expiro | 5f2ea26e9e83ec7f5a1ab68a36c519dd88ec22af49a188ca056b85c0fd7ba5af

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
Size

625KB
MD5

9b6aa967050c2117938265bcb30896b3
SHA1

08a5525da893c3a8ea325761f926d8038db2072b
SHA256

5f2ea26e9e83ec7f5a1ab68a36c519dd88ec22af49a188ca056b85c0fd7ba5af
SHA512

e2b69e21942c16e6e3ce610634d3696368c445e168197e8752ff95587b4d5aea10480696a084b428fb524d0bb7cb1138c24e4073c8766f2eb25bd55d7fbc984f
SSDEEP

12288:TVt+w8wyv//66WoJMH4xBLc8A5N2m2gxRFTLxT4NH:5t+w5yvDJs8JtMHxT

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/4336-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4336-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4336-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4336-48-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4336-56-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
2136	alg.exe
4372	DiagnosticsHub.StandardCollector.Service.exe
4484	fxssvc.exe
5012	elevation_service.exe
1524	elevation_service.exe
2900	maintenanceservice.exe
2268	msdtc.exe
1256	msiexec.exe
4440	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-493223053-2004649691-1575712786-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-493223053-2004649691-1575712786-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\T:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\V:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\U:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\K:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\O:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\Q:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\R:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\X:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\W:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\I:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\Y:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\P:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\S:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\J:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\M:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\N:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\Z:	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened (read-only)	\??\N:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\inffmljj.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\bgongccl.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\jfcfljio.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File created	\??\c:\windows\system32\lehcobim.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\febjdeca.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File created	\??\c:\windows\system32\bbfhplhp.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\SysWOW64\ljkojdej.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File created	\??\c:\windows\SysWOW64\ampbeabj.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\aldflkgb.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\kgflojkm.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\nkdojich.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\system32\bniponaa.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\SysWOW64\cfijpgid.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File created	\??\c:\windows\system32\fkibflei.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\ipefaojg.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\pcmdimga.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File created	\??\c:\windows\system32\cdbkdnao.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\pdkgaedq.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\system32\wbem\dcadpkbd.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\dbcnbfel.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\jejjfale.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\niqgfdpn.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\nbhqlbkp.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	\??\c:\windows\servicing\lnoikami.tmp	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe
2136	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4336	JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
Token: SeAuditPrivilege	4484	fxssvc.exe
Token: SeTakeOwnershipPrivilege	2136	alg.exe
Token: SeSecurityPrivilege	1256	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b6aa967050c2117938265bcb30896b3.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2136

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3896

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1524

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
484dbf749d1aaf0f2fd4cd5d0185fc97

SHA1
47d71d60112d0ee1c25346df90085fa767c441b2

SHA256
6f6dc80790a97f3d53a35c2b1dad305a93eee980407eccb834cd104ed5da11bb

SHA512
e6c4c261354f59f2311c81e1ad0aa368324e1ef8e06fdf93396b216253a1e4b3543fae0698f8a4a123a3ba6d5e8626fa20c2efbcb418e7be044f6d2e8ba30e6c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
9dda5d0a94a3cd0794e35b4fa19a299f

SHA1
a609436c93386adf6007757b8b7a9f3d8be579a3

SHA256
b69bbd636edc79b79cb4298aa016510daadfd8cfa5a898b1052e42ae24b7e14f

SHA512
29f89b12c169178db2c8e7ec3156ee9f5194742b91edb4f5af2fe1fd009c48096acaa0f66ace5d7dadf7decfec1a2a7425754f450f312b5a907dfbe8c24d7cde

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
b64a83ec28a6b2aeed897b1118ea0f6f

SHA1
1074978b8e7352091e5ebbf2e44c6281f135b472

SHA256
ae43783e27553a1ee700c582e4e60dd811614949fd43a84ad9aea4159da123d5

SHA512
7aa51edce36103ada5d3c7ffd3c87b258f07227aa4449d48faa08d2bab6525db9f58d0536dcea3629ccb1a0e6d8440fc71eac4e23625b3cdd7d8e8da5773fe2d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
a5a120b692f4a626b1acc29a7c0b2951

SHA1
062356f99a8eedd7371ba5dbf7d817b03bffb925

SHA256
68211f934e05857ebb4a7b02bb6072ab4457fabe2b53f07eb899c0ed4ee1c5dd

SHA512
4628116695e2f64df791c5f5b8f520c9a64796be3a01e41dc2cc190687fc0fc9f9ffa41f1f8765abef261ea9fa11ff07ba1b3c3588d4ac0bf0f5c33fb024e9ef

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
3d1daba122c86760004e1f5aae6fad4e

SHA1
64f39879b67a04ad62f64c1e23b5b408be435b4b

SHA256
71337de41e3f61c37ccf16069aa081b9dfce442b98c7134191e4634857aebc7d

SHA512
790741c3a8ffeb5582af04dbdde99fb50dd084413bc4fd54bad8f356325154959c35af31d225eb73025ffcb4b0223036e1966a901bf295dba486e863330205bf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
926f47b2683f80723452f10cb3ed5137

SHA1
1386a39c1ae03bff2a70931f875faa1e5a654d2d

SHA256
daf6bfa92a192daa4de21f3cb0bd252ca8f92cea9a1106d23921a97bb13941c0

SHA512
71d3e07626f675b73a205d00d14e8466891cc95a43cbbf439b89237da0d402234759047817725e238d5ed2a5d9aa819d5b2cda580c1bb2b91af1a8687c6a213a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
d2b9f09fabc51fabbf736fb47af2f44b

SHA1
c1cc64f7664aa2edb56ecf991d229ea621d0ef75

SHA256
35c6776945eac579ae82d6816647b56f9e9140be7ded300a953eb80f6f2a41cc

SHA512
afec695aba93335bfd8a232782725c2c6a96e2862509bceb1c9b909fcaf29e75b3d4e00342d98952774caa7b2113bd84f1472c11017cacf703c6b5f87ca83fcb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
189da139c5bddcd93b1e739f9bd36811

SHA1
1544c85c340e961df687c5656371af0b98d66a4f

SHA256
235bed7ad70d047645d2e7c120cac46bb744b2fa20c3441efc9927a89f826905

SHA512
527d99afdfdde67ddfdd149725216d8a3ae905ca568c69f0c032c3a84dc3e2a541ff7537553f0c245cd5983f8147aec05e370b5abed68b84512f6319e8355bd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
7f4ab22e254f4efa51651e9232a77f07

SHA1
cbb91ecd1d4fb0be2eb039d1bfee08d392da8dec

SHA256
a6c455dc05f7a89dcdc27be6b642ffe0516bcfeeb173cdae326dc948d063b7f3

SHA512
b7f7b20b1df961e340b0cfaf5e7f1c7381a220790a5ab52bc2548ac399f4327089b06d8d85df453feeee487363cf1c020249d317c8dd0a67c7d0d7c6cbfab58c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
ae6f645036e059635841fb54cbb40ad7

SHA1
71fa63fcc6e955bd2a59bc0de8d72db85f7cf2db

SHA256
974ebcdb13b49d8176efab0cfa17ef41941553a458e389cd1cdc8d105e5ad81d

SHA512
3b13abf57a266d98f0380dbae0da2f7d4413a891c6745f9f18eba6da1d971719939151aceb84649a133fab03f3f6fa7c9e94b7e7fb5f2463ea06452eff25f4d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
c1a5c3c606a396516f4e0d20edbb396b

SHA1
ed9d00c2066074dd5c14db9561edf048a7402284

SHA256
1c81c24995a3bcad7846441d26fc2f10c728d4999b6cec4ee52e47cc2bea5845

SHA512
9272fea3269ea34d088469c82be21d00ebba55be63bd8e9a57e2f2989f4ddc88b232dd035182672d460d273d8c2fdc3b81dcca845b0f3eb75771cf83b4d7066d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\jejjfale.tmp

Filesize
637KB

MD5
552f5c40481f69cab7213e7fd8bc0122

SHA1
cc91942e1fd725a277512fe240ff7fb08f0e41a1

SHA256
9f69a8c4a1027a55f9ad95e9c942e659f1661c315d3a5e277937feff8e62c569

SHA512
8fc6f25b4e9e57add985556cae16a33a7900f7f6c9449bcc884ff8f8c7f3de18e9e65c391c7d22a2d4a5b90f3e53481699fb0ff2b1d37eee549a975f08a42b16

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
61054b8611ae4757c80a8cb6aa0bbd9f

SHA1
0f398ac52f0bdc9686ffa22c26d2477540148d76

SHA256
9cb8628b51873bdc1e31b30e33dfb1417b5fc80fef810e3c792e4bd81bae99a4

SHA512
4c8b094808986dbefc6feccb391dbf15d9318ca7233402ca862fef0e26d2714978b882a3ec0296b287e58e77e5a5c59c0fb524c904fd86aed59838b2298e9e62

Download Submit
C:\Users\Admin\AppData\Local\eoeadkcd\djbenmni.tmp

Filesize
625KB

MD5
0fd9ca060b61e10bdbd63c94aec43456

SHA1
5b605c08485a41f9d01286fb7927d35119857394

SHA256
932f837b5837c86a7af403b9601add97b59c4f6d5e3f16755c688fab41f7f819

SHA512
72bd4eee89977cb0bc53764c5dc15f6a61a90f47b97570ac5a70600e2c23503487b66ac1711cb901314652b9b1a34162299a45f7568f28a1d1eb61091a9488f6

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
bd8844a8c9b087e01e0e63ca34c334e2

SHA1
4ff44b17c899cff764077a240f1627a533a5f351

SHA256
a8b938aed3249fe42c277feecdbf36df71decdb7d24abc18a031a03a56a618f1

SHA512
d1d75b9346d435f91d8b5731e5464fb665269d20c5ca15181fd87c624efe41fb0c0a2b9c17c4b5b838d7da30447db25390867e3c3b3525980705352c469321b3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
21b61609bde454593303a76972efbcd7

SHA1
36e884f1b98f622bf4f67c2b279c5fa89621b66f

SHA256
0cb2b6b48aa38736b53774e177b7882eda22ef6543d7daad40f8ff108f569428

SHA512
1b39a9cab458f4968fee9ab619860a66b4ffdc86dc5add15732c1cf4211cd329e5e48057df959a38c0b1e25c0f93e1c84bbc571c358e8446086d89df2d6d68b5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
ff9310d5432a127e872d4780eb702a79

SHA1
cf8c819fa5720faf16d9b464a4cca73408555764

SHA256
7c0f0fb85cdb49b11d031e01ff0392c6ff7a87fb8b72e65f347094dfcfab00a3

SHA512
d34ccdd23f5b887ad1d4f33a7691c8d8cfa83fc0ecc75f68156427742c26e81dc2204130f193551f428abd7e2de1ea701cd037f587c3188eb7e10e28e851584d

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
c48cf10cc1af7928c846b2c68f540072

SHA1
ce774efaad9d3b604dcd19f5050baf43d4aca455

SHA256
035795f5c50dbb55caf985ef5441c93599b824aa002e28c34ed3454d8ab73957

SHA512
6f3991524872f7f0f9dbfa716f8f650c0e40a05915a382f0225411b28acc14987d8b5dad3b14b5cbf628d890520e5b8176c86b4e5a8759942faf465ee77df9b9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
8c9d42fdb37a348d7aa7abe07c1ca1f2

SHA1
2283a81919ed956ebac9be311433a4a2d5316bd6

SHA256
4c7d0da9a00b5bf172d9b7e774a3f832cba35b9b5c4ff7119cf2a4edb5f71bb0

SHA512
34e72a205d1bb87b9549a6cd1ec83216ac3b6526178ee0401e6e010458c1f9539ce90d596f36b9d1629613b546790381e3663203f20a1fe6caa4796fe867dc39

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
36d3af5a7593988675ad87cac4a0e382

SHA1
016b703ca2415c589433c7775c411a29296ebb8e

SHA256
cdc771d678fdc39a487b5f087751f574a21d4be270f2a024c973b52e52fe9041

SHA512
4a10f6893d31a97cdfdad9f668209c42a903347c13247a06a69a284b8fa05785f908c2b3d45136b664556e0bb241e4a121ea3b8d3833e2d7e99643ec39c26299

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
f1d84be71c3d965a55cc0891594c26dc

SHA1
e112347b0b9886264a77ad5b73912affd37f526b

SHA256
cb6e8e1826f6ba95a2e3baa3bc086b05e63c85c58ce81eb21deaaebd9c93344b

SHA512
dbdee7d04cbf97872790a7ea807c61151b81c6ce103c73143439f8bfffbce44dad121d323dc26fc0454137495c3fa22e41b37f0a819cfd22a5a7fe982a6f0fe2

Download Submit
memory/2136-65-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/2136-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/2136-63-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4336-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4336-48-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/4336-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4336-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/4336-56-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4372-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4372-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4484-47-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-49-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download