Overview

overview

10

Static

static

3

JaffaCakes...52.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2025 21:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3bfece7f4ce0035fd1899738f0ce1252.exe

  • Size

    816KB

  • MD5

    3bfece7f4ce0035fd1899738f0ce1252

  • SHA1

    c5a03e834a05c00960147c372d25ec13acbf6c8f

  • SHA256

    9f746b051f80eed711b36e6f6b3d2f9eaf8c70443772adc60ced7d75333150e8

  • SHA512

    ff5f9c90854488c4da6d7a17e4ce6fe8d5d2129673448e1914ca689f0db80ce150b0471f5d1062332261c52e906e6386ea0d85cace3bd290fd35e2493ea2c195

  • SSDEEP

    24576:cJW2KjJ4Td3kJnbsPhnzqkHluVwFdBmkiO7Sq:cInJ4Td3mbsPhnekHlmwF6G

Score
10/10
expirobackdoordiscoveryevasiontrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 10 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3bfece7f4ce0035fd1899738f0ce1252.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3bfece7f4ce0035fd1899738f0ce1252.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5040
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:3756
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1456
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:5020
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2432
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4924
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:1196
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:3928
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:3408
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      1.9MB

      MD5

      c2f5b16e76deb39fa5a8447e59de0a29

      SHA1

      d9bf8dab49aad16c63a44ab4386224ffeecbe2ef

      SHA256

      755ee6f1195dbc678896c8b712c6fa2f657a2858fccee9e256dbf57a880db50e

      SHA512

      c3a020eac5c7a3f7b73345dc529ff6f8846f3b7305280162ea88b8964e0f5a93ca189e8c274e1be04a9514d694facd21f2928d4fe7f0a6214baa63efe9bee1dd

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\nlbcccph.tmp
      Filesize

      621KB

      MD5

      e7e92057fd910bb5e97527d745ce5cb4

      SHA1

      a4c80b76f961bdec71194d616c834bd41f7a019d

      SHA256

      fc993f22dab3139d74eae461bef02f2a505d65702b3ec29bfbc87439c18fb760

      SHA512

      d73c1da740d4d99c4ea49bbb9a8b0ef330702b62bf6f7f887872dabf35adfa433fdabf6a69566d3aa335cc73c361e5e9e6247b1a41c9f77549f2578e9829dbe3

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      940KB

      MD5

      646e97a25a2ccfdd53fe2519a6190ea8

      SHA1

      255c9994ad40a86ce1da48db4fb7b6caf35eba7a

      SHA256

      8a12fd46e780e2a95a56b29332615ab6f20e89bf0118b7bcad3e7109f02e6363

      SHA512

      5b0406819f7e1391912480940d9fcd9f8b342ebf8160db5bd170bfc9147f43bed6f40e6115fd938122da21c1f3824e9b7a00f0e3a66bece20af5c2fb87e97773

      Download Submit

    • C:\Program Files\7-Zip\7zFM.exe
      Filesize

      1.3MB

      MD5

      9106d01298d73e02cd7ccf74d873e5af

      SHA1

      37cb099b28d156b61023131f17f22cdc11c99595

      SHA256

      9f7212ab70202936a3d684e650ec08bd71312285bbd23172082bdbcfd09aa54a

      SHA512

      ce5bfbb0cf33fe74f3ed2b7814c7cff0a97149948e5d970b24e20e8f307ae1c7c48cb53580594e1f41ee849a49130ba58fbee8951f5df3501a0c342ca2606d4e

      Download Submit

    • C:\Program Files\7-Zip\7zG.exe
      Filesize

      1.1MB

      MD5

      cbeb85030cec65decc45f7c9460e3421

      SHA1

      3c65bda1cf43dc0b76ec28efe700ee8f7dcecb44

      SHA256

      f68972db887813d4a82735f58d24bb91872428d34d1cab78e11a2d3da507e824

      SHA512

      4b97ea5f3b6ff22345b6a18855af2dd5a80b5fec67e134de8bbe96bc478367f2566b6b8c66f91914f8923931c7b0d7336c5963dbbb83a60360622ef42cfc518c

      Download Submit

    • C:\Program Files\7-Zip\Uninstall.exe
      Filesize

      410KB

      MD5

      2d63d5a31f68c965782f6159a63e815f

      SHA1

      1e93b10815f6f1bc8a9b195beabe61af9fca1813

      SHA256

      68279fac8c635938f320586e1c602897f2e6d5c65697661b3842fa2e32bfcaec

      SHA512

      a05918d9ae8e578099f2ae950650096929364c1b2b759094c1eb814417fac313e239c53d850a7596e055423c9ab94fe8bab6f39fc7f97eed2907427d9bbe771d

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
      Filesize

      672KB

      MD5

      2db392fee4bb3332e1528b04c09da368

      SHA1

      7ab95e6a038a4fb7f426b2ee2f26b7ed6a52ab9b

      SHA256

      4658823ee43795627fba1c11aa0fa3ec331ad3a6f4c2dbeaef305e7ba34583fc

      SHA512

      8a00ebf48907124574ad1b37292c4ddbb8221cf5bb0091197f19c5a71fa7ba094d44b0e600d692c0ee2f440cf7c81cd3d1bc90c394b2eaacc40966d060b8a310

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
      Filesize

      4.5MB

      MD5

      bc5c5e8ba32d0cd7b757ccd5cb1e858d

      SHA1

      ac15b0caa04d36ca6db3fb04bf6952ea8fea810b

      SHA256

      b1631cb88dc64eabbf0cef474b916966e261a6eb45fadc69d9159123cb36741d

      SHA512

      535ff3a76ee84d5d0fe7edf8fd0f1ebe034d15804c46afbd38d2f4c3d2b7e2b4d70535c79a1cb4e598b488e4f0d4add1c94d188cb59143dcf8ac04d68c45b727

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
      Filesize

      738KB

      MD5

      9b95da6efd27ad9269593693ed8e465f

      SHA1

      9b9418528290e6126e519eafc5ae2772a105a455

      SHA256

      ff32c90363f2835f934e76f8cbbe0f7d3081b076faf061dc43006dd4c346e4d9

      SHA512

      9355f97fe2299d2f5c8e53884ffa89e5c73bc4bbd42f833131e08ffbb87eb73aa785153067217528573ba3d8de9ccee6820c1a070f51637101220f34d5fa86bc

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
      Filesize

      23.8MB

      MD5

      ab91bbb01bab487884828b67f9fd85f7

      SHA1

      3e2ad333f72df6438ff63ac91f9801ee5f167f00

      SHA256

      ec9c29cea191391b35673908774695632ee89d4acdf78c06e9888e0ad20b0d5f

      SHA512

      67e8bf4fdc458e0fbcdd3e7f1690f746d8b0ccbb9d7af4b6a611fe144fd6f2b37f2f32a9ebee6aa03e8105b57449825c8121d551a2d51b24e12c4f76edc291c2

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
      Filesize

      2.5MB

      MD5

      26cac7c8331f595ec4f55e6b2158a605

      SHA1

      8e9164ba9c49b5c5584504c635faf2c6d933db16

      SHA256

      a0ed346f67c817714dc6069d4beaccfc708b49dd8f60b638e246f5246347b668

      SHA512

      faa9e2a4d159968279d9b9760fde1e56430b28dd7c612439e321589303f977c421ecff9d75d0131c0794c5397134b4f73e2875c7701ad1c87d22e2e0d2e60e9d

      Download Submit

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      Filesize

      2.0MB

      MD5

      42cf7907ab08b4773dbf6523efb99075

      SHA1

      da3e7578fd8506319cfe341f2d7cd8598e9337dd

      SHA256

      e3259127002de71c2e06cdf588fa92a5f3ff6393a3faf2343f341610dea46784

      SHA512

      4fd64830df3a8027ab8e99d053a0c5ad90c79d84061b30834badc4a430daec3dfe07745ecffc00aa6d0aacd6a48f10ff572078a0561b3140e11eaf13db805d7f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3nr4cjy.20y.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\aoifpqpq\efikeofa.tmp
      Filesize

      625KB

      MD5

      46b677fef7d23f031cdda10336b45b53

      SHA1

      a378559650ab1948b5fbabfe39c6749f9d8ff7fd

      SHA256

      b89ca63d9e4faaf03ed3a48f5cb45b092de5f168aa7d8b5f59daf42663c05cb4

      SHA512

      e9e780d97e36d2acf13813ad1f818616e75a3a8c4f33e941ae41f3899628df406553322cd14b3536c5563dd580c148e37b5851bd82138ddb38d330f74ccd4e4a

      Download Submit

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Filesize

      818KB

      MD5

      0563b5309db4b0d1bbebd7b968a2bfca

      SHA1

      efd5c8121f9c4f5f77443fb7a397b2326a174c00

      SHA256

      02e47c4ffc2e3246496a10768f119de4b25e645395ec3d23f3dda614d9c0fc50

      SHA512

      84ebcba9a59172175bfc3503a47ed5cf4eb55dc3adf60169c874ecd0359a1cad087347253aeb42dc839700ee41b29b9b4c17974c08a6d23e8eb67444eea355ab

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      487KB

      MD5

      ac62e4a80f7cbaa38938652ed1192250

      SHA1

      8cc31e7b8408a77669389fcbea6cc412a5836303

      SHA256

      91c5a234104cd86acaf7215829cdc6a1db4d38cb8c2bef035f155ecce5abcb71

      SHA512

      3f22867b18a1ed71826e094e81a5e0a8101d433e3bf5451fea66bc56791ea2ebef73224275eab03d887046aa8d897beffdfd9458cd240850d1270a7e2f50009c

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.0MB

      MD5

      ac2cebce67a3695f4987cacff7abc8f8

      SHA1

      0e18bb7ca4dab76d3ef1e644ecd61e5caf65d1d1

      SHA256

      ecf2207bc3a58eef13dd7ce66e40d140d5d7be62f392f1566cc65f1b8f1fc2ce

      SHA512

      012c9097718f9842c29a74ce276cc7860ba5669eafbf63a4e0bb38f3c6c656691748885133ea08251e0bb1c9caa0bedb0fb3b0c5485e2e7ba3348a63e547615d

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      489KB

      MD5

      8af4fdab917fb28ddda641706c1021a2

      SHA1

      5e559486a06f862a85705e2d2a3c1b0e731a7431

      SHA256

      0c3ea65fa7c77d753575b565e10abcf6dffab1e4775393caae1cdffdc9db6040

      SHA512

      a3774e75bb9da0c69165a28ce38bb6bd646df02de37cdae39bf54656d96b5458be760e926d75c0ae7fc884efa928973940d68b0c0ba77625ade779815e2b6ef2

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      540KB

      MD5

      a5fc917efdc9c04b0e7216467d245b9a

      SHA1

      defed0bc1fe1da0cd7f5571a3482c8466232e524

      SHA256

      6fa641fad614b89d98b6b8dc6d436ff257ce7cd4699542132b749785894f4d50

      SHA512

      842e92ffafa658872792fb01b6f317402c43a3bcd5c9a7fa63bb754cb3addaf887a889dda4dc92a7e7bcf9e7bad129be913e0eb922628603da024a44b177aff8

      Download Submit

    • C:\Windows\system32\msiexec.exe
      Filesize

      463KB

      MD5

      b13df1ae25cd584c4e3f62773fc7f6af

      SHA1

      c568a67cf6b575815fdf39cc06b597c6909d2038

      SHA256

      55542704d45b122e518fe13f2057ad0e500766844ecd4d51c9203300f3b8b902

      SHA512

      10a7c12886fb40fec79db178082a4932692433b6aed46735ed967d9d42a8a8808f27ccec590a9c3711c0a4d69c770b744443108d67a8d7329f23dc5f1ae04826

      Download Submit

    • \??\c:\program files\common files\microsoft shared\source engine\ose.exe
      Filesize

      637KB

      MD5

      a11b652ce9074b51996760a31b4a4c0a

      SHA1

      267f445ce68f3ddcce800de35fb6c1d5985809c1

      SHA256

      2fb421f6e168172e5260e7e29a94e52c8fdc4ab67398cd0eeba999b8369c6730

      SHA512

      b59073888e84bde2633b73339d8464469c3e71dde64a0a12d176b2453f8dbdd9310f272da4812c4a490e445e1690a5771dbf41ae8870943713fe711be51ed0ba

      Download Submit

    • \??\c:\windows\system32\Appvclient.exe
      Filesize

      1.1MB

      MD5

      d50eff6d795b89b2805da4e6161ff81e

      SHA1

      ef64e7bbfe00e96c1956cc08053aa11296bbdebc

      SHA256

      ada580292c16f7fcd452dbadd350e1dde36075efd4b628a55918848e08ce378e

      SHA512

      f40c1199706b061f6f03062bc60414d901cc120f2904752fb436afb3a26faa00420c2b13bc79641414c3e0e551e74179ced823cdbc698c1f2baff137e9e27e29

      Download Submit

    • memory/1456-109-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1456-68-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2432-76-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2432-77-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3756-51-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

      Download

    • memory/3756-84-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

      Download

    • memory/3756-85-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/5040-21-0x0000000007080000-0x00000000070C4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5040-27-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5040-19-0x0000000006B90000-0x0000000006BAE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5040-30-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5040-39-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5040-26-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5040-25-0x00000000004CF000-0x0000000000562000-memory.dmp

      Filesize

      588KB

      Download

    • memory/5040-23-0x0000000007F10000-0x000000000858A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5040-20-0x0000000006BE0000-0x0000000006C2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5040-22-0x0000000007BE0000-0x0000000007C56000-memory.dmp

      Filesize

      472KB

      Download

    • memory/5040-1-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5040-28-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5040-24-0x00000000085A0000-0x00000000085BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5040-15-0x00000000063C0000-0x0000000006714000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5040-7-0x0000000005F20000-0x0000000005F86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5040-8-0x0000000005FB0000-0x0000000006016000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5040-6-0x0000000005EC0000-0x0000000005EE2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5040-5-0x0000000004E90000-0x00000000054B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5040-3-0x00000000027F0000-0x0000000002826000-memory.dmp

      Filesize

      216KB

      Download

    • memory/5040-4-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5040-2-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5040-0-0x00000000004CF000-0x0000000000562000-memory.dmp

      Filesize

      588KB

      Download