expiro | 7a2f7b0ea747b6d3d8aff4cd3ffc73f1b96eb177b54c97528dfafa72a71a2941

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
Size

635KB
MD5

6ca5505f322f8c6759c5e891d2bd3ec2
SHA1

0fe3f7104b39f4ba8d83cc061b6a72daa6600e55
SHA256

7a2f7b0ea747b6d3d8aff4cd3ffc73f1b96eb177b54c97528dfafa72a71a2941
SHA512

177a63d3b74add8b5be5428dc16bbfeb267ac3199f489745c1cb2a928402c0407c543a6afb07c1eb936ce1c96bef9b279144a0954f4a7c9ee6d38698384d8263
SSDEEP

12288:7fjA+bhgvqBsC9SMNako58dEZNeaf9CuAhdX/nomc2zmEGTaQ:TXyusC9SYvo5xG7iVTa

Score

10^/10

expiro backdoor credential_access discovery spyware stealer

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/2808-2-0x0000000001000000-0x00000000011CB000-memory.dmp	family_expiro1

Executes dropped EXE 6 IoCs

pid	Process
1500	elevation_service.exe
4712	elevation_service.exe
1836	maintenanceservice.exe
3036	OSE.EXE
4944	ssh-agent.exe
4248	TrustedInstaller.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\R:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\X:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\E:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\I:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\O:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\S:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\V:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\W:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\G:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\H:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\K:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\N:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\U:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\J:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\L:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\P:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened (read-only)	\??\T:	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\Appvclient.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\Agentservice.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\windows\system32\openssh\ssh-agent.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File created	C:\Program Files\7-Zip\7zFM.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.vir	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2808	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

Suspicious use of SetWindowsHookAW 1 IoCs

pid	Process
2808	JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca5505f322f8c6759c5e891d2bd3ec2.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
PID:2808

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4712

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.0MB

MD5
20df672055e76ff294562fedaf805027

SHA1
6e7e8d6322b8e0aa08c8735c6cdf3609de18c41a

SHA256
697bf9e83a50c8b801a7ba0bef1559d5d06027de29aa53f1f5f31e8ccb694c84

SHA512
aace4cd4fab2eff4e875c69edce72f9b103448f7400f16758b4b0b4a04c17b1dde9a605e90e79ae5934aa02b7e2816103e3b87cb4fd4e347270a5fc3df3fedbe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
723KB

MD5
30e6438891265cf5e38cae8d22978f0c

SHA1
54275ee54443c382dedf0896bf05b582f41f2cba

SHA256
812d3daa8906e7ba4ee24c602adfffccf6f7417ea55eed808645b283cf0cd3e0

SHA512
b14789f320cb5e12a7d2dc5a4d98e241c5666bfdc1eb6a9258ef77cf0e569b4b838aabd08222da862197ecf1f12cb0c47a6b35921592200b45e59b4c0b541be5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
740KB

MD5
784b6483b4324f2cd7a51bb383dbe135

SHA1
830294d533b5308ab301b55a4a83a6f5126c9067

SHA256
1e3bc4a96fd041687e04e60602d6562d73a9ca21e5e9e341d558b3272ef27dd3

SHA512
2beca346475aaa87995fc22d12b7defc3055eba7bb65893d3b46902af51dda535f48a420cdc4ff9950624001bd0057cf73d1ffc8935fa8f458ce25e5969a702f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir

Filesize
4.5MB

MD5
797d2c557ee29384fb1d1db28d47fac1

SHA1
5dd6ef10b0061aa9949b32af2aa8196ee787e21e

SHA256
36fb8b4f3c7d20f512a6abaa6caae53514275955d6d674ed4c355d4239621386

SHA512
3e71a8b9ed6a02db795d6ef0e347363b3b6f9d86f2a65d0ccf9119427853a6254c207c332b09bb0054e6be11560bb3516cd1b71e419191e060444445777d999c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
5fe3d424363a257c30fc672fd72baf40

SHA1
fcb8dbd9064426f6f969930184056ae226546350

SHA256
273093ff530ddb3f251783b417c908e6025a30d46e5e84672e3c877e3a6f3100

SHA512
78a329a0a09e9a5e2120b121ce0bdc342a0b1e62ca1554143772a57975918cd08017bbdb722efd17ae07671031c4666ecada22b3e3f4d0de7b250e041507084e

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
a5bb17c9340f94d73497ec8befdb9fd4

SHA1
2201dc51e115093912980be93827fbbe5b299c4a

SHA256
988dbdce39ae695495e7c3395dfd46b6254a8ef02fe62655a6c032c58829e3a1

SHA512
bb1cf509891e966b7063ba5706190f8a08dcaf8b4e6e496c66e1594cb61daab73dfbe07225da57b9a99a2fde560294ef36c3fec2809d776bf20b800fe823a3b0

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
923KB

MD5
198d408f371b6723ca27aba9904e319a

SHA1
2cb4e6219f096d6bc9097970472e0ad5ac8268f6

SHA256
c743fe8f3d154f653a3d2af5f04e90e86bd499ad981727626a04d49706d1cc87

SHA512
2c8594097f9c494cbb0b445fe03a2cc6168d04f0a2d60c0db8f88fd4ee745d0df53ba86a9ae68ff20949e4fc361cb209163a583ce4acf48d2d6970c079296914

Download Submit
C:\Windows\System32\Appvclient.vir

Filesize
1.2MB

MD5
1b65c560a3947108450f4fe0ff3309a0

SHA1
6d72ead0a90d454f22ab9e421c17c1251afd4485

SHA256
d3e105b8b89a6fd7fb315c7d4de23efb3d0cda48d293ad2740185637fe5fd188

SHA512
7478ad6763425efd919be83d31090501e76ae22c8c87967af866eceb5a4f40e2c702c3bc68bf7fcab6032a9c724296797ebd884b40277ec5526376b214cf7472

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
874KB

MD5
dd94cec22fd61bd29c96e10046bdd7fd

SHA1
2f2caf0414c10836ef7afaae547dd0555384f5e9

SHA256
0792cda06683bed71ff90222eedbcae774c5d5b72ce275499c6f7ae55fa3fe26

SHA512
77a53d4ddd7f37f0d1d645f8e07c691ac89c84636988eccbc9e859df22e4e150ebddbd9b1ddb9cf049c58529f779cfdbd3043ffc4e6eb32fc25d32ba75af7208

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
memory/1500-20-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/1500-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

Filesize
4KB

Download
memory/1500-117-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/1500-137-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/1836-36-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1836-37-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1836-60-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2808-0-0x0000000001000000-0x00000000011CB000-memory.dmp

Filesize
1.8MB

Download
memory/2808-2-0x0000000001000000-0x00000000011CB000-memory.dmp

Filesize
1.8MB

Download
memory/2808-1-0x0000000001008000-0x0000000001009000-memory.dmp

Filesize
4KB

Download
memory/3036-62-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3036-131-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3036-150-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3036-151-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3036-61-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4712-118-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/4712-119-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/4712-143-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/4712-144-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/4712-29-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/4712-28-0x0000000140000000-0x0000000140365000-memory.dmp

Filesize
3.4MB

Download
memory/4944-75-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/4944-152-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download