Analysis

max time kernel: 150s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-01-2025 20:49
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_bccab3ec0142e2d6202a7ff742b9f974.exe
Resource
win7-20240903-en
General

Target: JaffaCakes118_bccab3ec0142e2d6202a7ff742b9f974.exe
Size: 406KB
MD5: bccab3ec0142e2d6202a7ff742b9f974
SHA1: b1ec299f56e41819fc499ef803936dc006d76fc5
SHA256: f43f6816a7f41e45e2b822b6446ae70ee48b417e8d3399373d997dc226844022
SHA512: ffd33ec300dab8e924900250c62885b9b2a6291f931fadb8535cf65b08db9b4d0de05cdf2a333d795418f774270d144e87d1a3b898c7a9cef6385e0d1ccd17da
SSDEEP: 6144:rIzfx0tsmxGjd9suGjSIDhAJSbnVrw8/LppZ2oqIqOEhspJ:SfqOwGTlW5N0Qrw62obqap
Malware Config
Signatures

Expiro family

Expiro payload 5 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/1876-0-0x00000000000AA000-0x000000000013D000-memory.dmp | family_expiro1 |
| behavioral2/memory/1876-1-0x0000000000040000-0x000000000013D000-memory.dmp | family_expiro1 |
| behavioral2/memory/1876-2-0x00000000000AA000-0x000000000013D000-memory.dmp | family_expiro1 |
| behavioral2/memory/1876-4-0x0000000000040000-0x000000000013D000-memory.dmp | family_expiro1 |
| behavioral2/memory/1876-5-0x0000000000040000-0x000000000013D000-memory.dmp | family_expiro1 |
Windows security modification
Disables taskbar notifications via registry modification

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2878641211-696417878-3864914810-1000 | alg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2878641211-696417878-3864914810-1000\EnableNotifications = "0" | alg.exe |

Executes dropped EXE 8 IoCs

| pid | Process |
| --- | --- |
| 3544 | alg.exe |
| 696 | DiagnosticsHub.StandardCollector.Service.exe |
| 1676 | fxssvc.exe |
| 1712 | elevation_service.exe |
| 3816 | elevation_service.exe |
| 408 | maintenanceservice.exe |
| 4132 | msdtc.exe |
| 1760 | msiexec.exe |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 5 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | JaffaCakes118_bccab3ec0142e2d6202a7ff742b9f974.exe |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | alg.exe |
| File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | alg.exe |
| File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe |
| File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | JaffaCakes118_bccab3ec0142e2d6202a7ff742b9f974.exe |
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bccab3ec0142e2d6202a7ff742b9f974.exe |
Modifies data under HKEY_USERS 5 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe |
Modifies registry class 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | OpenWith.exe |
Suspicious behavior: EnumeratesProcesses 40 IoCs
| pid | Process |
| --- | --- |
| 3544 | alg.exe |

(All 40 entries are identical: pid 3544, alg.exe.)
Suspicious behavior: LoadsDriver 2 IoCs
| pid | Process |
| --- | --- |
| 656 | Process not Found |
| 656 | Process not Found |
Suspicious use of AdjustPrivilegeToken 4 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | 1876 | JaffaCakes118_bccab3ec0142e2d6202a7ff742b9f974.exe |
| Token: SeAuditPrivilege | 1676 | fxssvc.exe |
| Token: SeTakeOwnershipPrivilege | 3544 | alg.exe |
| Token: SeSecurityPrivilege | 1760 | msiexec.exe |
Suspicious use of SetWindowsHookEx 1 IoCs
| pid | Process |
| --- | --- |
| 2956 | OpenWith.exe |
System policy modification 1 TTPs 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | alg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | alg.exe |
Processes

- Image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bccab3ec0142e2d6202a7ff742b9f974.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bccab3ec0142e2d6202a7ff742b9f974.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 1876

- Image: C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 2956

- Image: C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 3544

- Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 696

- Image: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 548

- Image: C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1676

- Image: C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID: 1712

- Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 3816

- Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 408

- Image: C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 4132

- Image: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1760
Network
MITRE ATT&CK Enterprise v15
Downloads