Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...c0.exe

windows7-x64

10

JaffaCakes...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2025, 12:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe

  • Size

    684KB

  • MD5

    6c846c3f737167948ae219bcc5bf53c0

  • SHA1

    efcea049f211ec2cd9e18048baf2c8f7f730d931

  • SHA256

    d67bc9c954a176b1efd11a61abbb6c4f2ac9d6f1cd16e16246b15f5cef2b4851

  • SHA512

    fc1122f97138bd36708703b0306a646c65950d383f33ca4197eb05a1c56c9f7f23349e2086466ddb278a4aa504198b01b1214bad6b3fb4170e6613b26599559c

  • SSDEEP

    12288:NcBj7B40qvxUrevFtrh7Xj5qS3ZIIOuPZfSVPP9jCW71D5b6pHJ1:NcBj7B4UevFhh7z5qS3QWfgP171tbKHb

Score
10/10
expirobackdoorcredential_accessdiscoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1092
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1980
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3984
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:1656
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:4004
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:4972
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.1MB

    MD5

    ba12d3f5b60e91a4cc414e4cfa2cd31d

    SHA1

    ff78e42cc92628ec367dacde6dd074deafccb66c

    SHA256

    5c2cba6bc9c3e58dfc80bbc60730db6c5bc926b8e84fee42e2edf81eb48e37df

    SHA512

    e354982a62aab6634715e37d10dbef2e7c0e8d695d18074e1c9a31db8f39b5198d8c23111dbe02a066c07f5f90ce258818648170966d23c91f33cc7456df1a20

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    781KB

    MD5

    8cb7ac0ccddfab9bd4d0aaf27edf87b8

    SHA1

    d8afcf655eb7c805938651b5f7d595e556da44df

    SHA256

    a09f5fa75d1a1aed22ec4abcbef5fa9572f9d7c9ab964a4cc082d6747824ed55

    SHA512

    1c4c4a58d2d6c62ce8cb4057fbb8de5fea0e63a0344a6b1a5d044231d3a8f7025881d479c9c6181d2ea2dad51287ce49494aa0e6a5c61ab34a6da515cbeff046

    Download Submit

  • C:\Program Files\7-Zip\7z.exe
    Filesize

    1.1MB

    MD5

    5a5b148618d4ce0e7fc6f486105c3dc1

    SHA1

    821b669c360b83221a3d74a196c706cfd62c9f7b

    SHA256

    71da885b336e88b38037fb34080db980006e817d3421e88c9252030c8cdbebe3

    SHA512

    803b821a2a55a64bec37c26f8a789b66a06bff64104c19b342a8a5ed283ecfb313baf249165295b024efdd214472f43f20689ebf784a0dc60833ea49e3182aa9

    Download Submit

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize

    1.5MB

    MD5

    c60c5e5861dabad3e961688d163ac14f

    SHA1

    a6cfbc3e621e1f454bad19afc711966d007d6396

    SHA256

    f311845cc9eab86d4caf114bd586f4e0253f3e994c24a8e3988e0a6988b46017

    SHA512

    cec029de52a16cddb4d24c2da99e928664d8520c1a4419733cbd306b1c4cbb8632b7b09c78bb92fd0c2fdafb93d027ed7d28d6371246806387fc2ab9bec3600e

    Download Submit

  • C:\Program Files\7-Zip\7zG.exe
    Filesize

    1.2MB

    MD5

    3fb51bd3163c1db47c64bdd024840924

    SHA1

    169dda33a70fd1a213883064928abf3d0909df2b

    SHA256

    af1f9f7edbefdb6e9469344ae800b1fc6830bc21076db8f30a1e863efd728017

    SHA512

    935bf03820aecf1465e53c7ebd2032c32961afe05c75bdbb1d80023721c04cf6b5ec00ae7fc4197ab2b505a679d13baa6acf6e1cc079f2384bd8c43f744667b3

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
    Filesize

    832KB

    MD5

    928f977b5a6f9425aaec5a22164e601e

    SHA1

    b572c6b5cd2f3f1cb1e792caf20bbc0693456afc

    SHA256

    7be5ba5c23669510627e0fd6ef8189a1a13d7d989ac1712f42f47eba54c6f01a

    SHA512

    75ebc6ddbc6eec39f3f29b032ecf5cceac341d8fea65c559148c63a3e120973318889b59bd31b81762b41f80fda8c73e5a35c8673b76541f043c94e25a336cc6

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
    Filesize

    4.6MB

    MD5

    636ca19a8af75e1f9326d4bd2118df08

    SHA1

    1636eb4b7deb3ada513b619fb93b8dad364f6a5c

    SHA256

    1631a8f52d01a62adc8c3f59d0cc19f7ae1749b32f2661b06cb6efaded79a484

    SHA512

    c0d1f36c94c36ca3cbcf93c795310ec0e8e758886b49a0359278c9a782e0147d9154bedd77bf1a8c8e70175ddbee237274f44c7e63a4b4fbda0c6bb5b5947db3

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
    Filesize

    898KB

    MD5

    faca1c47089afd98ff06c36e0a5b15e0

    SHA1

    00cf42a3a3760d3844f3953278846a50cf60072b

    SHA256

    1f45d6129da5b6a5ae49d3ec6cbc56b7022b82cf4dddb64208f9f9720720a6ac

    SHA512

    c6b03917b688b7ebb61d6df9c652bb2e4875a00d282363dbbbabec0cb51274969895f5f46be78a333334a06f9d1bd59be3a41725cebd7a89b816713a3eed366a

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    Filesize

    24.0MB

    MD5

    6a519564b10f7936b9eb41341ef545ed

    SHA1

    822bce116c8ccaedeac63bd98a97ddbf6c375f08

    SHA256

    5044457983c503ff1d554fc79ee7b4c850b79ff4e224480bb68e52dbd5c3f382

    SHA512

    d54bf6dee696cb5105241e5ebe6bb2a058e263d0e1b793fc00d25fbe354c2eab10073a42b082e3bd56eb6d15624304b74d22e2737aca27e7b7c13a03f887e896

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
    Filesize

    2.7MB

    MD5

    b4e64dbd34141fb5ee1e0ff902500996

    SHA1

    62a30f5d449d81065cc9bbf216edd42598589a8c

    SHA256

    b17f093eb95a2ce5e0fbb6636d75b88290f71710a16ca0ca094b1396790febed

    SHA512

    92280511bac66b638a9c4127bcf280b852e269dbbc4de9b23a88462ef2509a4bffc03665347e1d890fae7dcbc3c69995a6bd85961f51d8a9bdc2b6c6ad051a88

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    797KB

    MD5

    7ff3236febf0038791403416654a7671

    SHA1

    196da08366bd66f8eb911cbb676e18e7f06be563

    SHA256

    9e794db2e3394e129080761f9eae5a8a1fcac2e44fa8d93fec4bebe76b884034

    SHA512

    54281bdf0e64b0c5cc27230825a37e9e6811027911c3c07ec5458fc60d64b857d05519a642f2123e681bce72db121df530881327a4d8d84b08de33e5fb38bb1f

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp
    Filesize

    4.6MB

    MD5

    986f28fc0463d7bf3e17ea7fc422f0ba

    SHA1

    05bfe6149435308cb9c27ebe80b2b3d29eee5efb

    SHA256

    c7c90b7916fd04b5c9f176390fe9addacbd6b95dc76d395dc94027b25977fc53

    SHA512

    ea54fd1b7ede5354bb9a472c76a0431a2af03e5424e667c19a91ac73e5111da611bb17fd4786b863c0e43d782ea1d95d944986e1fe647e593b65be118279028e

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.1MB

    MD5

    7187c0f361a559499f310f992e7add1d

    SHA1

    c237dafed8a1ddaf00b4544bb14e26b52f413f36

    SHA256

    061808bf7781346d003e39f682f2de467f13afc803ccdea4b12984ae9953b155

    SHA512

    e3402afc8214d2dcd62d4684b34fa2bcb3e3932869a9c220bf5208ebfb4eb0dd69dd4b0d9241e5f992f6cb6c3e49bd8e609fcff0064ea97508130f2cda5290d1

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.3MB

    MD5

    5cba7d88bab6b99edb86a26dbb2bcbff

    SHA1

    8abca1c01e7abe9bf68ac4426f2554a6b1713815

    SHA256

    71a2ed98fe4f23e80a890cb42b18694c8d7333172a8d0345246b929454f779fd

    SHA512

    4c1f5a08c6922187abaed826583918f5d9d66318fade87670f745894978b20f1fd0c9b2efc09f824ca24599445c4c0b01615a887f341d239409af739c95d0b42

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    978KB

    MD5

    6af6b61ebb9fab14292025297291872d

    SHA1

    4cbefdbdf72a55ff734a104e19191d19b50c91d2

    SHA256

    058bcc39f8e7942761aaf19fe27ce1f75fec716a2e9011965ab048296423aca1

    SHA512

    1959d7b9105e7b471c26ae6a736d529b75998b44a495fba6955ba4db0dd482002f8f467b13da238970bafb0e94b3f54d8a0927c2219573c64e1f44b482807303

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    932KB

    MD5

    efdfa02525053449f417ec098aa4c72b

    SHA1

    0d1402b371569620f0e55f0a9a9c650f006bf5fa

    SHA256

    9203218677644682c36342d334fa8eb9fcff084a8b2d866783a68c089f2b2b1e

    SHA512

    d322674a242b91ba1f07b4cc10660b132afffc307c8178f7161e7a88f8ff58be5606ba1f8ab6f5d1c5c051a15d4d1aa5f75b76bbf4f798ba6c7954c9c89066d9

    Download Submit

  • C:\Windows\System32\hhfbcimj.tmp
    Filesize

    1.3MB

    MD5

    5f1335ecf766c77fa8c5d0b4d691b95e

    SHA1

    69ae7ae10df05a21920568303fab9534ecc7f756

    SHA256

    3b12cb1dc5c86081218d54fdf7f61b2d2ab3e5b448043e472acf5d52ea211f98

    SHA512

    8930a3cbb94c1ca010fa6e53746f2a43f686f066026f80c1c68e66a4d679d12259c3c8b9d43825bfaf021a068c6daa9c0f40512d00916e43cc834200c5e40a44

    Download Submit

  • C:\Windows\servicing\TrustedInstaller.exe
    Filesize

    193KB

    MD5

    805418acd5280e97074bdadca4d95195

    SHA1

    a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

    SHA256

    73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

    SHA512

    630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

    Download Submit

  • \??\c:\program files\windows media player\wmpnetwk.exe
    Filesize

    1.5MB

    MD5

    b66ab57322d050b3921a6dd5fd7e09de

    SHA1

    4c47c1e3505e7c076c66e7d0d1c05cf52e7d6c07

    SHA256

    64e456edff39f0d53de141c048dbfc931b07bde7b5ea2e2c693b4217c53c270e

    SHA512

    dacf5a7310f077027a7d66e297260ef989732c5995338ed1fca6ce8bc0c45bbe622db53056c992670ede17e9571092327b86c499c35e46bd7b46cbcdd2426ff9

    Download Submit

  • \??\c:\windows\system32\Agentservice.exe
    Filesize

    1.7MB

    MD5

    5293c46ac8a34561220e9fa5bba70f89

    SHA1

    4534ba7e910fca7c98e3a09d41b82c0f2cbd18c2

    SHA256

    a93aade99aaaecd2e250ad7d51c47542d33f3dbbe4bd5bf67fdcc2d8982304f2

    SHA512

    4f140057b0cb49af3e759e7c9fcb7f3cc603db8f314d6cb758ed415a8eb7747b374271567190f89a6ce2222b7af3d7f6981d2dc605d84b16d7ed1e601c727216

    Download Submit

  • \??\c:\windows\system32\fxssvc.exe
    Filesize

    1.2MB

    MD5

    779004fb341f3145c58d0a4d7437b89a

    SHA1

    4d17981f6da493c10a12910968b0a94b3f101f62

    SHA256

    7afb36f4581d1e4dfdc779514d1388d03f755f8e2fadeb38a864f636c9ec8728

    SHA512

    73f76cc729b71282c00f759cf223fa03fd3f14016f9b90e8055295549af664dd971765a3c6792bec756c2a5574c609619f931a5c918342b7da8a5b863927c6ac

    Download Submit

  • \??\c:\windows\system32\msdtc.exe
    Filesize

    700KB

    MD5

    e1c9749595f1d4d37771e67fcc0093f3

    SHA1

    03cd521662d12f2f575c622bd0d6c9fe7ae17037

    SHA256

    1caccfac60e2d18afa7a2720c25f448b3e8df29fb01697bc105d47ed7843f80f

    SHA512

    2327847d3cbe6fba078dbc7551132140e0c595e66e3a4b219186959aae76e0a88d31c9bee3a9d8aa52e13f0d50e17e49a51f7f92972030b384afa1ac132d69dc

    Download Submit

  • \??\c:\windows\system32\msiexec.exe
    Filesize

    623KB

    MD5

    f538961673523b94867890a1bba972e2

    SHA1

    835c0e5bb6eceb72212b494b2104d8e2eab89d73

    SHA256

    267c7cb658da8652da6c04b604b205bafbdbcae0f5f689e03bbd014ee15b6534

    SHA512

    82fd2d2848ab417e13be6e215e48d58966a0ea0cee177a9480372103fc7045d8075e5718744fe4b9f7808cc6d49bae9591d0a763b8419bf09a70bce0eceb1fac

    Download Submit

  • \??\c:\windows\system32\snmptrap.exe
    Filesize

    572KB

    MD5

    48d0427451c735eb17860bd58ba17537

    SHA1

    95b2ec79c81a863ee8e6a0cb02bf7c74f0cc1ea7

    SHA256

    fd2e248391b6bb0860b4ba6de3e4c2d42013414796d9c2d19ec34a960a19b476

    SHA512

    4a8c11736263e475eec5db34ef0420cd1924af8131357bf100027dd930ab3b2dc1b60ea8f247e1b8b54562de5bb31befffe874ed394b725ca191bf4d505806c5

    Download Submit

  • \??\c:\windows\system32\wbengine.exe
    Filesize

    2.1MB

    MD5

    d7b059b6189da9641b82f4944df09bce

    SHA1

    68700be5703ee0751cf5ac6a07a671f6a7390009

    SHA256

    294586c35286b6b232b25b1501efbb97a0864b51671fac6fadde85aedadcf747

    SHA512

    f83f633327bac1fc7fceb6579deb5e08cb213e4edc8175b4bd823ee6f86c891be2cf1ed6652930059b5526f4616427ba4823a4514c0645d951ae2db14e6e8b1d

    Download Submit

  • memory/1092-0-0x0000000000400000-0x0000000000668000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1092-1-0x0000000000402000-0x0000000000403000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1092-2-0x0000000000400000-0x0000000000668000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1656-52-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1656-61-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1656-36-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1980-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1980-20-0x0000000140000000-0x0000000140418000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1980-111-0x0000000140000000-0x0000000140418000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3984-29-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3984-28-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3984-112-0x0000000140000000-0x000000014040F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4004-164-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4004-60-0x0000000140000000-0x00000001402B3000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4972-175-0x0000000140000000-0x00000001402E6000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/4972-74-0x0000000140000000-0x00000001402E6000-memory.dmp

    Filesize

    2.9MB

    Download