Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...90.exe

windows7-x64

10

JaffaCakes...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2025, 03:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe

  • Size

    674KB

  • MD5

    69ed8d950ab11568faf970c77050ad90

  • SHA1

    94590af7ceeda99dc57e82f8e31c4078e966d530

  • SHA256

    a3a0ad90fa7f0dee991112e3e30a8f48264c6ca2030ca7e8d5da9144936796f7

  • SHA512

    ffa06f77f0707e5ef6a0ec0b85c4166066c7167e9c4a0d5bfed627704a0da308e5316b36c3b9c0cdf1862bc00dbada8006e7b009f5baa557b5311cf3e260f21d

  • SSDEEP

    12288:Io8IJt524U/eCC02cSpVAqA+lOBsuVdC5D/ZLx2KXa84svzvF6TU:Tn524fAWlOYRzaDczt6T

Score
10/10
expirobackdoordiscoveryevasiontrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 59 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Drops file in Windows directory 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69ed8d950ab11568faf970c77050ad90.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3980
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1472
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3648
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:2184
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:3632
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:2388
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:3224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.1MB

    MD5

    98d15296461d2dc7698b8e99c840b881

    SHA1

    91758a0e85c93ca499385e041982b04712434866

    SHA256

    b2f07ec95f287ecb75db7ad358d99fe22f486eede1ea494f470e9c5ff3c463fe

    SHA512

    1a5ceda8fa4265d9d39b368dad6653c9ba16abd7c8a5d614e83ec08672ccf7808b0f877133a56899088c89fed3e74cc21aee393d5d87946bc67eedff345d014e

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    781KB

    MD5

    d068eac7fc60e3fb6f3063fb0564a90a

    SHA1

    7a7dc754b5cfcbdb67bc34952a712038ec58c9a8

    SHA256

    3830ad857c838d493228ad762548c089b9b7ff8198c0bed6aef87511e292ed76

    SHA512

    dacb56a2f92608b511391aa7b421e94eab57f3644ce058d58cbe500f15fd0421f478d03c2ce7c145efeed38d1b56788c81810607b086664535578d16ecd73814

    Download Submit

  • C:\Program Files\7-Zip\ncjookla.tmp
    Filesize

    1.1MB

    MD5

    a6ddedfbf3a2987238c5a3d429505ac1

    SHA1

    1878780667488e5ab70b51f6ab21d131c9098623

    SHA256

    41e630bbcd79bbdaa4db643ebdf394c6c744f2a2aea716ff4292cc8331e6d2a8

    SHA512

    9c54622d44fb67bd991ca62816511d269b775013e4d268166a343eec1837a483e53f4215934c17089a34bb1969f1293feaa96f79611b8b11b8f818d3d38eea2d

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    797KB

    MD5

    4b35e00bc100b47c6c4063f4bac14b51

    SHA1

    d7bec5d164eba6ac21fdaff5f2f9c89240b150ec

    SHA256

    4730c36dbf73063403c996fc7067a70fe87b509d08c2abee5ed160ce5a630796

    SHA512

    19dc16eb1ed014a7a5dfd098eca866cc9aa460665cb9475a766fefd71629a9d4e751410fcda85b9171039b90f197d1870a5c4de9f6ceb0018fec03499a5f9fe1

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.1MB

    MD5

    09379951d2e90abbf7d1d12cddc46117

    SHA1

    d026538cae4617cc9a340d9618efcf5205a8cb8f

    SHA256

    d0d1bf43a94a929d83713f94844169495548e76bc8f5d188be535e8ea6b4ad37

    SHA512

    3e0c5b27e4cbe5a33f1dbc0014fe1f666d1ad9bfdec8dabe03d1fc779b675bbcf5eeb8869dc34acccdae2f656f38875a33ea0529944590fcdda27f8656344b72

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    932KB

    MD5

    67958bf0dc1f5fd8332db0ee897b8c39

    SHA1

    14381baf5e7c75860597c50ef75124f28e60eb95

    SHA256

    5aed964117c1e4f3af75a6c13f0a4b2f42137f96c00aa3433469ee2cf70afad0

    SHA512

    90d0672e17eb58bde6ac95ba9e6d731bb536af2891b6dbedd4fe82ab5186fac73e1ae93311ec34aa59fd1063a2840ca5c7e3b8f213568c7b1aeef6450522aaba

    Download Submit

  • C:\Windows\System32\kaohfbde.tmp
    Filesize

    1.3MB

    MD5

    7f361e9e17abaf09381468b6c5cc04f6

    SHA1

    e86d4241d75937844c4296ecd6b5f2a798923004

    SHA256

    242e19fdd73d95264410da15fdbd92ae6199515a104424d98edc171ea6ddd59d

    SHA512

    95b9ea41e1567ee657d748a5db0d8451fd55bd9b0b223ef36001cdcfe38b0b1c68dac51d45a77212dc9c7580f38ef0c94bc7772fc982762ff878ef432c93f9e7

    Download Submit

  • C:\Windows\servicing\TrustedInstaller.exe
    Filesize

    193KB

    MD5

    805418acd5280e97074bdadca4d95195

    SHA1

    a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

    SHA256

    73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

    SHA512

    630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

    Download Submit

  • \??\c:\program files\windows media player\wmpnetwk.exe
    Filesize

    1.5MB

    MD5

    4b7b8d9c4de64115a99d1f5ca98ee10d

    SHA1

    383f40adb2769ddeaa3f7e67caaa7337e1bfbe9a

    SHA256

    0d4aa0465e6d445cbedd985e6f7b27d5f4b53ac19100706cfaaa894d1edac256

    SHA512

    3e339b53ebed9e2b5d2e6779cf2c1c9bb7fd700ee64803e67f6977cad2d2a87d4b89032a073d393121c0b7fb70a054e79043685cfbbc942f22cc360f353b3bc1

    Download Submit

  • \??\c:\windows\system32\Agentservice.exe
    Filesize

    1.7MB

    MD5

    d7d89aafd194681b79f4fef63ac8496b

    SHA1

    87007694d88771450bf486825036dfb652328f26

    SHA256

    e01bdbbca3e948b12443cf73d4a7d527e2dd01b31f13126bae23e884d3bbac97

    SHA512

    007cfa68e570d15492ebf249907c0c474742c202b74676e96a74b7cb6ce27688e08a8f9a36dd34fc3b21fc42b79345cd9a8d660bba720a4dc9dac156544c9d5f

    Download Submit

  • \??\c:\windows\system32\fxssvc.exe
    Filesize

    1.2MB

    MD5

    7633d9c29a1fa0930e60ea4a45c29bca

    SHA1

    74ab8c250f68cbbbf0e74e93887283459cfd394d

    SHA256

    3febf179e8e462252326fdb79851b16dbccebaf5988f0dc48a718dcf0414f4f6

    SHA512

    46c6761fc2307aa0f57cbdf5c783f56824e0a5396563971c9d211ae97a0d9469d85dcd53cff0bf0b418339cad2cafbb6d05c79391e1272bad6fe10e6164eb982

    Download Submit

  • \??\c:\windows\system32\msdtc.exe
    Filesize

    700KB

    MD5

    3cd7df682f5ee9e9ed3c9d801b4e64ae

    SHA1

    a28cf99e7907461ce2b47985f5e2da65e68968af

    SHA256

    70ac9405870f4d51525b6819af5e6c1d885fdbeab7f93297cfe005914da49c70

    SHA512

    61b9ba7abcd96466a9360acb3b8f3fa42a67f16a3baf50c7096fe8ee010f32e39dd289f1290d575bb9dacdd8ac9daabaa474bb0dffea4511acd17441384ec7e9

    Download Submit

  • \??\c:\windows\system32\msiexec.exe
    Filesize

    623KB

    MD5

    e6ee19745d2b4050818415769add9069

    SHA1

    252034b56169c8a459efc36fd743e132f860d724

    SHA256

    52d5df9c916c0b9fd92972b86729b762d988bf997e91fda9f4a170fbce4d4461

    SHA512

    30250aa37409f59566ea5538577362eabe73f9d9ade64735fd55022801b9913a957fd043dc5b3309be431b08204d4581839832909015e5ebb923a5ee4e1182b2

    Download Submit

  • \??\c:\windows\system32\snmptrap.exe
    Filesize

    572KB

    MD5

    82f0253b0806626b1feebaabc31a9f1f

    SHA1

    0523c602db27aba4e4355da2d97a69b5afddfec7

    SHA256

    fb9344fdc7f15ec887a3888ed3abc1700abe51b61cbf80380cfafca99cbe0afa

    SHA512

    04a9edb577d53e1c5caf50ed2d11c494f54485b18facadf13f4a0111a06b9d7920e6b64817b0580ed905bf397edccce681d477127c62b79e7306580f7070956e

    Download Submit

  • \??\c:\windows\system32\wbengine.exe
    Filesize

    2.1MB

    MD5

    2d1ab002ab725d49ceaa6ef239272cba

    SHA1

    4c4df39f65ef1c71183aba3a50e2084036e491c2

    SHA256

    e1ba358e731aa1f0b9a9a74a62cdb4effe444775449900b5115df3a2479ce13d

    SHA512

    69ae0ce55ba8ccbcc8db5f0e9008d424418e561aeecd95f2975fe4c820d2ef3427395a174a4080c4005de68be9ab17e55777ffeefbd92707e9395aeec64d2fb7

    Download Submit

  • memory/1472-112-0x0000000140000000-0x0000000140418000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1472-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1472-20-0x0000000140000000-0x0000000140418000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2184-55-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2184-36-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2184-56-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2184-37-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2388-70-0x0000000140000000-0x00000001402E6000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2388-124-0x0000000140000000-0x00000001402E6000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3632-123-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/3632-57-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/3648-28-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3648-29-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3648-113-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3980-111-0x0000000100000000-0x0000000100293000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3980-0-0x0000000100000000-0x0000000100293000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3980-2-0x0000000100000000-0x0000000100293000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3980-1-0x0000000100001000-0x0000000100002000-memory.dmp

    Filesize

    4KB

    Download