expiro | 7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
Size

635KB
MD5

79fe1ca4d124971e6b872d5d6acd25f0
SHA1

eca06b23d460392695fbea380a6e4ed69ea14d55
SHA256

7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223d
SHA512

7e37f5cff2d86b325d3acb44b1a6821c94a221a70fa9ac81369fd8b22aeea3df5e6e652ba46618f7b06393045b09e7d8c7c676334c14666f27b9c1a0cf2dcf61
SSDEEP

12288:WDB+kxedc++Zvwx4jZVvPr+WmCqeDkqZ7K0Y7hbM:WDB+kxeqPZvwujZVn8eDhXYNb

Score

10^/10

expiro backdoor credential_access discovery spyware stealer

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral2/memory/2644-2-0x0000000001000000-0x00000000011BA000-memory.dmp	family_expiro1
behavioral2/memory/4384-20-0x0000000140000000-0x0000000140368000-memory.dmp	family_expiro1

Executes dropped EXE 7 IoCs

pid	Process
4384	elevation_service.exe
3952	elevation_service.exe
4116	maintenanceservice.exe
1188	OSE.EXE
848	ssh-agent.exe
3692	AgentService.exe
1124	wbengine.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\V:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\G:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\L:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\R:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\U:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\X:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\J:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\I:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\M:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\O:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\P:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\W:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\E:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\K:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\Q:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\S:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\T:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\Y:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\Z:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened (read-only)	\??\H:	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\fxssvc.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\openssh\ssh-agent.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\Appvclient.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\msdtc.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\msiexec.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\snmptrap.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\Agentservice.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\windows\system32\wbengine.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\dotnet\dotnet.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	\??\c:\program files\windows media player\wmpnetwk.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Internet Explorer\ielowutil.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2644	JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79fe1ca4d124971e6b872d5d6acd25f0.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:848

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
00b26bb33b970167848d0694473dbcfe

SHA1
a69993ff523db1c1d73511a8082c5221131b11e7

SHA256
9723e286b583c0928f1d70e6e2fec0bfe97e2314d99b59512ae436452e2c88e7

SHA512
5df0367af453fb04bc12347499f561b07761a24405b85447987be609c56f938726fb847cd2f038a8e99af9457ba06aeb9a28f8d9376e0604bf437104aaa21208

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
731KB

MD5
105aaf445e7441f7b0deac5ed9ed2ae1

SHA1
80bf737cfcc9a27c9421b8d8281ef38880eb9f43

SHA256
df887d29aa7790342960c672c83751a199cf99e6d3ba564b391369f745ae8bba

SHA512
5acd5daeb6c1b2c665a409d4ed06383d275db5bb16ad28501f175ff9d2bc86968fe0c04ff7f6aefd48693280f2efc84613fe07bddb8c4e1f6cd3c1eb2675b4a5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
748KB

MD5
e933459829f01dddc509f4323addc40a

SHA1
232cc26dd0e0775dd4a52e5611f0d11ed47d4b7d

SHA256
55fb3206a335adafc4241e022e535ada1ef1fe274d1291491bed9c413c3230bd

SHA512
8a04d2ce1cc692e89c59d6c6fd6751f8e16a081b988f5259af3e241de4872543659013e1208782bd21e33bf248b32498d61bffbff073a6b4dc5851f6bf1c0e95

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir

Filesize
4.5MB

MD5
7e70e99c739df8174e30bebc0ec9926f

SHA1
e45a690347250bf57b1b1fb0a906cc5019214050

SHA256
60a6e56c1bd87ea3c0eb5c05cbea2bacb16d76d64137dcec30643a3e9d11109b

SHA512
0daa82e380051550798dd6fe04f3a627a1f4029a2333fe14b4bc36a6ec8585bd1d03db1ae40b2e3ad856fe0ed6f8970c8927ea03de3dcadef38fd27b17a9eed7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
92346c19e0424477110c0c5fc6d8f80c

SHA1
d260e017502dc973acc34db43871f898aefcb02c

SHA256
13bcbd9e2f1b0339e3cf91466a79202e1699ed8a569fb71313f65a04dd8d1769

SHA512
8008ba3c5b6c8c962e3ccfbfe528ba15c563afc01d4369f15a3fb350033fe6ffc337268bd1dd86ac47ad66633e6b9f543e4e2a797bfc5b5af6055db0742c8ffd

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
0b1f1790abd4754d643e750228fd4fc3

SHA1
0056e4ad820a08fe6db7863224fbbe4f1b42daf5

SHA256
ef8bbb11a9968fc9c74467a4a9e8d6aaa44863982f242d4f0b13568d3c58bf08

SHA512
8a416af2fcf2695b1fedffc8c67165e17ca00472900b273ba71c757e002dc4766ec7199ac34a35b9b06a0e0073d13e459482c5f4dbdd3bbacea8d4a36b9ac02a

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
931KB

MD5
03d5611b521ab8db7f62efc1193efc03

SHA1
cdcf673ea0870576fc860fc0b4e66f1c14ee47ea

SHA256
a9bac177d329741c6edd4413e5a0f9bba2e07f79763a2cbed9e36282a86945ab

SHA512
205ff4f765ffaa9e8243e45af5ee41b45f3621e983e2ddc53d3a067370bbcadc8a6ce1c818c123b2c00c98aed9d703167f43b4c87cc2a763081c035d4d2125c0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6f7585e97e737ec8e426b85cebee4e67

SHA1
567881e9cc862d32359f0ab4c6b4342c1747e85e

SHA256
58b87dde069442640431e37c96c7222e823ab37a87a6aa8d3a16837d9cfcd51b

SHA512
3d86b64ebf4b5f11f25b9ae34b16c8e630acd27bcf03f47d18953766964c2a4e7cd543ae7369ad00a4b420d8397d7567fc3ca44f8a80061c0dcfe6c3e910274b

Download Submit
C:\Windows\System32\Appvclient.vir

Filesize
1.2MB

MD5
20bb78528c00b100cef3737edbcd6856

SHA1
bcdfc2d1ef5228ce2437cc64f758cd27670595cb

SHA256
7e52cfb3dc28db9bb960c5f6bd504ae5b04de00252fe84bf1e910cacbed7d702

SHA512
37905023600963004c4a8c241ce81a68bfa96e522831d251bd50cac59f95371fdcbba83f112461d6cd16496a26e940ae607c29376ed303a23a8b5d632432a72f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
882KB

MD5
2be015775ad677da217691ff365b6b68

SHA1
111b4407bae026adbcbe6391354582ebf5978223

SHA256
8cd90ddb4152f6faec33656641d0b6f3f711afcc55fefdaba5a56d8c7b338dc2

SHA512
2b57ff4d918c3378e75b2c910290989f6eb012a3313b2675e8947f831da55c7c4809821916d09084f8da1450709a239415fd0668671922117d5b879396d071bb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
cc52a821a3ea93c9977a531a6442d7b4

SHA1
8d1dc995f1caa6af6c453f4684a02d994c94513c

SHA256
3537f4c6941ad244abb5274e941155e41a3829f16e5664498556e4bf364fb71f

SHA512
e6228bc1bcbc967765b895119d3210b034c3974f2f60d6cb6b3649f004fa50f7ed7b30875eee840ae92934329f6393131675f86813eb543613055b7b9b60c974

Download Submit
memory/848-74-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/848-73-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/1124-89-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/1124-90-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/1188-59-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1188-60-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/2644-0-0x0000000001000000-0x00000000011BA000-memory.dmp

Filesize
1.7MB

Download
memory/2644-2-0x0000000001000000-0x00000000011BA000-memory.dmp

Filesize
1.7MB

Download
memory/2644-1-0x0000000001008000-0x0000000001009000-memory.dmp

Filesize
4KB

Download
memory/3692-81-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/3692-82-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/3952-29-0x0000000140000000-0x000000014035F000-memory.dmp

Filesize
3.4MB

Download
memory/3952-28-0x0000000140000000-0x000000014035F000-memory.dmp

Filesize
3.4MB

Download
memory/4116-37-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/4116-36-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/4384-21-0x0000000140000000-0x0000000140368000-memory.dmp

Filesize
3.4MB

Download
memory/4384-20-0x0000000140000000-0x0000000140368000-memory.dmp

Filesize
3.4MB

Download