Overview

overview

10

Static

static

3

JaffaCakes...b4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2025 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_9ecd412f605a3e0e5e659d3b4f8f01b4.exe

  • Size

    625KB

  • MD5

    9ecd412f605a3e0e5e659d3b4f8f01b4

  • SHA1

    aff493179d0ce163d58ad38a83f8ed8ac4a14d70

  • SHA256

    8c03c5e1a08e28b3e57c6d109739c452ce95c68703497681ed85de7ea82df6fe

  • SHA512

    ab78b29480199cd2bd3497f4d11138fb218f3c0fbbe416acb1e2b66c09642eadf055898004ad054316028395b38e1ddeff6f07eb5f975c54a48b4a9f67996a2b

  • SSDEEP

    12288:fVt+w8wyv/G66WoJMZZWj8E2wYRTrYYQKQ:Nt+w5yWDJoWj8hNV

Score
10/10
expirobackdoordiscoveryevasiontrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 5 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ecd412f605a3e0e5e659d3b4f8f01b4.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ecd412f605a3e0e5e659d3b4f8f01b4.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1756
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1480
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1556
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:4300
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4160
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4180
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:2336
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4772
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\servicing\TrustedInstaller.exe
      C:\Windows\servicing\TrustedInstaller.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:1728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      1.9MB

      MD5

      bb6fe4bf576b30dc13ac2314e95ccdc5

      SHA1

      e93db6e99bd8ffa098ba0bdac9ed1313f3fed3c7

      SHA256

      678d2986ce058ef5db14ee89d087530b5b0bfb3c861df9248250c21b7f2d493c

      SHA512

      193d706ce107ef694078df4d0174983e4e71629d287a3a42abfd6d1883fe55532cb5edfb4e38938a46b4550a33f051fe17584bfb06a349dc34aa41c54567f4af

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      621KB

      MD5

      b1fde5c39ebfa605e47e914e4d7b83b2

      SHA1

      9075556297ebe5064ad04b6a75da0b3ce0a2f600

      SHA256

      a1c9513f4e357aa3752f564029a92fad6f223829deb90c9cb4d09a94bc520d08

      SHA512

      95730ecca07ab1d62a7e6e5db209021b1d655a37cc81a318da3ed7acc18d3c7acf744cccbffe26642ef2b2717adc6315d7bb301c2c61efd03299df868b444ced

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      940KB

      MD5

      669b18d7e00cbdd7f86d401467dd1e79

      SHA1

      961ed652e5894b1b8972ad91f460164262d4a7dc

      SHA256

      e75f48a67738cc2eb4e106c027cc8e3fb304e7d3558a801f1fa1d54186645bab

      SHA512

      e16243deb9151a1711c6583ef6d1679d48d07c7c121a18d637e068d8518b6a81c530e5b61d2efd839c03bda278285cb312450859985c6dca9e6348cec60b27f1

      Download Submit

    • C:\Program Files\7-Zip\7zFM.exe
      Filesize

      1.3MB

      MD5

      a21cfa56a9b099ba4c8b3f8b76b8fd82

      SHA1

      b1de5924aa72ac8c6ae29c02f557e995f1e110a4

      SHA256

      a7e58fd22769a6fba63ccb069c7386e4f95b8459749be0fbd6353b3835b75f07

      SHA512

      45712055515aedcfd9670bbd629486233b762c0448d1a82ac034823fc3056b4ad172ea8e9d27703cdaf2953770751927ca6392bfb6ffe05416098634f1db8ef8

      Download Submit

    • C:\Program Files\7-Zip\7zG.exe
      Filesize

      1.1MB

      MD5

      9abeb586bda66450d9dc0e6339196fcd

      SHA1

      8171e51662ebe745366bc3eb49de60ef9bb00802

      SHA256

      1ea217d23199121914fb7353a6b16890bb2c3227db7e6293c8adfb7176f99f97

      SHA512

      d10c74fa1169685e80b834eda619c7a13514733df5c9502e01300f738d82e91e00db8b007a4ecdffcee92a92bc922737af3ccbc16a6046d1f016491a19bb1368

      Download Submit

    • C:\Program Files\7-Zip\Uninstall.exe
      Filesize

      410KB

      MD5

      c449c106910d57b5b809fe31d8a35cd7

      SHA1

      8c974573841306632ed0d2700e3c888acae870fe

      SHA256

      5eb07cbc130d1e53cf03a06e14deae0c3aca802337d21ca7e90a15b593096153

      SHA512

      1e9be9368c220f4b9993b1922561074f9d64090086ddc5bd1c0a7e9c7e3802db9398badbd7171022f72241a2866bfa17ba421f27fc2904d28be466174c9b8144

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
      Filesize

      672KB

      MD5

      5365fa406d711393dedf28dc60176c7f

      SHA1

      7fca5f00ea549b4e6e8a142ca9ec5978a7bba207

      SHA256

      488fe34265f04a8de8bdc60c0853d4a5dee7b5d44654d0e11d8db4a5cd1bac15

      SHA512

      821052a0f9f7e477170b1d3a36821dd353dfba296f1763714a5ac4b07d3e97bb0c682730faca3d78e1490b4db0c83d8af669d3715053f457b1cd683ee80e22f3

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
      Filesize

      4.5MB

      MD5

      ea45e01f605f327cf2772a9eb6f080bc

      SHA1

      afeea69e714810040bc3431f638691cdddbafee3

      SHA256

      317ee219c367fa6e8ac1fb91c8d8ff0433c7f83e0d4cda722d2d145ef24ebe13

      SHA512

      937d6a0ad3f0272a4dbb3b6f6ce315337653a61e317271484a4116c226fa58b2287f899ff03af8853664e156dbc87ef32e70c530a5bd6acc88a30ccb74632931

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
      Filesize

      738KB

      MD5

      931d1981051faf0445def9733fbf532a

      SHA1

      89cd3ff3e627306237a550bc00c3907c4a6c2fe7

      SHA256

      ee61b0727c2a0523e8b0ead757d8847986d89a25d39bcdd3a6ea826fe88afb74

      SHA512

      2d945357a0bbdf510b202850456c0fb4294cce59a940ddfb827982d18da3e4c0b8d824a34c982b2c3c6be30639c32ef9cf2f9be49e2ad7c9d28177bad9756d11

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
      Filesize

      23.8MB

      MD5

      84238632e65665af92c79837e40cf143

      SHA1

      b994c83ee6263b4f9264ce4adfcaff9c33ebcc7a

      SHA256

      4501c322e6dd5ec1710d8f8029ca9b0793b16fc1aa3c0c020ff8df448b7d73e5

      SHA512

      123db3415e4643620cdf12c695ba3ddefd95054f80ae68576cd74eade908795030644a98892b07b295dc812fda46694cc7c03b70d35d68bceb03a745a4132780

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
      Filesize

      2.5MB

      MD5

      7c27b1f5e1632ab5ad7d1e84e0e69b0d

      SHA1

      33d1514fe23d5439429f66a39e7af0f0863ed8b6

      SHA256

      c55b660507cf3344ef4751e7873e7de5097aa4ce1d14db066ace043158dbb638

      SHA512

      7bf21f9532d2e07a687d42c0c7c13cc5bd33158eaf68fe86064061db79d3e219e87689831fc57577fa40e65a6168e3aadafdd2c7d3e09a6845dc85aa2960e50c

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\ggibochf.tmp
      Filesize

      637KB

      MD5

      518d60073667aaf7fb10f74fe692141e

      SHA1

      5b190eed0ee8e2477965888794e851a5a7eae9b1

      SHA256

      da51600a77eb2fca01582a1f5991231f25c4b5229d1699fe9d09da072f346919

      SHA512

      74d68fa833e1101e77be3dde4263d5b9e94a908d6267163b6c139b7e8d7edf9a8e90ba1f0e1c0f6bcbbedfc9cb18b08b5d854522653fb26e688715576658c2ce

      Download Submit

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      Filesize

      2.0MB

      MD5

      33af68089d289cf996e86a40818885bd

      SHA1

      6d3eed363eb0490186ad096fb95ff2ce18009af9

      SHA256

      603fd46a45ebd98c9ec811897d4d6fa4368970d6d23c44d65b71ce5e1798c855

      SHA512

      bb38685d17fb20b8da8dd52cd150cad5a005987e2810e2517a7bcd4c367922fda0c8ecaf856d02d01ddafa50a56c0371db6abc8606cc31bebf79a241b7631272

      Download Submit

    • C:\Users\Admin\AppData\Local\kbkknajm\lkpqcmbp.tmp
      Filesize

      625KB

      MD5

      955a5b61ec1847e06ddd539c9ecf396f

      SHA1

      28230096829beb859ba40daeeed0197c70af4b29

      SHA256

      24ecbf4b5d5a251c85c9bb8000bd477448348aa451bc4f97cc545506f3c2c6d9

      SHA512

      0be405292c40f6c3d0b13e72529c6a5cddcfe46f503ce53fd139ee670b8472b57721845f1df8e61a19e8943ee5c2a54ff1d9c2eaa529a89778740b9af376da8b

      Download Submit

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Filesize

      818KB

      MD5

      a093934ff89d81f1cb26c3d27d920da1

      SHA1

      f783153f4e98bebae92e0b65d07f5528cb1f5b2f

      SHA256

      fef254fe35d7975e5e2b98d309767daa39f9301a8238eed552000e99da001a2b

      SHA512

      d501a10f570770e03130f33a0807e93193e7d4e7355c9936a875103942ec7a30813a091c07572ce5befe05fce4c59b7db1cd38716985443be175a810f47e437d

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      487KB

      MD5

      eac68c0cc053ff062949c4285bd6eb43

      SHA1

      574cbf694175657c75d3b5ac1dfb91c1c3e20874

      SHA256

      c268560d55a1a8bfc80338aaac28f11e42d5adb7af55ea47f6717da1cb3ef45f

      SHA512

      8c520d6635e8e95ac09ceb69af2968a0c9eb9c0fde6e0ddb558333725242387ff9a5985f153d92107658ccfa448183a66555b4e17e9442a94dd00b3809f2858d

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.0MB

      MD5

      e47aa53c54ae2abde269a70ee8c4891c

      SHA1

      b60bace3f34932e7e5b617dfd14d724a4c87773a

      SHA256

      2b613191e3f383dfd28e5b7250216a2779b52a9360237931cc1599121954fb0d

      SHA512

      5d4f254da24ff39c7b376f4f7e8d56567c26a05c94e46abe188121522eb35f5936039af9a5191fcdd0b5109b15204cf33978d79fbc43b7b826e1bad66f333bd0

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      489KB

      MD5

      dedf3f0faef6006063c92a72b4bd7727

      SHA1

      db696aaad8fd8ef0467475b919c6272ba6adf3f0

      SHA256

      18747656b42e19d1c5f44f13dbd8574d36ccae4dc430091b1ccbb29f00cf2209

      SHA512

      f2b3e63830f77c03c2a0e3a572618a2f76f8134e7982642d082cbdda8b25ad5443d82b780dd413808433a1e6f4e8d4fe0badf7b3eff475728517b5ed28b8bca9

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      540KB

      MD5

      4a325f5b4d238465fbe9c8faa9ec2719

      SHA1

      53ef9a9d427317bc67a91abb242b4c96363788e0

      SHA256

      a3637993024348265a27818e876a805fe949f91db937095356e3052aa54e6ac8

      SHA512

      1a6287114a2cfbaca7ab1050de97b9a560260bd66232fc97c16434ea4461c5c4f18c02e96da249fe9e84772cef4e87d878a122c5292000390025e2997f420b0f

      Download Submit

    • C:\Windows\servicing\TrustedInstaller.exe
      Filesize

      193KB

      MD5

      805418acd5280e97074bdadca4d95195

      SHA1

      a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

      SHA256

      73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

      SHA512

      630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

      Download Submit

    • C:\Windows\system32\msiexec.exe
      Filesize

      463KB

      MD5

      b0a651967e353875e811f4a0bc8c887f

      SHA1

      8a4e7792f515bd333dbd70d6eb9a825a87ca5614

      SHA256

      7234377ed80bb8a2e9288ebd19474b32c40c0f15360e3060f8af637939121785

      SHA512

      7577d66479edacd79fa66e7b125039fd669a32175b2b0c2297990f30385d4038c9d5c6b3e393fe321f242ed9781cf45059c386c23635cafb8740ae51b60dc231

      Download Submit

    • \??\c:\windows\system32\Appvclient.exe
      Filesize

      1.1MB

      MD5

      af364187afdd1681bc4dd906518ccbad

      SHA1

      7a9d7b37f529bda9a2f94269514f883405cf5353

      SHA256

      2eed26b0337f403bba5e10f71646162e9d19f164b5639ea5a53b49a1ec1bbf80

      SHA512

      ee80a11826376c7f058d07f886a9d84489a43f0ea9b4be73579124c2ede9f17e2e3b359d6392229442dd6f04def5550d03aea7ff782bb3e7fc60792c377a4101

      Download Submit

    • memory/1480-65-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1480-63-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1480-23-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1556-40-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1556-80-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1756-48-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1756-0-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1756-56-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1756-3-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1756-1-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2248-47-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2248-49-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download