expiro | f9e6aca558b24c4b2a16b278f47230b690d7470ecd0744def8b9a9a55f9936f7

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_96f0f4d1b7bd0c6b437b767ab163c214.exe
Size

626KB
MD5

96f0f4d1b7bd0c6b437b767ab163c214
SHA1

9490e88cac121f9957d25d9ddba482986165f7df
SHA256

f9e6aca558b24c4b2a16b278f47230b690d7470ecd0744def8b9a9a55f9936f7
SHA512

60b5f906aafcff26b7964bd41d9fc4d9c6b758c6d6f7da1f0b6fe7b1ee392485dc7825237736098c726bc17271bb52116b17b540f936d5efe1346090648d996b
SSDEEP

12288:GbDVP4WA10GpzCd4jNOGiirOeCUncfF2v9rjpthyr6qKGc4sBOnxX:2RwWA10GpzliirUUngFs1j3hyWWcC

Score

10^/10

expiro backdoor discovery

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 6 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2092-0-0x0000000000C6C000-0x0000000000D00000-memory.dmp	family_expiro1
behavioral1/memory/2092-1-0x0000000000BB0000-0x0000000000D00000-memory.dmp	family_expiro1
behavioral1/memory/2092-2-0x0000000000BB0000-0x0000000000D00000-memory.dmp	family_expiro1
behavioral1/memory/2092-4-0x0000000000BB0000-0x0000000000D00000-memory.dmp	family_expiro1
behavioral1/memory/2092-5-0x0000000000C6C000-0x0000000000D00000-memory.dmp	family_expiro1
behavioral1/memory/2092-6-0x0000000000BB0000-0x0000000000D00000-memory.dmp	family_expiro1

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	2092	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_96f0f4d1b7bd0c6b437b767ab163c214.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2092	JaffaCakes118_96f0f4d1b7bd0c6b437b767ab163c214.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96f0f4d1b7bd0c6b437b767ab163c214.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96f0f4d1b7bd0c6b437b767ab163c214.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 220
  2⤵
  - Program crash
  PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2092 -ip 2092
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-0-0x0000000000C6C000-0x0000000000D00000-memory.dmp

Filesize
592KB

Download
memory/2092-1-0x0000000000BB0000-0x0000000000D00000-memory.dmp

Filesize
1.3MB

Download
memory/2092-2-0x0000000000BB0000-0x0000000000D00000-memory.dmp

Filesize
1.3MB

Download
memory/2092-4-0x0000000000BB0000-0x0000000000D00000-memory.dmp

Filesize
1.3MB

Download
memory/2092-5-0x0000000000C6C000-0x0000000000D00000-memory.dmp

Filesize
592KB

Download
memory/2092-6-0x0000000000BB0000-0x0000000000D00000-memory.dmp

Filesize
1.3MB

Download