Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-01-2025 21:31
Static task: static1
General
Target: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
Size: 625KB
MD5: be8ddd8808afaa3b0ab13a746c001f20
SHA1: 986d6fcde345bfb925d51c4d8ba3f887b924ef8b
SHA256: 9fbfe5b0417d591c3c51c5301c5322ed02ca972c905a6eff573ea97f303b01d6
SHA512: 54056b8248afcfabf4be927424de0fb2aa1802029358c6e29d69371e019f44396ac9a3d95395c4093c1f03526820e77f3964ecd3adae7a8f02994bf0866ea6ab
SSDEEP: 12288:OVt+w8wyv/n66WoJMbN6yYwJGMgTprEyFPcGcSrkCxwMjrO2:Et+w5yXDJ0N6yYwJ3giyFsSbxbrO
Malware Config
Signatures
Expiro family

Expiro payload 5 IoCs
resource yara_rule
behavioral1/memory/1748-0-0x00000000004BC000-0x000000000054F000-memory.dmp family_expiro1
behavioral1/memory/1748-1-0x0000000000400000-0x000000000054F000-memory.dmp family_expiro1
behavioral1/memory/1748-3-0x0000000000400000-0x000000000054F000-memory.dmp family_expiro1
behavioral1/memory/1748-47-0x00000000004BC000-0x000000000054F000-memory.dmp family_expiro1
behavioral1/memory/1748-49-0x0000000000400000-0x000000000054F000-memory.dmp family_expiro1
Windows security modification
Disables taskbar notifications via registry modification
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3442511616-637977696-3186306149-1000 alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3442511616-637977696-3186306149-1000\EnableNotifications = "0" alg.exe

Executes dropped EXE 9 IoCs
pid Process
4244 alg.exe
856 DiagnosticsHub.StandardCollector.Service.exe
1336 fxssvc.exe
5028 elevation_service.exe
3128 elevation_service.exe
544 maintenanceservice.exe
2168 msdtc.exe
4340 msiexec.exe
3876 TrustedInstaller.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\R: alg.exe
File opened (read-only) \??\E: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\H: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\Z: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\K: alg.exe
File opened (read-only) \??\O: alg.exe
File opened (read-only) \??\V: alg.exe
File opened (read-only) \??\Z: alg.exe
File opened (read-only) \??\G: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\J: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\O: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\S: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\S: alg.exe
File opened (read-only) \??\U: alg.exe
File opened (read-only) \??\U: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\X: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\L: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\N: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\Q: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\E: alg.exe
File opened (read-only) \??\W: alg.exe
File opened (read-only) \??\I: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\K: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\I: alg.exe
File opened (read-only) \??\J: alg.exe
File opened (read-only) \??\P: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\R: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\T: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\W: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\M: alg.exe
File opened (read-only) \??\T: alg.exe
File opened (read-only) \??\P: alg.exe
File opened (read-only) \??\X: alg.exe
File opened (read-only) \??\Y: alg.exe
File opened (read-only) \??\Y: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\G: alg.exe
File opened (read-only) \??\H: alg.exe
File opened (read-only) \??\N: alg.exe
File opened (read-only) \??\M: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\V: JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened (read-only) \??\L: alg.exe
File opened (read-only) \??\Q: alg.exe
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\ldokpmoe.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\locator.exe alg.exe
File created \??\c:\windows\system32\kaddagfn.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\sgrmbroker.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\SysWOW64\ojkponjj.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\snmptrap.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\spectrum.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\msiexec.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\sgrmbroker.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\openssh\ssh-agent.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\openssh\dmmikakk.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\SysWOW64\alkghono.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\dllhost.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\msdtc.exe alg.exe
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe alg.exe
File opened for modification \??\c:\windows\system32\Appvclient.exe alg.exe
File opened for modification \??\c:\windows\system32\sgrmbroker.exe alg.exe
File opened for modification \??\c:\windows\system32\vds.exe alg.exe
File opened for modification \??\c:\windows\SysWOW64\vds.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\svchost.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\Appvclient.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\locator.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\clilpfbj.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\lsass.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\fxssvc.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\perfhost.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\kdliclal.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\lsass.exe alg.exe
File opened for modification \??\c:\windows\system32\sensordataservice.exe alg.exe
File opened for modification \??\c:\windows\system32\wbengine.exe alg.exe
File opened for modification \??\c:\windows\system32\sensordataservice.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\locator.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\gfjkbbhj.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\SysWOW64\alhdbjfh.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\SysWOW64\ljjfcbkc.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\diagsvcs\dadkbhlh.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\pbciipmb.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\bobkfgfb.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\alg.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\snmptrap.exe alg.exe
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe alg.exe
File created \??\c:\windows\system32\alcfndkl.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\msdtc.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\fkfhipcj.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\ijpbapeg.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\system32\tieringengineservice.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\iamhecdk.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\WindowsPowerShell\v1.0\okidohio.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\svchost.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\system32\hgjognof.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
Drops file in Program Files directory 64 IoCs
description ioc Process
File created C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\program files (x86)\mozilla maintenance service\ckagbhoe.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe alg.exe
File created C:\Program Files\7-Zip\jgpijieg.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\program files\common files\microsoft shared\source engine\klfclpfl.tmp alg.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Internet Explorer\dendjgfp.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe alg.exe
File created C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\7-Zip\lncjookl.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\dotnet\dotnet.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe alg.exe
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\program files\windows media player\fndmkpda.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Program Files\dotnet\ddnfppgh.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
Drops file in Windows directory 8 IoCs
description ioc Process
File opened for modification C:\Windows\Logs\CBS\CBS.log TrustedInstaller.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe alg.exe
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe alg.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created \??\c:\windows\servicing\hkniijfo.tmp JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
File created C:\Windows\Logs\CBS\CBS.log TrustedInstaller.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process
4244 alg.exe (the same pid/process pair is listed 44 times)

Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1748 JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
Token: SeAuditPrivilege 1336 fxssvc.exe
Token: SeTakeOwnershipPrivilege 4244 alg.exe
Token: SeSecurityPrivilege 4340 msiexec.exe

System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be8ddd8808afaa3b0ab13a746c001f20.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4244

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3128

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:544

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:3876
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.9MB
MD5: f5b1f6bb96617111a38c13f1702531cd
SHA1: d8c8da51a690c006353e0daffb7cd0eef857a42f
SHA256: b7570a0ace0db1a3ac6e6f6127c69b2e689348fbbf717ac88d6b0e1b2116a7db
SHA512: 8b48998525daf740e75e92bedee1024b536e6897fb60f50a0af94a691b11aa31b4f273ba83a2979346d04b907b0907aaf138327b01b292662f73c2f445b5041c

Filesize: 621KB
MD5: acbd7173fe5896235393b6a144d5ebcd
SHA1: 21bafc680a6f520bcf0cb9b7e2744a022cde0842
SHA256: 2adceb3db6c351a48a6ab619c62255a8139b72bfd0aa04293ee76349b5103c05
SHA512: f1e88e53b52467c53a0d9828bc2098291e9d5852d196dbd60756b93de6784c5f5904aca17439a8ca53024123f1d92cc1a312b472f4dd0ca0b910506ed4e68619

Filesize: 940KB
MD5: dc41c2017a2221f751be40de2f309638
SHA1: 5e497f6293926baf7d56ae78c98ce1e799c833a0
SHA256: f62ffb43b16ef667393939d43854f895ba0da2f1592a788259c7a75e72cc59f2
SHA512: dfcffd591be20f7d0123c4be23328297b7415ff8bda852f6a8b55d69c7600ba718fc21b86a52cc51c365ca3918d4da391f3ceaaed386305a6f361a560a198f7f

Filesize: 1.3MB
MD5: fb9cb2381d3d6a343fd6d9f07502d40d
SHA1: 9ad7721c499e0f4d1f23219b2b95263a6a574907
SHA256: 4948e88871de973c3c27292267a752fcddc16eb2511730b478578c037332920d
SHA512: 9f6b4d75dbe454938aafe0557e87fe161713cf561c884bcf5376444168709d151cc770547478b4d44cbd6d24fbdab7a39dff1930131bd2471612aff03aa80d24

Filesize: 1.1MB
MD5: f3a053966746d6c6b2f120ad4a719d4d
SHA1: 9da48dc706ce77fdd648536f4954e89c0338dcfe
SHA256: 44a395ce115dd92edf22e1f9cf6df1a5878ee7c1d98f0d64a9377947fe077707
SHA512: ea273d3b2512d8fa9c38b3c7ffb0692df35114c92fc5edcc79397fbc819dfcc418dc4d9e2b3f2ee7cd44ca2f9ceb0eb6da1b97da2b2c573c1077b13cec5a877f

Filesize: 410KB
MD5: c74e88747c3dfe5deb0e77170befaa58
SHA1: 35290052f2b6244327af25d2bb5e4e90008b3a4b
SHA256: a00729df729f8420a62d017a7d23b447524e9b2020f706a7da9c792d3f73ebe3
SHA512: 3551b4185746c011d1bce207421103dbe2adfd895e2c16713e8009e114c8cc19bf4747181e30f2489baffb5e523fdf44f562340228e7b6801bfdf06ab4b36814

Filesize: 672KB
MD5: 32418a2f9afc7381f1f535a953e5c06b
SHA1: 596b66525cfaa0b5a081e92ed764139cfb1a6a52
SHA256: 7e480dd14377969303b0aa19853f8ec68272197da9517f3c32393cc575454988
SHA512: 1a2df750ba26664bf87321ae6160572ac12c63510abc3283fa2e7bb30855b901fefa908df6b9892144b7d1651bc48cdd0b0b9b253b4cc08246271305f955d576

Filesize: 4.5MB
MD5: 33a45d93abc15a2e6bc469fcbb44e5cc
SHA1: 413f58f1ca46de13fe730ed1ef56f1616e83a8ce
SHA256: 75efea3119b551037ac46457f83e9f036bcc9f5a7a342b6378983adf884488b1
SHA512: 2564dbc0eb5e44fdeb56d92acf920e430932129015dc77bdc1686cfd0d91539dcb317c541f7cfe03568c2582227f367910b036bb7845f56dc6d041750a199c21

Filesize: 738KB
MD5: 04c23a31d4079ff5588f5145a1400ed6
SHA1: d4918e4a6827238f6c8104e8efd30a9764686fba
SHA256: 62fd4500ab53a9b686eec90889adf1605e4cadcd7c8d6622e031607778cfcf8d
SHA512: 0a80d17dcf3fd0ac65539533cec8a5d86822c7459c681ef7535b74874d12a81af7ebfcd75ae67748e6f71824a54b6b18ee99ed74df40243a5578bef9fd9659fb

Filesize: 23.8MB
MD5: 298e04324d7d77788cb138bb3ec03f84
SHA1: cc22e3772b3f7523ce09a18beabc5711e7c27994
SHA256: bc7efc727e42e8e9fdc5c3b0551ff2ca7256de4196efde2da341536d9559d46d
SHA512: 294cc2778b98d4a46a0b12bd7a8e1ffac188e715eeca6975628b3ba7b9e4c81b1ca67d9ab68b937cd22483b61611560febe4b2efb7d332c584674b7cabf9137a

Filesize: 2.5MB
MD5: 72d6cb803c4a6145c39e032ee622dd20
SHA1: 816d7d1355905cc9c7b8828ab28b047c9b5dccba
SHA256: 2915704cc6de4fa91559cf585a75639ce4000d0e06d24fe92e60fa724f382be1
SHA512: 3c4e68d94807b7bcecc8c9cae94fd6d1b60ac849780e42cdf0eefff60f00b198f304ec225e6f132515666f66a88bb301aafda54eeee162a3bbc7e4194ef7d829

Filesize: 637KB
MD5: 2b6730c8a0f859fe6389e3c38670f8a7
SHA1: 24b46ca2ee5bf3aaafa5cf98dcc3bd5cb6ef7400
SHA256: e146112a3d0c4230d1527a9c2321f6b48da23289bc93d6739566dcac04925cf5
SHA512: 60bfd02198f29084fb21912e58147e334a1e69d18914ab4da0dcb0bf6a25f5032348c4fc99fb81f0c47e73f1a605e93a679b9b9dc07a1e1e9bdf2365ae7a6695

Filesize: 2.0MB
MD5: b6a35503f75ee2991a818c7de6953065
SHA1: 7d19e3b4c303ddfc50b612134271653751754c83
SHA256: 36d75adc5874e2f8e2b4a8d6c44e0fe1fe6c35d1b29a69ea26ff40ba2ec7c3d6
SHA512: 4a0929f0eaef994ad85f3609ab0207fa8b0a8eb4acc67f61b70389f4a474febf16dffcf806bf7bf0c39f624c9932ee93c576179113068ed1cef6882e6255fc87

Filesize: 625KB
MD5: 528c2e9bad43160076cc8b69d8e3793f
SHA1: d54aaeced9cc87808bb0a39b8d7f2e07230a6381
SHA256: 71e4541369c481815829db792911aeff01d9625af1fd889e9eed852377387601
SHA512: 264af03f82a923146fc68c95ae74da15a63e2e6ace084e94640fff6ad03be9ef8113bac98eb5d0ec35b8ea79db83f0060f5e775d9cc7623cb92afa45fd98aaa1

Filesize: 818KB
MD5: 7a57e48fdef5d41f75ed95b99a151958
SHA1: 9b40004331867cd238f4d1177b4f0d7187c7491d
SHA256: 35bd1e29f93c6e9dea5e3b3d0e593e17a64cde2382914f548a82131f4e2e34b6
SHA512: 9d47116814dc7a0f082ce7c81b4a1f9f397e305c2504c38e487ec75630108e2912d8d12832ce85f62eeec27a16354bde7b2f18429dbbafd14958b07645c8d9e4

Filesize: 487KB
MD5: aa98b28c25da96c4fb6c530b60658b3d
SHA1: 21c92878c9efca04ad40ed6207b2c961ce52a8a0
SHA256: 4a6dc275d367c20e3c0faa69a2ddad21a7bb8b6bf1008858743e8224761458a3
SHA512: 3f21963aa4c2deca80d6d902c9582731a126efa576e564c64a8ec83746521b76f47a6f4230bbcedf4fffc00ff41c5f8d5c15ad7a47fd1b560232b2c59c035a2b

Filesize: 1.0MB
MD5: 4725ce5b6f8c6f2b24aaeadda8a85c35
SHA1: 9c3ec12f8737d5cc01eb7812ad28cbf544721442
SHA256: 071a70cc9821d05470df294e7f654b642b99f8182912060ee20deb09f7710c4c
SHA512: 69cfb290b68d100f770288ec5613c84b470c880d316d995ae47f9e03e85e252c1e2de327b30ad49383ca5f9bcfe3d7d6a86c96830e8d9596bc832ecb9390b68a

Filesize: 489KB
MD5: a628a1352978674537e0c60457328ad4
SHA1: 3901bdcb99fbd7550a71b512c3480214c1de9e07
SHA256: 8ecca38fd04191bb1affa5cf5de82124379e03863db10541028595d5278b87b1
SHA512: 3f85aea1cc016636b4f12735b3959cd9e639392c4d6c7813d6ec641dc7e85a6d0a5c130353d5d6d32bc575d40921ab4f98562ed49ca5c7af238c69865a32007a

Filesize: 540KB
MD5: 9502c87ef0f95116db6f3da2ab594fc2
SHA1: 0fb6bb0113aa89078fb1ee3192acded6c96d4e39
SHA256: 059d795dbfa743a6af0cf14bf9e3903c74aa05398f4c28cc93f9694359e30fab
SHA512: ed394ed2216d66ee31471a0fa58efa4baf3f2159f705b038ab82a766d93993e803b3eadbb09bfd5e50afaecec2b22edf629c809fadbac1f87e346fbb8c89f867

Filesize: 463KB
MD5: b1bbe33bffa5c776fd1bb70b6e3c45df
SHA1: b0ab6333717833f7186a4a0f6bc72f99f04e0857
SHA256: 395ef9bf462b49c56bb310258799893b4bc3e831f354ae2851f09a12a64c6405
SHA512: aed67cd6fd484047c4527fe607cc79b4c9341d0bfad7972edfa6ec20e0a7fd897c24317a63cc4896ec443c73a186ab8e7b5786d985b9d31b3bf639da9d9e5403

Filesize: 193KB
MD5: 805418acd5280e97074bdadca4d95195
SHA1: a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6
SHA256: 73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01
SHA512: 630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Filesize: 1.1MB
MD5: ba0d1c84cf13792ec729b02439c5f996
SHA1: f7cb01fcb7ca7a6f587ef4659dff55614892ac39
SHA256: 6e06d5298073810c1c7029cddace26c843b72fef4bb424779eca8fb0633a100e
SHA512: 54ae233a0d2e7d23fd297588bef45605adccbc7f3af8f780369091fd05dee04ccf51198317d4dfba9d11e3c4f64c7efddd8c0372525f999b3af5d2dd8c6472d9