expiro | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
Size

625KB
MD5

90180f284c1a5dc94ac94cae1dbdbfcc
SHA1

dbeb50c4cf66722a01bc391c225bb930354a3fc4
SHA256

39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf
SHA512

4109c76b5d8c5cbe1a096e6ecdba4ff4813991d8471c85c0ff75f70be7aa20afe35f83bbc4d2019a9ea100dd5d2654d773b637f84c1ba66d0144223f9fd50a04
SSDEEP

12288:KVt+w8wyv/f66WoJMDMz+jEcRm0gVVbXI4cvsnFiOk3CwgQ51:It+w5yvDJB+jXm0a5TnFiOk3BV5

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2452-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/2452-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/2452-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/2452-48-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/2452-56-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
4824	alg.exe
1136	DiagnosticsHub.StandardCollector.Service.exe
2648	fxssvc.exe
3048	elevation_service.exe
3756	elevation_service.exe
3576	maintenanceservice.exe
2512	msdtc.exe
3140	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3442511616-637977696-3186306149-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3442511616-637977696-3186306149-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\N:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\S:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\T:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\P:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\J:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\L:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\O:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\X:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\R:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\W:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\Y:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\Q:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\V:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\Z:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\K:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\M:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened (read-only)	\??\U:	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\pibjicjj.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\SysWOW64\oodcjokl.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\jlcmcbkm.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\fdpblqgh.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\SysWOW64\fgjlehhf.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\wbem\ghgiapje.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\fiokejik.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\ocecjljb.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File created	\??\c:\windows\system32\epabmkjo.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\ogelichg.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\openssh\ohibibhd.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\diagsvcs\qdeqbeco.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\iplebdlk.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\omhljmfl.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\afilkoqd.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File created	\??\c:\windows\SysWOW64\jpgmdnon.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	\??\c:\windows\system32\perceptionsimulation\agcomqcb.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\papfoeie.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe
4824	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2452	JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
Token: SeAuditPrivilege	2648	fxssvc.exe
Token: SeTakeOwnershipPrivilege	4824	alg.exe
Token: SeSecurityPrivilege	3140	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90180f284c1a5dc94ac94cae1dbdbfcc.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4824

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
77d53877e38e840faeee1819e7c63313

SHA1
a65fd6f0059e26814100fa4e5d4ec9c85b6fe749

SHA256
1dc1f663c69244891642b67186c8484577a66d7cce69d30779961699279756c8

SHA512
85338e1e134040a428e3a0d63999389f24aef5035dbe6f9278cfe5231116c8c26f941fc469d06d48e85d9dcd7ccb088d3765ec563b79557f13fd5a8b44fcfbf6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
eb94b33d513ee796fde52a364862a6f7

SHA1
5e1f46fef2e713c92497cddd67668beead70cdbc

SHA256
7aeae57677d9077046727cba578ec84ce6a410b2a9ec68c948b3940fc2de0228

SHA512
7697f068b01c3b98a85c5680332b1a2cb083882d2fd6a06b02da4dbe58d0ffec5ef9512e7ebc6d70c073847467a3eabd5024d57efb369acbf21c4c97954c2127

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
d37b4746a153abe6008218dec220f462

SHA1
a473b1701862c1c79207d7bb39291f3e37ce0db6

SHA256
592b2864c29fab1a80d6789ce9e647c59b23809a4323499a43e63682dc3c25e7

SHA512
5d64373cb70fe1acace04ffd8ab279ac74e28f0c415ba0355534082abbd9cb7609f537fab249a2af4e11ead0968e461c6fcfd2082a0220cebeba1f4ab873b714

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
ae644316de57b0c8bf380100fdf6201b

SHA1
8e0ed2070e0a948993a6a80a58d5ad2913430d06

SHA256
e8d59b85e7a5efaafc9a5dfeb62f0e876567650acc11d8925635379268b6d651

SHA512
d254be661526154c2c2e028371e53759d8ab674945124015408b6878e207c35293f222a8edc50384b7baf8ee1c026810d6fb42cb6aae761175138fcf5a8bb182

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
cf4b2a7fec07e59a61682fda102494a9

SHA1
8888ac4294f0e4299df1453aa02928261dd597dd

SHA256
3b25dbb38185eb6501a47022e579e9a63befbbf9217aa7a27b78e068bf50d868

SHA512
69f14a52e396cec44cd499041a80f14cf305a5a2405242d09846881e179dd1e86c9a8201eccd45d177a408641162c9599fdcfc102998247f832cb9b4ca36ec8e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
4e3d1b52c0977001b717300355b600cf

SHA1
e3615160362af023a082b00f68ae9981437cea10

SHA256
f7cd9fe1474a7e96cdf8029043d1641d76478b6caecb27253546e01d1e8e396f

SHA512
855c4cc6eb21293b02e1f44a8e46855497054e5d4af3b8279d9eaec89f3d2c9e8ee93267634d97ff7ea85f6be00a04019906f4b58a104c630338997ae5ceadf4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
ebaf6ab801a8bec40079f34477886c85

SHA1
36eea4c2c5bbb26327f4ec0f4c0c05831f167134

SHA256
59742c6b75db910ede74740bbd1f4acdb92e6a1b9e85197c21ec96609fd44011

SHA512
eceb94773f02f466141e9563fb00bd6d5c4bc3261e7097b3f20386700d5b279bd438ad74fc807d3ed75040acdd2ff6292207e16a50badbf4a59bcabac41bab5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
29d58cfec058511f5c97e5342d8aac13

SHA1
e8bfce0354a518e444c2397abe4700855515b676

SHA256
a477d3fedbb1cf10a251e05e7c2a9538fceffa463b430cc8faff19ee4bb9d691

SHA512
ad6f3edf5cbbd92a711c0fcc465056b6a7e66389a68df81e33f71958d8cd470ac69e81e582aa350ae676cb07e428babbf2f8e9763fc186d8dec79561081eff10

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
b95a3115be79e0a681e206df9d2a70f0

SHA1
646946a39585c2f6b2234edd60dcc8e2fcf512d8

SHA256
9661f8b126bb3e8f7450f6a41da24f5958cc48a44bc6c5ffeb40742a929c701a

SHA512
5081618735bf94cbc9eb5f47e49101aa9d534c8958fd1d4a6a7a363df46c0ce10b89ec73c47e60d1ffe5e6aeaaff1883f942f716cbd00790f0dfcf95f2663602

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
a14df0b641a9d2b9941d492749fa4744

SHA1
a126c239d21f0478ff61a601039faa868e1d4a04

SHA256
c147e846f372f5b696ced2bea6d03beb1210b04b890a54781f25b387cbafabcd

SHA512
b995a37bc8dc313bda8af0f174cc2d6f97340661d1b35a4169420dc1a3bf4ef61553a8734ef8da419865d65e1a84394082fba43843b4da9372c2c7cfaf9f7d54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
cd98bf3cf0569b3979037e8460f89245

SHA1
9ef80255655214f32685c42aefa33c39737237cd

SHA256
ae8d09070e85210d7d0382d6ed2b3c375d1c0eb80c0b75c4752db5aafea94ab9

SHA512
0760868de032a8c64497988e47b59061895e74e9dbb21ad57fba6f33d3602f344f3b1602df0937a6fda9572b7e86fcf68e3e5d95f3e2656bb51392d7f8ec49ff

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\hmbigdcm.tmp

Filesize
637KB

MD5
34df14bae73bac0de1928fb08e9578ae

SHA1
b78d72b861bf547dd79f016bd2b1cbf897ac0110

SHA256
e57e199f288087321734ad8ecfda340f869a346a2c6eb6a462ba478e34b0a518

SHA512
67fb8153e418612fee1b8eff6a26c20c9d0de4e45e62275a1028871032cafeb0eed709f391d8eedd8eea6de13d9eac5f05ab73408cdeeb8cb1ac1ba28ef784e5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
fe43823d6d00ff7e54fa22860617b004

SHA1
01842be08cb504e1307f0e4a968504244a88b185

SHA256
53b0cc022af5e0c778284a758f819ea93d489f7cb7970a6248150164c9169296

SHA512
1a33dc4e47a12bea21062d6556b967706951a5b63ab8eaa782de4917b4e05d9ac185b5edeeba0f5998c5c48c24c67cbdb7d82931d414e78531ecccbeba1f584a

Download Submit
C:\Users\Admin\AppData\Local\imrokafo\obheadil.tmp

Filesize
625KB

MD5
625953d27034c2a3540caa8ba36586fd

SHA1
50c0a0be69ab32488d266c38add0558ad0bbdc14

SHA256
28b02d73a3ef4c399e0f8b8adec67a75cf8e9ca685347509cb2a34c0d8185d02

SHA512
3a068ce4fe61e1b745943cd9264e91a54dcf4b349cb8ed23ff706681d49dca22d803d848b91688a1144ec73c4649c830515c37396d803003d46e210408968a54

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
72dcfaf69b9008984f0b2de0725bb19b

SHA1
03e84f8b767a3ef04446d771cfe77384efcb9f75

SHA256
cde86cd2619817d58d20d5452c2c0471b9e6ff3b05b7fbbf4920c785ee1fdd0b

SHA512
da3c207b192b9d8df4b8e727987bcfd250ceee87afa584d7a4105fec2bdec652c39911949c32ff5454d44a4a58cec86a549fb28d3ef6b3366c36df63e210509f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
d94d8981cf803267f33d8659a4bc04c5

SHA1
3e0a8924b34427a5126ce963260e8dfaa8ddf79e

SHA256
d2e63557cfa9957aaa7002d8a94954fafa0ea975769f0a115e4142c043043952

SHA512
32e554f65110bc1eb8051d711cb99bc78dd1836ffdd79a2d7a1e151e4cd5fe1f9fc452fb07cb30d96520de0e351921fe6c80517e9d2b50c2e857715f37cee732

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
d306f8423bccc8ffe58e5c85f2f8e5b3

SHA1
cca286a449aa13abef5bbe5c4168f7c3d856d0f1

SHA256
8cab5b036cfeba16b4daa11f5ef79fd23204455a144876b2cff7d0cc181e70df

SHA512
df2ed51ff70cd9dc13142e224388b951f394f0624d0dee397854896175030d8fa8baffdc15c59585e3c8ffaf4549eb0ed2fe13100cfc29eee02db3b7cc8546ab

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
cc5c868ca834314585833aa0c7a156ba

SHA1
42abc562d0bb8a66b1742edec9d9632a1d486a57

SHA256
ca60834deef833a1df04e6ccc362c4c53c0ac57ebc66bd9560e9f6dc29fc8972

SHA512
946acd8c10413972d0553e2c5a1f70d2a4b72a8e3b4cb7e2b48d37a1ae9b69a2c4174727358d4cb32d40314096f6744f5b49e63437bd710bc2833c07038a2a0e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
2c501a825e71dba065ca87ebcd89fa4e

SHA1
2c9c5cbcedd0a9650ba5e8359405a6b244a9dbbc

SHA256
7ed7975b3af95d406f033e725ce5ba2e5442c931b52a93894dad8b5295f4bee3

SHA512
4a1eaa194022df4032bd964ead7dc160d14dffcad9fe063278a7cb82f712df9cfbd5d137ea8ce600985e20e2acb3229b5f743db1eb2efc4f748cafa5d9cd529d

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
2da123cbc04f904f461f116c2577a2d6

SHA1
814ede8560b255893e840f03a681a9fef8c7c23a

SHA256
d553b89776fea4ab81345c6c8bfd39baebd52dd89c9ec37462bb1612cef61083

SHA512
a8f23f8853ae3c8dbc21dbb23a5cda39704785a43b765b17dea5c35415b089bed2aab5a79a71632936fe9148410aece9f6f881567e50f19457435fb17bdfa46a

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
2f1f3d3d4f802960be71fa9a09ad5a4c

SHA1
8e3bf81f5e7cab0dedc11e6eb2795f2ea5ffc4bb

SHA256
5a4809ce983ef792dd8f1f6a3b70a275df440dea1e63963923c58aa1b45fd725

SHA512
500c694196f03fa94ae1ecdd06effd69a7e94a73ea7f29312629d67e59a3f511f6af28f980fb1bf03ea728133330946a3aec4b2dd5f559a34ff802cd93f74c11

Download Submit
memory/1136-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1136-86-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2452-48-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/2452-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/2452-56-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2452-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2452-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2648-49-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2648-47-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4824-65-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4824-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4824-63-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download