2.1MB

Download
memory/2140-7-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2140-3-0x0000000001320000-0x0000000001534000-memory.dmp

Filesize
2.1MB

Download
memory/2140-9-0x0000000001320000-0x0000000001534000-memory.dmp

Filesize
2.1MB

Download
memory/2140-2-0x0000000001320000-0x0000000001534000-memory.dmp

Filesize
2.1MB

Download
memory/2140-49-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2140-1-0x0000000001320000-0x0000000001534000-memory.dmp

Filesize
2.1MB

Download
memory/2808-44-0x0000000010000000-0x000000001020B000-memory.dmp

Filesize
2.0MB

Download
memory/2808-45-0x0000000010000000-0x000000001020B000-memory.dmp

Filesize
2.0MB

Download
memory/2808-53-0x0000000010000000-0x000000001020B000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing