Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-01-2025 08:43
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe
- Size: 843KB
- MD5: 78be830fb6eab0c7e9a190dce8578aec
- SHA1: ee2768f6affa6b067200d06c6a29c34b5cb977f9
- SHA256: d48a5782e88fa2e4e12fa713548ed3d52bb0796f9cacbbacd4ea74c669226236
- SHA512: 9af940812a65e12f77d21de7e5c25f27b2f978e7198c007a4c1482a59822212cdbc14f872c910b0db286b1f6bfcb0d109ff40d54c02768f97ef9052fb6b8f194
- SSDEEP: 24576:Km+C3OkIqxwJV9tTF694LWj1c5tibz4mhns:KA1x8V9tBpftcF
Malware Config
Signatures
- Expiro family
- Expiro payload 1 IoCs
  resource: behavioral2/memory/552-2-0x0000000001000000-0x00000000011EF000-memory.dmp
  yara_rule: family_expiro1
- Executes dropped EXE 8 IoCs
  pid   Process
  4204  elevation_service.exe
  1540  elevation_service.exe
  1700  maintenanceservice.exe
  1504  OSE.EXE
  3024  ssh-agent.exe
  2928  AgentService.exe
  3588  wbengine.exe
  1108  TrustedInstaller.exe
  These are pre-existing Windows and third-party service binaries, not files the sample wrote from scratch: seven of the eight also appear in the "Drops file in ..." lists below, either as an .exe the sample opened for modification or as a same-named .vir created beside it (only maintenanceservice.exe is absent from the shown lists). Read this signature as modified host binaries being started, consistent with Expiro being a file infector.
- Reads user/profile data of web browsers 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files 1 TTPs
  Steal credentials from unsecured files.
- Drops Chrome extension 1 IoCs
  File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json (JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe)
- Enumerates connected drives 3 TTPs 21 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  All 21 entries are "File opened (read-only)" by JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe, in the report's order: \??\I:, \??\J:, \??\N:, \??\V:, \??\X:, \??\G:, \??\K:, \??\O:, \??\R:, \??\T:, \??\U:, \??\Y:, \??\Z:, \??\H:, \??\M:, \??\Q:, \??\E:, \??\L:, \??\P:, \??\S:, \??\W: (every letter from E: to Z: except F:).
- Drops file in System32 directory 61 IoCs
  All 61 entries are attributed to JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe (Process column). Note the pairing: for many of the service binaries opened for modification, a same-named .vir file is created in the same directory (Agentservice, msiexec, wbengine, powershell, fxssvc, snmptrap, Appvclient, ssh-agent, msdtc), which is the backup-then-overwrite footprint of a file infector.
  File opened for modification \??\c:\windows\SysWOW64\sgrmbroker.exe
  File opened for modification \??\c:\windows\SysWOW64\vds.exe
  File opened for modification \??\c:\windows\SysWOW64\vssvc.exe
  File opened for modification \??\c:\windows\system32\lsass.exe
  File opened for modification \??\c:\windows\SysWOW64\msiexec.exe
  File opened for modification \??\c:\windows\system32\dllhost.exe
  File opened for modification \??\c:\windows\SysWOW64\msdtc.exe
  File opened for modification \??\c:\windows\SysWOW64\wbengine.exe
  File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe
  File opened for modification \??\c:\windows\SysWOW64\perfhost.exe
  File opened for modification \??\c:\windows\SysWOW64\spectrum.exe
  File created \??\c:\windows\system32\Agentservice.vir
  File opened for modification \??\c:\windows\SysWOW64\lsass.exe
  File opened for modification \??\c:\windows\SysWOW64\sensordataservice.exe
  File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe
  File opened for modification \??\c:\windows\system32\sgrmbroker.exe
  File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe
  File opened for modification \??\c:\windows\system32\Agentservice.exe
  File opened for modification \??\c:\windows\system32\wbengine.exe
  File opened for modification \??\c:\windows\system32\svchost.exe
  File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe
  File opened for modification \??\c:\windows\SysWOW64\openssh\ssh-agent.exe
  File opened for modification \??\c:\windows\system32\vds.exe
  File opened for modification \??\c:\windows\system32\vssvc.exe
  File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
  File opened for modification \??\c:\windows\system32\msdtc.exe
  File created \??\c:\windows\SysWOW64\msiexec.vir
  File opened for modification \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe
  File opened for modification \??\c:\windows\system32\snmptrap.exe
  File opened for modification \??\c:\windows\system32\spectrum.exe
  File created \??\c:\windows\system32\wbengine.vir
  File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
  File opened for modification \??\c:\windows\system32\msiexec.exe
  File created \??\c:\windows\system32\msiexec.vir
  File opened for modification \??\c:\windows\SysWOW64\locator.exe
  File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe
  File opened for modification \??\c:\windows\system32\searchindexer.exe
  File created \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir
  File opened for modification \??\c:\windows\SysWOW64\dllhost.exe
  File created \??\c:\windows\system32\fxssvc.vir
  File opened for modification \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  File opened for modification \??\c:\windows\system32\locator.exe
  File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir
  File created \??\c:\windows\system32\snmptrap.vir
  File opened for modification \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File opened for modification \??\c:\windows\system32\Appvclient.exe
  File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe
  File created \??\c:\windows\system32\Appvclient.vir
  File opened for modification \??\c:\windows\system32\sensordataservice.exe
  File opened for modification \??\c:\windows\system32\tieringengineservice.exe
  File opened for modification \??\c:\windows\SysWOW64\svchost.exe
  File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe
  File created \??\c:\windows\system32\openssh\ssh-agent.vir
  File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File opened for modification \??\c:\windows\SysWOW64\alg.exe
  File opened for modification \??\c:\windows\system32\alg.exe
  File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe
  File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe
  File opened for modification \??\c:\windows\system32\fxssvc.exe
  File created \??\c:\windows\system32\msdtc.vir
  File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe
- Drops file in Program Files directory 64 IoCs
  All 64 entries are attributed to JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe (Process column).
  File created C:\Program Files\Java\jdk-1.8\bin\jdeps.vir
  File created C:\Program Files\Java\jdk-1.8\bin\jhat.vir
  File created C:\Program Files\Java\jdk-1.8\bin\keytool.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe
  File opened for modification \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe
  File opened for modification C:\Program Files\7-Zip\7zFM.exe
  File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe
  File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.vir
  File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
  File created C:\Program Files\Java\jdk-1.8\bin\jar.vir
  File created C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.vir
  File created C:\Program Files\Java\jdk-1.8\jre\bin\servertool.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
  File created C:\Program Files\Java\jdk-1.8\jre\bin\jjs.vir
  File created C:\Program Files\7-Zip\7z.vir
  File opened for modification C:\Program Files\7-Zip\Uninstall.exe
  File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
  File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe
  File created C:\Program Files\Java\jdk-1.8\bin\orbd.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe
  File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
  File created C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.vir
  File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
  File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe
  File created C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
  File created C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.vir
  File created C:\Program Files\Java\jdk-1.8\bin\jps.vir
  File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  File created C:\Program Files\Java\jdk-1.8\bin\jsadebugd.vir
  File created C:\Program Files\Java\jdk-1.8\jre\bin\policytool.vir
  File created C:\Program Files\Java\jre-1.8\bin\javaw.vir
  File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
  File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe
  File created C:\Program Files\Java\jdk-1.8\bin\jstat.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe
  File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
  File created C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.vir
  File created C:\Program Files\Internet Explorer\ielowutil.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe
  File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
  File created C:\Program Files\Java\jdk-1.8\jre\bin\javaw.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe
  File created C:\Program Files\Java\jdk-1.8\bin\jjs.vir
  File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
  File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.vir
  File created C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.vir
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.vir
  File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
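The two file-drop lists above are flattened into long lines of "action path process" triples, and the interesting fact in them (an .exe opened for modification next to a same-named .vir created) is hard to see by eye. The following Python is an added example, not part of the sandbox report and not code from the analysis platform: it parses an excerpt copied from the lists above into records, pairs .exe and .vir entries by stem, and cross-references the "Executes dropped EXE" line. It assumes what the report's own text shows, namely that every entry begins with one of three fixed action strings and ends with a space-free process name; the excerpt is shortened to ten entries.

```python
"""Parse the flattened IoC text of a sandbox report into structured records."""
import re
from collections import defaultdict

SAMPLE = "JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe"

# Excerpt of the report's own IoC text: ten entries copied from the "Drops file in
# System32 directory", "Drops file in Program Files directory" and "Drops file in
# Windows directory" sections, run together on one line exactly as the report
# presents them (the full lists have 61, 64 and 5 entries).
EXCERPT = (
    f"File opened for modification \\??\\c:\\windows\\SysWOW64\\msiexec.exe {SAMPLE} "
    f"File created \\??\\c:\\windows\\SysWOW64\\msiexec.vir {SAMPLE} "
    f"File opened for modification \\??\\c:\\windows\\system32\\wbengine.exe {SAMPLE} "
    f"File created \\??\\c:\\windows\\system32\\wbengine.vir {SAMPLE} "
    f"File opened for modification \\??\\c:\\windows\\system32\\lsass.exe {SAMPLE} "
    f"File opened for modification C:\\Program Files\\7-Zip\\7zFM.exe {SAMPLE} "
    f"File created C:\\Program Files\\7-Zip\\7z.vir {SAMPLE} "
    f"File created C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.vir {SAMPLE} "
    f"File opened for modification C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe {SAMPLE} "
    f"File created C:\\Windows\\Logs\\CBS\\CBS.log TrustedInstaller.exe"
)

# The "Executes dropped EXE" line as printed in the report (pid / process pairs).
EXECUTED = ("4204 elevation_service.exe 1540 elevation_service.exe 1700 maintenanceservice.exe "
            "1504 OSE.EXE 3024 ssh-agent.exe 2928 AgentService.exe 3588 wbengine.exe "
            "1108 TrustedInstaller.exe")

# Every entry starts with one of the sandbox's fixed action strings; splitting on
# them (and keeping the match) is what lets paths containing spaces survive.
ACTION_RE = re.compile(r"(File opened for modification|File created|File opened \(read-only\))")


def parse_iocs(text):
    """Return (action, path, process) triples.  The process name is the last
    space-free token of each chunk; everything before it is the path."""
    parts = ACTION_RE.split(text)          # ['', action, body, action, body, ...]
    records = []
    for action, body in zip(parts[1::2], parts[2::2]):
        path, _sep, process = body.strip().rpartition(" ")
        records.append((action, path, process))
    return records


def normalize(path):
    """Strip the NT-namespace prefix and lowercase, so 'system32' and 'System32'
    entries for the same file compare equal, as they do on NTFS."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def pair_vir_files(records):
    """Group by path-without-extension.  A stem seen with both an .exe opened for
    modification and a .vir created is the backup-then-overwrite pattern; the
    unmatched lists show where the excerpt only contains one half of a pair."""
    exts = defaultdict(set)
    for action, path, _process in records:
        stem, _dot, ext = normalize(path).rpartition(".")
        if ext == "exe" and action == "File opened for modification":
            exts[stem].add("exe")
        elif ext == "vir" and action == "File created":
            exts[stem].add("vir")
    paired = sorted(s for s, e in exts.items() if e == {"exe", "vir"})
    exe_only = sorted(s for s, e in exts.items() if e == {"exe"})
    vir_only = sorted(s for s, e in exts.items() if e == {"vir"})
    return paired, exe_only, vir_only


def parse_executed(text):
    """Turn the 'pid Process pid Process ...' line into (pid, name) tuples."""
    toks = text.split()
    return [(int(pid), name) for pid, name in zip(toks[0::2], toks[1::2])]


def executed_and_modified(records, executed):
    """Names from the 'Executes dropped EXE' list whose basename the sample also
    opened for modification, i.e. pre-existing binaries rather than new payloads."""
    modified = {normalize(p).rsplit("\\", 1)[-1]
                for a, p, _proc in records if a == "File opened for modification"}
    return sorted({name for _pid, name in executed if name.lower() in modified})


if __name__ == "__main__":
    recs = parse_iocs(EXCERPT)
    paired, exe_only, vir_only = pair_vir_files(recs)
    print("paired:", paired)
    print("exe without .vir in excerpt:", exe_only)
    print("vir without .exe in excerpt:", vir_only)
    print("executed and modified:", executed_and_modified(recs, parse_executed(EXECUTED)))
```

Run against the full lists (paste them into EXCERPT) the same functions give the complete pairing; the excerpt deliberately includes 7zFM.exe and 7z.vir, which have different stems and therefore land in the unmatched lists, and the CBS.log entry, which is attributed to TrustedInstaller.exe and is ignored by the pairing.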
- Drops file in Windows directory 5 IoCs
  File opened for modification C:\Windows\Debug\WIA\wiatrace.log (JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe)
  File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe)
  File opened for modification \??\c:\windows\servicing\trustedinstaller.exe (JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe)
  File created C:\Windows\Logs\CBS\CBS.log (TrustedInstaller.exe)
  File opened for modification C:\Windows\Logs\CBS\CBS.log (TrustedInstaller.exe)
  The two CBS.log entries are attributed to TrustedInstaller.exe itself (its normal servicing log), not to the sample; the sample's own writes in this section are the WIA trace log and the two executables.
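The recurring footprint across the three file-drop sections is an .exe that was written to with a same-named .vir created beside it. A practitioner checking other hosts for the same infection wants a sweep for exactly that pairing, plus a comparison of the two files. The following Python is an added example (not from the report or the analysis platform): it walks a directory tree, pairs X.vir with X.exe in the same directory, and records whether the .exe differs from the .vir and by how many bytes. The directory tree it runs on is constructed in the block to imitate the report's layout; the file contents are placeholders, not real binaries, and the real-host paths would be C:\Windows and C:\Program Files.

```python
"""Host-side sweep for the .exe/.vir sibling pattern shown in the report above."""
import hashlib
import os
import tempfile


def find_vir_pairs(root):
    """Walk `root` and return sorted (exe_path, vir_path) tuples for every X.vir
    that sits beside an X.exe in the same directory.  Stems are matched
    case-insensitively because NTFS is (the report itself mixes 'system32' and
    'System32' for the same directory)."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".vir":
                continue
            exe = by_lower.get(stem.lower() + ".exe")
            if exe is not None:
                pairs.append((os.path.join(dirpath, exe), os.path.join(dirpath, name)))
    return sorted(pairs)


def sha256_file(path):
    """Streamed SHA-256 so large service binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root):
    """For each pair, record whether the .exe differs from its .vir sibling and by
    how many bytes it grew.  An .exe identical to its .vir means the write never
    changed the file (or it was restored); a grown .exe is the one to pull."""
    findings = []
    for exe, vir in find_vir_pairs(root):
        findings.append({
            "exe": exe,
            "vir": vir,
            "modified": sha256_file(exe) != sha256_file(vir),
            "size_delta": os.path.getsize(exe) - os.path.getsize(vir),
        })
    return findings


def summarize(root):
    """Basename -> (modified?, size_delta) for each exe/vir pair under root."""
    return {os.path.basename(f["exe"]): (f["modified"], f["size_delta"]) for f in triage(root)}


def build_demo_tree():
    """Constructed directory tree imitating the report's layout (placeholder
    contents, not real PE files).  Covers the three cases a sweep meets:
    a grown .exe with its backup, an unchanged pair, and orphans on either side."""
    root = tempfile.mkdtemp(prefix="expiro-demo-")
    layout = {
        os.path.join("Windows", "System32", "wbengine.exe"): b"MZ original image + appended code",
        os.path.join("Windows", "System32", "wbengine.vir"): b"MZ original image",
        os.path.join("Windows", "SysWOW64", "msiexec.exe"): b"MZ unchanged",
        os.path.join("Windows", "SysWOW64", "msiexec.vir"): b"MZ unchanged",
        os.path.join("Program Files", "7-Zip", "7z.vir"): b"MZ backup without exe",
        os.path.join("Windows", "System32", "lsass.exe"): b"MZ exe without backup",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for finding in triage(build_demo_tree()):
        print(finding)
```

On a real host, pass the volume root and keep the .vir files: they are the pre-modification copies and are the reference for deciding what was appended to each binary, which is a better starting point for analysis than the modified .exe alone.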
- System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe)
- Suspicious behavior: LoadsDriver 2 IoCs
  pid 660, Process not Found (two events; the sandbox did not resolve a process name for PID 660)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeTakeOwnershipPrivilege, pid 552, JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe
  Enabling SeTakeOwnershipPrivilege is what lets a process take ownership of the TrustedInstaller-owned binaries under System32 and Program Files before writing to them; this is the privilege use to correlate with the modification lists above.
- Suspicious use of SetWindowsHookEx 2 IoCs
  pid 552, JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe (two events)
Processes
All nine entries are shown at the top level of the process tree; the report records no parent-child link from the sample (PID 552) to the service binaries it modified.
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78be830fb6eab0c7e9a190dce8578aec.exe"
  PID: 552
  - Drops Chrome extension
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 4336
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 4204
  - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 1540
  - Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 1700
  - Executes dropped EXE
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 1504
  - Executes dropped EXE
- C:\Windows\System32\OpenSSH\ssh-agent.exe
  command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 3024
  - Executes dropped EXE
- C:\Windows\system32\AgentService.exe
  command line: C:\Windows\system32\AgentService.exe
  PID: 2928
  - Executes dropped EXE
- C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  PID: 3588
  - Executes dropped EXE
- C:\Windows\servicing\TrustedInstaller.exe
  command line: C:\Windows\servicing\TrustedInstaller.exe
  PID: 1108
  - Executes dropped EXE
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads
- Filesize: 2.1MB
  MD5: 61f92e0ba9c570c77888de4cf524b985
  SHA1: b92af1b46edea081e3911bbd83bbace40facd1b7
  SHA256: 1332f69e778aae9451eda1a3cf9b14e86b59d396eb477659319f89b36c871337
  SHA512: 1816474a01be8e28976c9c18fd7c35ad66b54028c1c615b7fe45a7e0fddde0ed07a51a974f6faa545fbc2be69fb50916927d6bc7c71462f88cbe901bfb3b0ce6
- Filesize: 731KB
  MD5: b89c56b54a38df4ab7bc166422d8ce64
  SHA1: 7fef83362d870969f28b2242c3693253fafc56bd
  SHA256: 861c24473b3d76fec56dd77a87f49a353d80f45ca05bb22a1704404351908805
  SHA512: a48a0d4c53f8e5dc9bad6305bb1d2de81f62cc4b53ca0fe7c15ac5948685231c6fc056e317ce23d128e34570ca835f553885806ec2d25e1901f95cbc5f049baf
- Filesize: 748KB
  MD5: 0f2af2000edac15c403371e4bff1415f
  SHA1: e2bf0721f961087b9bebaf0bdefcb636f4aa5c76
  SHA256: 78cc604981c57d79ef2522015bcec267d0bbfa0bda02cd0f1f59d1f2fbb217f4
  SHA512: 40fc3a0d42b67a19b4f54aa73bfee207d7f8d426728ac2de49aa5e4281c68633d32e50f8140ab1f9cea7b0e786ebb731a19a5095c99745bce2ca6926a840caba
- Filesize: 4.5MB
  MD5: da9009fc093dfdfb3466d057f4fd8c1e
  SHA1: 162dd18e3e13a3a7dbf53f96bb62ae638ec5ce9c
  SHA256: d52ec6419a7e77f7feecab809496d53fb07e18eb8c3a636611344cea75353136
  SHA512: b971efc9b532be306494e2836c896f5fa54910103062ec6f6c2f3a91f273ffe06d36533c06305da47e91ed6e64708c5c46348f32ccf173c7cc03255e25790814
- Filesize: 2.1MB
  MD5: 3bf3fd70a5e9d820a1fc308eb6fec3d5
  SHA1: 316ac5919ae72f6498906a43295d5fb42c322537
  SHA256: 84266acb87658347a5eacf745a7ce7eacf20ae6d0b9b272143a8bf6a3718d426
  SHA512: ded782f801bc4411573afedc3779accb8471dc626e841acf3137dcbaaddbff635a6c5c631e92db75a1260dbd897630e43a904b7d731663592b63ec1a450c06a0
- Filesize: 1.3MB
  MD5: 3c01506d2e1346019d13ad03c02bf16b
  SHA1: c705bf4c0eaf07d9179ed491f79f8a1d3165cf13
  SHA256: 9a0d4c4a684d56262e5e4211b8539bfae0601fd3fc49f982f7aeac9bed92ce26
  SHA512: 52e00d61bd43f42ae92581946ca7048f751c6781cbf3ff668736d757692fcbaafb0f5f8a7f50c1318bade8ccbb4c3f68978727cefbc2bd8eea873be184f3d9f0
- Filesize: 931KB
  MD5: a3d7d2d5d6824c6c901be66653ad221d
  SHA1: 15e5169114854107e712206b9208e3befcc05b02
  SHA256: 7b0a238466873258fdd1faeea064ceef81dfa665cf1beb28a1a66a2cb8679c75
  SHA512: c5185c089c9fb02c1cbf25f7f25fea143249ee01831cb8e2615cf43cb43c6654c47a2e34fa2e2551aa33b2db7d8a428ba9594733e09f317d5e6601b3a7f5a582
- Filesize: 1.7MB
  MD5: 33da502a737ad7ef6ff959eca3b6d961
  SHA1: 0536d55a9becfd90da420202ddd50b382759f146
  SHA256: b4abf2620c8040177c4460be2073b0ccd2ddb5325838fc00f31311d21413b76d
  SHA512: 77d65a1436c7b3903ff2fc66d11ea38b5c949ac9b694682c54d05204a263b1947149a9527469eb137d2fd1a6ffe70ba11f30bb3c5cb125ebe484b1a44ed04a9c
- Filesize: 1.2MB
  MD5: 9eab710361eba71ba974243b6f1e4698
  SHA1: 47105ed38a41a4ca3ec36438ca68255b16f5f991
  SHA256: 532d5076d5042d3c4564e08a2aece0589b9e6701ff4bacdc4d828d86921191da
  SHA512: f50708830a9701425a2e687a24e5edff1a60f75672ba5e6f137a3d0dfffec037970c39c67615b6832d2479f084f13481c1f6aa0ff483e6f65b3057a9a7faf53c
- Filesize: 882KB
  MD5: e336ef510203fb2ee487940b8a104511
  SHA1: 67ce02136cd8180fef2fddfa5382ed2418cf6826
  SHA256: 93d000c264cebe5e834898ccebcedfc7edf21c5e86146d5669f9ad147693e5f1
  SHA512: 3f8a42d328ae4d222ef31d84f3bd15c12cc67ca3548b56bf6aa60e09cb7f534c6dd9cce4e544935443358004784a3f68ec36c80d599c0e102928911ffc8e2641
- Filesize: 2.0MB
  MD5: 7654326a64023125d7e0ac310923f2b7
  SHA1: d01a3c45a2f8e532f8d234a04eaa54bb29f88f54
  SHA256: 9481ea8dddb56bfc901ee5a69cadd143494ea97bb165105086fe9a529159437d
  SHA512: 7dfe74df2c994b65161e97c97a9775618cefff176c37b48d9185fba136ab1f31c66164e3bfa05d6678fd33a2afbdcfb1c8a60aee848503919bc11074476ebbe2
- Filesize: 193KB
  MD5: 805418acd5280e97074bdadca4d95195
  SHA1: a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6
  SHA256: 73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01
  SHA512: 630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de