expiro | f5377f544d5c05daff97e1dc9614700a6bc32c080c00e173b402fec9a3aad1b2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 17:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
Size

611KB
MD5

7af9483222993994df1885ebe57c8740
SHA1

674ae56f9fee9c01b983b78d473aa1e2c4a4bbc4
SHA256

f5377f544d5c05daff97e1dc9614700a6bc32c080c00e173b402fec9a3aad1b2
SHA512

c697ad687463904b5cffc12e6ae94a16c7028bc473797335a6390389b73a6504015a1a93bba38a90fb1b1e0fc2fda22d6d3ef54700054844a0a028917584f04e
SSDEEP

12288:KLh0jD9bLcbwrrAQ722Jyxb1aMs9zcuWvcwCvdFIqsYk3nVdW:T9sbwr0QycQqfwUjPvk3V

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/3432-2-0x0000000000400000-0x000000000065A000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
868	elevation_service.exe
3204	elevation_service.exe
3852	maintenanceservice.exe
1156	OSE.EXE
1660	ssh-agent.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000\EnableNotifications = "0"	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\J:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\M:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\U:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\X:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\H:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\I:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\L:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\T:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\V:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\K:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\Q:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\R:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\S:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\Z:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\E:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\G:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\N:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\O:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\P:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\W:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\Y:	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened (read-only)	\??\I:	elevation_service.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	\??\c:\windows\system32\bhgikkde.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\kkjqjgpm.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	\??\c:\windows\system32\liqocgee.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	\??\c:\windows\system32\elgpemjk.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	\??\c:\windows\SysWOW64\hflgcbdk.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\npkahqmq.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	\??\c:\windows\system32\oaiiamdl.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\windows media player\eodlqaci.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\qcogljfn.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pnqggbpc.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File created	C:\Program Files\Java\jdk-1.8\bin\fadcmdcc.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\chlmfebj.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dimdeidf.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jre-1.8\bin\fcmpdicp.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\knjpmnmh.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Internet Explorer\llopmkim.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kggjdgjn.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\oocjcpii.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\epgaijka.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jihehklc.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jre-1.8\bin\ibcoebjm.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\aqlckbbn.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\bklbclai.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\oklgbmqo.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jre-1.8\bin\ebbgqipl.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jre-1.8\bin\hfopahfc.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\jiianoje.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mcfbcncj.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cgakfigd.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\qqlagjep.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dmkcmlkj.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kefbfhkg.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\elaqljie.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jre-1.8\bin\eajefjjm.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\pkbokopo.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idddgalc.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dgilkpmn.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jre-1.8\bin\ghdhglfd.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ogogbdbj.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\fcbnjplg.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Microsoft Office\Office16\pbjmkqlg.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jre-1.8\bin\ooqkhhjo.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\nkoillja.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\bin\eiknqqhf.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\djgnqiea.tmp	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	elevation_service.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe
868	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3432	JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
Token: SeTakeOwnershipPrivilege	868	elevation_service.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7af9483222993994df1885ebe57c8740.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7af9483222993994df1885ebe57c8740.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3204

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3852

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d62688eaf69d93f061bb74a210ed9943

SHA1
12179a9ee6b5bfe65f246d5d505820b1ef1be992

SHA256
fd3a96c5fc77a98c78010bef1d05d6c2e11956c8ac840f7bfdeb951558d63d39

SHA512
29b1b13e672b36c8c84dfe84c638e2b8c6bf9d7425eabe3cb21693ac10ae1ce40d32b66e54e4a5a3e26ef9d5ca31ed708ba336066dc2f5a11550905b1ea9cd17

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
11b1beb1a8d3e2f2d4deffe28515bbd4

SHA1
335a88bbfed0fc9a5d1ae1a92d672730a985e012

SHA256
ca6319aaf46f1ef009d26c42a04ac6b49a3310eb265bac8d5a50e865281f3a3b

SHA512
e26773e3d74f141d5760615007080201d4bb0744fd12f33fd7f6f0639fc4e8b117322ad9717c4b344740e64b808b610d858e2bc3b335f5cffd499e820f8ec945

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6b2eb2f95bcd80080b764f61f6cc2db5

SHA1
4b65a8faf3dee03c42940b9d1a9147aedf9e6e1c

SHA256
5b94224099aafb4294a84cd6ebaed3b11e0bbb6d48066633425e01e50041b05c

SHA512
367e3b6c7f53012be7ff87b3d4d102741442365a667ba9f55ab27c0f256759cb1f0311cda5a0a3dc867bb5ab3857d8355f396dd0566edc210ef27043f7516649

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ea4baea4b8ca650ebea6cfd7536260f1

SHA1
330c155231d3ee19bf716f3540b432c137423fd8

SHA256
dc7d0bbe84f2d32d515c8b4e5c50e4366a781676fa8ad5f7a7847493cd3e62e6

SHA512
1d3519e4075d5e2c5cb8e0a77698522cc2a35d922fc9c30392c52bd2187db69367c76ff6bf097dc4e7cd9f6c70ad92cbd3913194bbe3605f3013be58a4033977

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bbbc1c091006099dcfdb54efd5089ad0

SHA1
c33ecf1ba8de9da53069e2b293b6d312afc5f64b

SHA256
ecee5c2da48d92a913dc1033efd9ae173cf450a5a650b6c14a2e57de1f6558c9

SHA512
887d4bbbd6c58b0ddf2f5b3e54697b2953a38f3f0304b313cd46a8fe8d0e3e5511a81e5b314b22d4d135b114eeb760f7d0ff510c09d5f471a03332f533cbe7eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
832KB

MD5
c8d323bbfdfcc4a1430387089ff25c1c

SHA1
45f7d7c8920ee23f265d45a0bf0d2362da11cedf

SHA256
941b1b6e5f5f7b4df48305cb08142d778b2b8866de65e2b16645e69e7b82990d

SHA512
0cd2013283e174741066a97b0a5ad25fe28b3033132d993ed37eb4d50984ef25b9b942e2c5a2b4c8db702e4a2782776cfff75882e8fa960a99dca82d21a5215a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a97fa9c586fba5549d1749ce5992ceeb

SHA1
e627bf71e98cfc4e42122023d53e2be53ca6f6e6

SHA256
d52328c3b1c542f9534a4375c30d2633c0d6a87f3027f27440471c67926dfe4a

SHA512
f957c5d0c40ba8d0df7b6f79f4d62ef5bb353ca6bcf8387608e7f382255b0d250b5b47ebdeaf86320346346125c8af4d711515b007f4472bb6585e813de02459

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
f05c4463c75d0da8189f9eb22b13fa43

SHA1
006bc495d029ab4a86fa137b01e67095a9f7473b

SHA256
29fb41c89d6a2c72db356bb9f4d984f98d6b0a4df965c4ad07803fc730795f22

SHA512
066e364f5d8083ad1efe5612b21ef076d0b9dace839e767f940913740ccd51b131c005d28b92f32682c06fb8aab1ac34dd7a29ec7a4e1163416938447e46f67b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0d861abc95f52c7682f1f15b13fe3d49

SHA1
2fb202f2eb7209545d3b6a47c6154f52b63711b7

SHA256
c71d61361e6cc2c4f472095bd1f17a4eadb3fdf441de864ac8f6dd3a63dea16f

SHA512
daeca9c6fa418206485783753bbc06674efa084e28e0edab442228f2d62fad310fdc722e951f3295555335e35ad9a8a7e44b9eea1eadc236e50ed4b78d295484

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
68de6315fcf8336b1da71d08b1f9bc1d

SHA1
c3fa90501718fefd2105a17febd7560f19702b38

SHA256
044d935a18b0980076cc186b06d7e38b455cff109acbd110b23823d50fa60782

SHA512
d575005d010045832819619f2bc09cffc53d386b0d79fac721ea5598d1d85a94c1c13980f93482a228087b98504e77129ae629484a2c481b56dd54e24a2621d4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
797KB

MD5
8ed179eeb166965278e4908f2ccb0a19

SHA1
3ca84c10b771444bc6e74190189de869ef517456

SHA256
5e917972aae7ca0cde2e51d35816c92a505862882e1f79095511b5d66f94107e

SHA512
8daaa5ec3f9da94af1f764ffa257362972559d5135e42899e551a0334eb6062b57eb33247bfab73cce7e215f3359088acba21b8c607f9ece6068f9e9ae14c0de

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp

Filesize
4.6MB

MD5
83f456b0fd3e4394a203594716a56d3f

SHA1
f4669e9bbcda335fa5f6ee64ab0bb4e3e639522e

SHA256
1f69ea7bd1f8393e06724336d54378e71f24f5252a324c726ce2af9e56ecb20d

SHA512
89f1413b1cc8a3639c33652e2c54a198bfa0160880546d0dc840682eab4e3010f549ef546acbe41a15b20658f65d1b811adb4a4f7fbbd5aec86d3cd5c1cab1e2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
b867af572bd3024a8d73e6092686a61c

SHA1
70a58ac4c0467f27dac63e75046d144adf1b7951

SHA256
b80548fced908cb898d968497a2a699067d355f4d7e0d62085c0ddde9ca0164a

SHA512
a2d09991c33dabf84a3767df868cf70de73c41d797aed0d4c05f77fd55567a58f36cddc86e8edbc44731c1fde8203626d1796fffdd4287a390aeb6317e7cc69c

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
1efa7985b666a2316578562d0616ddeb

SHA1
619487fb7d7e38587499f2fdfcfa41ee66adc015

SHA256
5d179137a01469eca7f3efdd247f77720fce4fb4bcee57fe49eff6bad77709f6

SHA512
fef667ffbda5a7b64cdb10c79522d23ffc611b832919c6686eb5adf4b0b8ef0eec38bd56ea6090ec77d614ce8a510ab3473d0b4d2f37ecd00b48001d306a2e17

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
978KB

MD5
7ba3d1ff70db7f97411247b33b3b2e25

SHA1
302c2e99e0150ca81fe48d1e4e1ef434c3ac9333

SHA256
da061caa3849a434b2a9a4605a1a687a3e7e4972e8f7e5b2c08751c9bc131f0c

SHA512
96b133007578c6e202fe0b0d13d79edb550b194c9aea61ce1cbe5082bf4be1fa6ba2b00fdc14c34179ff2b5562d6515b95deb1ca07a8b3943d69989e14fd2211

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
4c4509da6a86514b178cb18411eaf182

SHA1
5e29f7deb47b9d82a8b1f2b835f9d1bb8775cdb4

SHA256
7a4b58ac1ab66535800a38d3b55bb9b765b2e0090abe0be84a12953346372e4f

SHA512
3a64ebab5a07e4338ec09c91d9c0cdb27ce267577e59ea8726088b6b9e9ab7e1bcc176212f0ddfb70722daa5665ddda6531687a2f2fb91e7eb56762ad4027cdf

Download Submit
C:\Windows\System32\oaiiamdl.tmp

Filesize
1.3MB

MD5
cb0e15216af827b754120e5b187aaf53

SHA1
628c1570921bc82c241095d319215821bd0d72f3

SHA256
68d64249ae7506e050f69b74e14e6418da78eb8e1e3002ae25aaf113f40810ec

SHA512
cd8630f9d47b73d122a1e54a6002641b9f5f5eb147978f5db8ef0f251fd6d09aadc4154624b59c82562c6bb42e8727571c8f209fbfc591a496b701a646a33bf3

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
ee2265d37522ab78f57ddf1701e00af2

SHA1
d02852e1f0e204af28bf6ae47fdc923d8a944b4b

SHA256
0cc9bed97e72824994870bd22231a0de27aabc34b958a02b756fc877db772746

SHA512
90b710c6a78bdf3bca288621bd6ceaebe0ac8539b65d1e85095ea0d56caac78ca4501410b4f0726c024e54d406e9577e8ce4e13128776451eea8a25d72a8d1f5

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
a329de0ce461a0aac9753a0b2974fec7

SHA1
1bcb61d9c8862da3708cdf29f83db5155c6bd9a7

SHA256
3e18067b23185fc8e98dbdd9acb768dce43aa1c00b770eb2ce983f5deca48474

SHA512
f67ed6ae635b9e156322ed81028298c85ef5da0789d0ba7675943819aea76f65d79ea481f2fdad14ef11532e73a52a9371dcc67e82f33e0637c5158d3d867234

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3e1aa7680aafa869540844a8e3db95eb

SHA1
cbc9b6b44cc1a520551c2ee6b8df0b34a9fa8703

SHA256
eb3d120c1ffcfafe36477b370d7b0d81933ab0fcc95b6b0fb423a4ac90966fe0

SHA512
4a2c6d086b0f801d6b368dcd6db5e6f41e44b51e13ccbb9910ce83a8c812c5e1493e02eda5c5b12e696d9cecc347881daf0f88b06a8ce1cbc5e5fef50aa1abb1

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
b47adc9d5fe7360a9342e234dbc57821

SHA1
fa20a8a15a90f381d199c659c63112c2403ba7c0

SHA256
0525fbb2acc1959ca8747b9d8ea2191067b17648a0f8d60c9079218ac0b5fda2

SHA512
cb184daddbd82ac9286799c13ecb6580a714eba8e5824be39b50f98b197efbfe49e2291ce5293a490e8706f3d140e55f27c6d9666baa78cc4e53683a3913bfde

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
9421ec4396a21fb1da6887f2aa537571

SHA1
41a6ebf220f0ec0f60d6b5c92cb238779efd93b2

SHA256
30246ce3c9024713f709944b179de091bdc93c137413dbd2a205c97fb0a789e8

SHA512
a272d093df0753daa752062064e2ecdcdf83bbdf9e950a1ed97d50c2fe38b715c353dbe4afb2bd3d6accb0ec4fd170726b188d5d8cb990992cc3a5db3730adf1

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
2a91d2160882553810c462d4eded376b

SHA1
12284df6092283d61dc9d578f2dfb9317156d0f9

SHA256
586c2bb5e66b8ca27653572cffe7fbf2d3b71d3ee7360886c498849b83dbfd7e

SHA512
b72cd904ecb4a8062ae149a14a71692009ee6a15c59a0d8f90dea39e880712a8d898d04724ec56c6374e4d9baaf36b0100632a74ab35b8fd8fed560c0ff66e7b

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.1MB

MD5
52826dc934f58ea9a84ea29475d8cc07

SHA1
86f91da6fc248aefed5e0a7e61ff808ef232405a

SHA256
ca8bb88c2ced615a6dbfa1375eaab9dba8c62026ab0089ad83bb6204a8c18045

SHA512
e0b4f16a30cbab1c428e64a85c27390e9d5dc10eb2da1964b7e742439019edd2f14afa5be6ba5de9453104ac0a12b33d097373cdde48f9d79c1e40d3009afa78

Download Submit
memory/868-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

Filesize
4KB

Download
memory/868-20-0x0000000140000000-0x0000000140418000-memory.dmp

Filesize
4.1MB

Download
memory/868-118-0x0000000140000000-0x0000000140418000-memory.dmp

Filesize
4.1MB

Download
memory/1156-62-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/1156-154-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/1156-63-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/1156-157-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/1660-76-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/1660-168-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/3204-119-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/3204-29-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/3204-28-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/3432-0-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/3432-2-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/3432-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3852-37-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/3852-36-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/3852-60-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/3852-59-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download