expiro | 5919b3301c691a4f85cd72e1bff979c6bff321e3b3a34ef960ec732ad13c5492

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
Size

628KB
MD5

6eac0c2f52faa502f81dc57a054bb460
SHA1

7df9b2a9b86a77e805c47d74ccb9aed6a800ba7a
SHA256

5919b3301c691a4f85cd72e1bff979c6bff321e3b3a34ef960ec732ad13c5492
SHA512

db04a7d36ae782e78e45b57da7c8167bd08962ddb1b7a69c410cf8d62a73d78716f14dfeccc0f4c66cc363cfd6a23120a4e87eb91027f2ab3facab815a7271f9
SSDEEP

12288:HWph2x7BblnwG8zSv+9v/+4+/4900eLuRalXMj2QGSSNwROFVfciggimlhrkhml:HWX29bnwGoH/+4MD0eLuYlZQGSS2ROF7

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/2104-11-0x0000000001000000-0x000000000125B000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
3908	elevation_service.exe
5000	elevation_service.exe
2208	maintenanceservice.exe
3688	OSE.EXE
388	ssh-agent.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3350944739-639801879-157714471-1000	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3350944739-639801879-157714471-1000\EnableNotifications = "0"	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\N:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\R:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\G:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\U:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\M:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\P:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\I:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\T:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\E:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\K:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\W:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\J:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\S:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\V:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\H:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\O:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\X:	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\K:	elevation_service.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\dlillhni.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\alg.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\jphmhqjo.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\hhopknae.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\SysWOW64\inoacenl.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\openssh\jlnmimhe.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\pnopdcff.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	elevation_service.exe
File created	\??\c:\windows\system32\pnejbdmg.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\windows\system32\nnbfnmff.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\nhpmqooo.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\ghdhglfd.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gnciljmn.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\fhmdllan.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\jiianoje.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\aneiiahc.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\iibndipn.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\ocdkodgd.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kefbfhkg.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\poeojoof.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ofbhkgdg.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	\??\c:\program files\windows media player\hdbmlnif.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kcmhlgnd.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\chlmfebj.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Microsoft Office\root\Client\icfmlqcp.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jre-1.8\bin\giiiomdg.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\acdacdcn.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jre-1.8\bin\fcmpdicp.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\onakajab.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hjbnmekf.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jre-1.8\bin\ebbgqipl.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\dotnet\gakpqfhp.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jeoonppk.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File created	C:\Program Files\Java\jdk-1.8\bin\phgiobhi.tmp	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	elevation_service.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe
3908	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2104	JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
Token: SeTakeOwnershipPrivilege	3908	elevation_service.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6eac0c2f52faa502f81dc57a054bb460.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5000

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c36304990159cda338fd2244bea0bd71

SHA1
a5997fa9295236cec47e7ff666246ce22e70aedd

SHA256
a316b7326a99db31005bb7fbc9feee5359063f86dcdfef1528e12d907c5e5215

SHA512
a5c8d16a9016c39c871b34a9e36e736e376769de8cc0ffb756b0b79e21f66c24478bb5a5eb40201b6976ced7146c4629e8fddc3549e78b4ee1f02a77f94faef2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
399836314a3909b2e06e8cf0e41e0260

SHA1
b79d2dcff5ce1e58466270a03c3e1dccc96fffa8

SHA256
fe8c79f0937af1cb6dd7673ba74b7fc891eb212db727d698cf9dbb5277013530

SHA512
a0f907dd1fcc5d1ba8637df3c1861a02ef303247ca5b5619d474c4c2238b22c6da30a373db644371c3233a8090ac9b0ff065f75b7cd291cd4a376bd172ff3c0a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
124200db73cad8b82f4f440098cc03d5

SHA1
2d3610a10cca6cc4165721cb7bf2f94ef2d4b77f

SHA256
efaf7e0525ed086bca8fd6c9c3b5eaf2458fbc2d26d196e9089f9386cfb78b7f

SHA512
95a01953771e74f486166a869eaa373c7b7f474d96fd8e6473bb15125bf1bf2ddc66a6d5fa387d8c1e31bde36f23d93596608253fced51eabed1d9e8823723f6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4ffbeac6b749c15e94b0f3e721c7a571

SHA1
752653e6c917aede5d17debe5af4941437f68507

SHA256
ee801dbeb194a8148e7eea074a13de4efcda085b9068ee9e67f460eaa2337a26

SHA512
e3f5430c0596a8c63cb3143025f640cf7c78635294eabb9d7fe8f75c4745eec911a6f18a516dd574783add6ba534373260c6bb5a773e80773c7dd2e1cc5969d2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8d2fc5c11cbbc453e9a68dae54feb751

SHA1
740f41efecf0da55f0f4fc00aaf761a903ba8125

SHA256
240ebf19687dda203b99cc322ebc86ed628e04e69442c81499ecaafebb3d77ae

SHA512
f806d6f55b4b006905eb3564edf913c0185b56a30f36395b8be6c22a5c5948ebff9cfc027fc95325d0bacecb9d015b0e41e8d279a3046b7615e1f6e96f6993d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
832KB

MD5
0ef8290fd1800bc3e95488d5352fa8a0

SHA1
ef11ba6a127c8b8eddb3aa1d823a2feed7622023

SHA256
54ab637f70ffad0a4683a313ee2fb801f180939ed8866cc67fd699dbd6be65ce

SHA512
5bb615b76638e0a8669dcfe83a8549c95685e85a4ac9d44df21d83dae8a34f5f8ada550360c926ce0d8e3c650489de0d21bff861659cb5e0169362f5373c5471

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6d15fae03fdca371c0ed534820a65627

SHA1
3164c13edd143db2d18524f76d42ca89fd6ecae0

SHA256
8fb1f941c60803f69492d31e30f9f8dc17a47a02942abe7d1ee3ea88fa417f44

SHA512
870ee20306d24a48f58d04c0b9ab186041f6037fcf2953c2473a0888b91b6af8cb21e03c44bb71a9f361d44af71085d4461d1afbd1e7123cc35b3571e752402b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
b3fc64cb43b8bb463d36445b36c5441a

SHA1
9fd1066f05d8bb245e73470e6a0face20622439c

SHA256
e9e21164c5d7bb7ad57554774f566b14d293b83f9388a31cdccdbacfbc538a91

SHA512
99c4125905843fd941d46a4ed7023e479ed6a17154a3c20eac823f85b54677aa60094203e030911515c2154f076c5f31b0e7f2a6fe0d5a5598cecb57ce627f3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bb786180eeafbc937356e7685f5c31f0

SHA1
615d6dae93066e170fb8ee88d9da2909ff22c550

SHA256
d42cde60dc4f357a0f8a0f2e0411f4864579562b301b9f6ff36ea9ceea03cdae

SHA512
528c9c0ba6c25463afb5c7699423bd70df7747a3549416248f397ca7fdacecc0eddffa5365ed908bc326a8065a4245116c7f13fe3e44f39a3e88eff043ccdba8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5c4b07ae087dfcb50bc44691b041c5bd

SHA1
22d0ee2a49874e54524c610e384d9464018c5f34

SHA256
9e63ee21f16ca637edef4d6e7e0e297999b0b0fdbc8c499c0f5c08b752c075ea

SHA512
2f860e06abfdb27052cab89b4105812ed674e7ff3dddd6044dc1d0fa8747885e0cc79898a02b55e8baef295a57b2f3fccccbacb89995aa3353a74c1004f34eb2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
797KB

MD5
77c86815ec1d5a05691d2b2f2aae11be

SHA1
f0c06e2bf3b95616e02ca0c2d8ac535f8e2133b0

SHA256
1eac3ebe223098ac698323db4f44c6403bb9599ab70c1a0b1bde1d286ea1a090

SHA512
0121aa9cbd7c67ecba177712760982ceb681926134309f6dc1bded1f2fc227f0d784540a1ee5148cc6226d39fea28ac2e431fdbbe0ebbc84c6ee707d05b38923

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp

Filesize
4.6MB

MD5
3192e58622f4c0359aeeff2048f12fc8

SHA1
938bcdde06636225dd1e8eb67f567516248e4c54

SHA256
cf37b5a17b53908f2163fba599aa2a521b37ba414e1013e3d06c14ff43a1d914

SHA512
37b2781f10529a86c4e8ffc0ea2582ab40c95492eac13ee1ebe7bd1453396d87e3d2c6cad3a1efda9975fa7817ef9a963c43041ecbf6a8717eac8053f375b939

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
98d81640025fa927ab10bb78f961ccd1

SHA1
2893e34cb84752bd0840d8fdfae3920ca50e0fe2

SHA256
975988ab7decf4c9729628ff8f27d8177393448cc3f51c1e662abe305a26ade8

SHA512
52dd0b0e870f62354249037432dd8976304b3383da847ba5442bc36c9765f60a7499f4a8d70b5d0c3ef96574fd8333337ddeaf59d6917eeb432cf937498cca81

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
1a49d23fe612176a38cbf774846cf75b

SHA1
32a738d93ea8c71edfd62f26c7dbf786d2e56c53

SHA256
2dd94d17f7e7243a9e36a3fd353deb310db265e4aa26109e642873607b2365b6

SHA512
a8c7fe6389bfd9fcf7898167629cb78a80f62d9a5a7bcaf767231c712f0d5087d08753dc4506751de024e1504cbbfa17faa5ff79d2de7bbe00922d4e82a9e6e6

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
978KB

MD5
993e43b20d4d384bad51aa895e68a66b

SHA1
376c50c61c28b5fd70757d75793cc1ce866bde46

SHA256
d33940b2cce777856c4bb0ec48e96f30a7015c9f62f76b86ab9ab4886747ec70

SHA512
88e55a819f4b118951517da5e8f44006000dd27e0b6ec5b56437dca4bb3b8c5c5597baff9a172bcc396baa2bddc3231fdfde24921e3bf3f5647c0f14bb08f3fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
5fb79c415333f4fa29a081a15568861f

SHA1
f01c351759de1e6f733c818a60d1f07160b8b63c

SHA256
6e81ebd66f1dff99e6a931d111d0fa7ffb7e9c09a33e14d5057463039b1bafc6

SHA512
94de25ca12b143f0c05ad6becd9c63d67eb3993d766cf9dc28c7776fa03f4dfa32d9975b61995467a62bab71125acb1d8acb7c48cce81beadc45170e6710b553

Download Submit
C:\Windows\System32\jphmhqjo.tmp

Filesize
1.3MB

MD5
2fc2dcdc900c4d40edf5f4c48ca7eeac

SHA1
3c9e6791ce611bc303633533ca9973d22603ba5b

SHA256
544748638d182c9651ed918c961fd887ddf50800c79dd9f2596c6724ee90ed40

SHA512
104e1c30ead5886b68b15c3eaea6226423269f484cd0616995b130645aea1dc3b8870f1d8ff1d04a9abf749d2a0865062491087e14620fa1c9b1f13365e0d957

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
9e56d19c65d9b3c67dbd9f2307c24eb9

SHA1
e79929976bb0a404c0fbc539ae237151ec1a29ba

SHA256
007f7d91f4c52f5a82df06a25ff4c307bbf4e44e2b2919c90054d30b47d13aa9

SHA512
5ba5536bbede9f9e3fc2ebee3c9e736278a5b2524c98ef69f497450eed5e7c2db03ff0fb55ffe84f2ffc423c14aeb10a5c6fdb0b1cd308963d5f867862bf498a

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
871fd9889390517936a46ff64dde8e0d

SHA1
3045fe97e2b9f124616dd5a47821bd04c19ab815

SHA256
62556db7cc1aeac3c0f9252482062957b2c7cf9c77ba4596710c14ce52405edc

SHA512
b80010e3285d2975894c21133d72830f0d7541bc395a84510dab9efe741b20ae89f599ee53c6a6a4f6cf89322db606effcc70d86f23463cb43c1e9c6187d7aa7

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
179215087a80a446e3f5b987187c3078

SHA1
4b650edc6d8446e31b07b864f0a72edf43f64fba

SHA256
78a19258153aa6ed66dc9cdd22aa69194ef69aab331e0ccd77c0015f6424f816

SHA512
7d8039043b25bedfe286551e00d6d78c96815f7f3f662b55b8cd0b26a162cf2343197b91d51fb825f31a7136ef0a699eb2d92ec078991c9c4c989eec0ab46389

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
f9f34d4febc0693152e5e2c32853a2f1

SHA1
7a91e39a93e6873f32498c2abdaf6088f7699bb6

SHA256
a950aee9d67923eb99f5815bebf02a1b77987f8a9e9a76c920737ce5467fe4a7

SHA512
afe2a9253bad7c5905996755a9b786966fda7d477afa8e01210962a83e87919079af027b80867022e90900572bacd903e4235871c6eb026758bf54981b5cd9f4

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
d70118061738ae9b793d966b5a65eef5

SHA1
871544e64768fbe421422651d85753dfed0c30e6

SHA256
a4f2158831f848919737426a4bbb4524ab2a332e9f957be00a0ddb675ced18e6

SHA512
81c461f64ac6e872940e99a453459ccf21712046c25131475da410ce63761223b8eb4426969cb2534d0e37f2e9b0440236ee980aef9af97368a8fd0a92a44ba1

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
00d7a4d12793c915baee1f55eee41a9f

SHA1
2e42ab0ffac5cf08b036025c27b2993b499971d2

SHA256
4e443a8e988274f6f64b52a4a4d9dbd80e6b229c444a01b427d78a10b2be4ae0

SHA512
3f9dee82641e041a0e58b5e226451d837370817b107beefb53533b064abc36839c94590d32e5fa2dc490f3d0a615ce5a48677903a2775a4c14cf70e4d5a51651

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.1MB

MD5
6b49737b65aee7a327b65ef64e923be2

SHA1
9dedd8c5ff03e2d04592570d55b1555e88fec5de

SHA256
a93e93c9f022058113b7e6348c3b428529f94df440aa9a5d4e44e3e2eb3e239f

SHA512
8e6fa1a71ca0be1f5771af7ee9f65cba31327b6953cc82ad84222293e31d3ce261c09026707a65ef07e60028903c387117b87fd112780acaaf95e18ac89afd43

Download Submit
memory/388-82-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/388-194-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/2104-11-0x0000000001000000-0x000000000125B000-memory.dmp

Filesize
2.4MB

Download
memory/2104-0-0x0000000001000000-0x000000000125B000-memory.dmp

Filesize
2.4MB

Download
memory/2104-1-0x0000000001002000-0x0000000001004000-memory.dmp

Filesize
8KB

Download
memory/2208-67-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/2208-45-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/3688-193-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/3688-69-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/3908-29-0x0000000140000000-0x0000000140418000-memory.dmp

Filesize
4.1MB

Download
memory/3908-30-0x00000001400B2000-0x00000001400B3000-memory.dmp

Filesize
4KB

Download
memory/3908-146-0x0000000140000000-0x0000000140418000-memory.dmp

Filesize
4.1MB

Download
memory/5000-38-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/5000-173-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/5000-162-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/5000-37-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download