Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-01-2025 18:00
General
-
Target
JaffaCakes118_7b0d937d1ca7495e4f4ddcc5eec85b60.exe
-
Size
884KB
-
MD5
7b0d937d1ca7495e4f4ddcc5eec85b60
-
SHA1
be9c08dc85620a284f58cb2c7d5c463454aca7e8
-
SHA256
1ed33c34e7942721cd0a459cb852f370b7284af6d775b2db865ac2c97bbceb90
-
SHA512
accfdccc19ae269d4b295d0e217e92ae5f1056770016d62ce70aa83ca2c3b019cd2ad7f1a5b70d4dbb301e92b43432271b0a029cf26482c6e933855d6e4c8fd7
-
SSDEEP
12288:CQoN/7YkrWBfWhvRhKUrFnnFI63RkqxgJmxJSD+yJJRm6YqUhiCQz:CQoN/7DSBfWfRn6uZTxJSis86Yjihz
Malware Config
Signatures
-
Expiro family
-
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
-
Expiro payload 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Drops Chrome extension 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 61 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b0d937d1ca7495e4f4ddcc5eec85b60.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b0d937d1ca7495e4f4ddcc5eec85b60.exe"1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD56ae48afd4ecb7aafd20569a247b467ad
SHA1821b43cbfbf8c749bcba69ea8b3df82efabdb9be
SHA2561302ace864fa1dc798cfd0d025e21d4aa34cefc549536034385251489bcdce06
SHA512e60e8d2294b60ea50ba409750d9bb445ee1a69befea496bd270b617ef64456f40b3a909cb30f5d8ad5f6cc4a3b532c8f27197b471c8f4ab3fc275273f1208e01
-
Filesize
723KB
MD537500a511b4399c7d8dc7623b9eea03b
SHA1340a273fb5eefcabdfaeb34aeb2d3bc5ce9ee4eb
SHA2564c91726f5e47c23691e3ba5641e35b456fe53e0293a6e491a12a2f1bd3776cdb
SHA512444d67214c61307e1539212856e252fcae65dd7b89749d25092b222f9fffcc1f6a11d4eae0f8aab544e405bd9c05adc43e39fb16c242cad3587a503701e133c2
-
Filesize
740KB
MD51b96c372a759d2d49c0bb087559ad451
SHA13c8dfcd7908e0f362ac569b959dbb2a5daad319e
SHA2566bcde7d8d623e15eae7d29f8c1d0b9fc800ae9912c047597001eece3d184427b
SHA5127c31bdbb1ba7f1dbc2a7d8dc3010d2f74a4e07712be6dcc435b3efb26e4deee6f99dff196a6d1cadf0125f69faf33cc56bc0194d843eda550b84bab790eef7a0
-
Filesize
4.5MB
MD585f7a080c33784745c820d946b417092
SHA1697c664011e055a069424a285dd7882de1776693
SHA25674c967cf4bec39023cc43e17ae4657aec69a864a045437f5977c0f1ca06e3774
SHA512ff7e36ce2421cd1764aedcf0a540506966dd0f7605672a517290aebc8286510d5e56ebb1e57db6dbc885ef446b958fa6a8f06e284f02f781255ea2d5275cc89c
-
Filesize
2.1MB
MD5a4720288bf87744b618b51c78a20da7b
SHA1746d2c2e0eb9cf60643d16f7127e8524e26f6524
SHA256846928deba655e9f7239dd857bbbb6dd74df32e11a56b0187663e7c28a231d7b
SHA512c5d483eb7e804df36ad6fc81bdd679ca9ff8aa75f006addbaa5f7476497029287136b87e36b9deb762ea80f49f6ad8c96c84be5d33150e062d91189a3f3bf4e9
-
Filesize
1.3MB
MD5def08ef72eb777d20b77f85333aa8703
SHA165101b1a9c7515ad20bf0f964a44e8aafba0890a
SHA2565619f10b7b081f207a33c6f6ab53b0b7267ad377360d0fdaa554428a88b5592a
SHA5123c1f2e47ad5e194c6c82f17116520f3d4d493d782e1702d5e332f9836f089b753b0d41b96b15a72c62409e67c38a00b268b1173d92a8f6fc68c7c529e43a1ed9
-
Filesize
919KB
MD5ebb14769c63f8fda107746e9f1aa8b5e
SHA1ec8236fc9a28518913b3add6a2e418c86a24707a
SHA256e34ae8ee85d86509ace7ddcc8ddad1f3c0c5f7b82eb49b551d3dfdae5faaa2ca
SHA512915675ba08ef507358c0f51a3f515d8dd7adeb987e5b6f287430ef123c25d869bd3add9714ac51b980c16dada0af94c58ea47ee2497de94c05c31474b720555d
-
Filesize
1.7MB
MD533c6c38d5403818a46e2b120f5010a34
SHA13c9793fda0f836f97d4cc8cf04ceb3f0ea75db6b
SHA256cc129ffca76d1b88420688aa10f2d7157b2d8c823ceba76d42bee841e9feafc9
SHA5127ad87c3e049b6aadc971f316c9dff1eaad919b1b40bac46a396964d4084519bc6896c7aed7da003330c6e09cdb1f8fa196cd97c2e596b779176b3f7896520a9c
-
Filesize
1.2MB
MD5b4c121c81af13532ba18a91faddd4fb2
SHA1816bb8fbe453f4177567cdee5622cf9913984580
SHA256c7e682641bf05e99c27f65fb940e1f2ed20a7d51e374ff0b42efd1c3200f8317
SHA5125d5847da483a7d188d0e2529e86dab9abe1f0464a270c92f7459104a628ec848970312388f7a413d36563334371a1c12af32c44f015ccffd77c90b44ddcb79d0
-
Filesize
874KB
MD5939eab93d9d269d01a059dca16d68025
SHA1239eddb0082568b32a1435922b98e14a18983f34
SHA25668b67ccb29cd3ea9201037f2d8c640e07a1e15ce28dbc2be5162f86b2c8d9a43
SHA512b2fbbb3f2c05273d847dc69f031f7df6242bdce8c8b520a2c333d1531371b50cdfa5b890ead842ad2b98c0e10c36f322474c1116241d6f10a42a10ee56beae98
-
Filesize
2.0MB
MD56fdfc06ef7014e2bd753b47757b224cc
SHA1ceab08497688c0a0737b46d6ec5426cdbea5aaa6
SHA256efc72bcb2a4d4bc46ef2f86022435ad66e678330137799009862872193905f83
SHA512c2105e4a4586a00410572ae36da71cd9aa671126433d3797f22d17c48fa406a61eaf937bc0dbda1426e5ddca65113a097cded47a53c6951b64f0426b37aba05a
-
Filesize
193KB
MD5805418acd5280e97074bdadca4d95195
SHA1a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6
SHA25673684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01
SHA512630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB