Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-01-2025 08:48

General

  • Target

    JaffaCakes118_98a45327660379241334212650e4d832.exe

  • Size

    406KB

  • MD5

    98a45327660379241334212650e4d832

  • SHA1

    10b394bc2da0d74b8d13bac6c33c2bf3662a5fa4

  • SHA256

    5868296f7757e0dc11eaa223424b8f5293799314cfa4f56ed94d21490b61ff25

  • SHA512

    3e6671888143e6518d289c5f0a7b6c77d80192ef2587adab5e2f26e5d9780cf3e3247f35daa0e314d688f4039c65c3e04eb9b40355a93e45279ee22bc706478a

  • SSDEEP

    6144:CIzfx0tsmxGjd9suGjgIDhAJSbnVrw8/LppZ2oqIqOEhspJ:dfqOwGTlWjN0Qrw62obqap

Signatures

  • Expiro family
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98a45327660379241334212650e4d832.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98a45327660379241334212650e4d832.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2684
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4068
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2092
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    • Executes dropped EXE
    PID:4372
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:556
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4216
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    • Executes dropped EXE
    PID:4188
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    • Executes dropped EXE
    PID:3772
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    • Executes dropped EXE
    PID:872
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1876
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2324

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

      Filesize

      621KB

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      738KB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

      Filesize

      637KB

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

      Filesize

      2.0MB

    • C:\Users\Admin\AppData\Local\nmfpfpck\pbgklbbq.tmp

      Filesize

      625KB

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Filesize

      818KB

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      487KB

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

    • C:\Windows\System32\alg.exe

      Filesize

      489KB

    • C:\Windows\System32\msdtc.exe

      Filesize

      540KB

    • C:\Windows\System32\msiexec.exe

      Filesize

      463KB

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

    • memory/2092-58-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

    • memory/2684-0-0x000000000097A000-0x0000000000A0D000-memory.dmp

      Filesize

      588KB

    • memory/2684-5-0x0000000000910000-0x0000000000A0D000-memory.dmp

      Filesize

      1012KB

    • memory/2684-4-0x0000000000910000-0x0000000000A0D000-memory.dmp

      Filesize

      1012KB

    • memory/2684-2-0x000000000097A000-0x0000000000A0D000-memory.dmp

      Filesize

      588KB

    • memory/2684-1-0x0000000000910000-0x0000000000A0D000-memory.dmp

      Filesize

      1012KB