expiro | 1d177bbbdbc8c1d28ba63bfef3dd2e94768e56da8983164946a9232769f078a5

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
Size

625KB
MD5

082ce02ed705927b4288bc76b636ae41
SHA1

63f64beed69df96913cc2473c22c3bd5830733a5
SHA256

1d177bbbdbc8c1d28ba63bfef3dd2e94768e56da8983164946a9232769f078a5
SHA512

ef719a8fc1ce02aca5f6aa803d262c3890cbb0e5ef51b5f95c3cd0788e60b1fc75f31f78d4dc08f6eaa3fbc49ba5edb905c000ecc0b23b43b8c2a966e293b9b9
SSDEEP

12288:GVt+w8wyv/N66WoJMqX+/adkNfy72z5VA52BDCM0a/:8t+w5y9DJ/dJiPAqDCM0a

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/3428-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/3428-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/3428-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/3428-48-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/3428-56-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
4692	alg.exe
3084	DiagnosticsHub.StandardCollector.Service.exe
1904	fxssvc.exe
4324	elevation_service.exe
532	elevation_service.exe
2020	maintenanceservice.exe
1268	msdtc.exe
2528	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\N:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\P:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\Q:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\O:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\U:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\K:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\M:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\G:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\Z:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\T:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\W:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\X:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\J:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\S:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\V:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\Y:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\R:	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\perceptionsimulation\alnebdfd.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	\??\c:\windows\SysWOW64\eibplehb.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File created	\??\c:\windows\SysWOW64\omfhldjd.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	\??\c:\windows\system32\mbgcfica.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	\??\c:\windows\system32\dmohjlfo.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ndhfkomg.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	\??\c:\windows\SysWOW64\cooqilng.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File created	\??\c:\windows\system32\oekpndel.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	\??\c:\windows\system32\gpomldfk.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	\??\c:\windows\SysWOW64\lamfcfng.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File created	\??\c:\windows\system32\gibclikb.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	\??\c:\windows\system32\wbem\gnlifiin.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\baachdeo.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ifpcoece.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe
4692	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3428	JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
Token: SeAuditPrivilege	1904	fxssvc.exe
Token: SeTakeOwnershipPrivilege	4692	alg.exe
Token: SeSecurityPrivilege	2528	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_082ce02ed705927b4288bc76b636ae41.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4692

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1692

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
657556edddf087ab6bc352aa610db09b

SHA1
19107a99b4550eb2dff40e7f612ed3caebb67978

SHA256
fd8d8079670e1f79ee798b243fb3ae4ca05956d1db96d298d7370f8244c0e1c5

SHA512
b3b779dd3429f303210af32fd1cbd36df479e18f406dcffef6caa7e19cd93b137d4fa9409b75d8f5476c5a1a886f393feeed1a3573738b616d17da2224028174

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
aa3fa7d8b7bfdb44d0424a45bf656050

SHA1
6476f7dcf12119b5ad0d5bd215267a76fcb29b44

SHA256
a261450e8eef33b084bcec123879fb8c8c0d3d866c80cbd35056195e8bf92dbc

SHA512
d66ec59061459e1179d56235694097c51978a8d53c243aaf49ef5431e1a740b28c2237a10b1e49fc1dda17024efd8f10e5902e9f1d149f8bac6156bba1ab3c1f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
2358a23158f8ff0a238b9f1e638c16a2

SHA1
b75953d0c1336df8c60ab79070e5b4bcc5b60a79

SHA256
401903c94eabbfd368f9805bd207ac1ea62ce2c00443620d53672f5b0ffbba22

SHA512
3fa8c17161ec0cfa69f82d6612c748e18e5d26bb279764d695551c2dc4038851dacf59b914f996bdf81d6afafb084fbb841ba5b6bdb9de9dc2e25668a046d0c8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
51f720fa05681c6b7cd933b63ab0c568

SHA1
5ef90eabf6f897bb5d8a9574c0e033ffd98d853a

SHA256
ace5d8245d484c777e8b7f4e9d6e582b727b64a46cf3cc24000d7bf58e2e31a3

SHA512
e5be2fbfe0ebbbae1bb84fe2c4f8919377dcff90c6d1e1202847173ec02111636607e480b2636312ecbf5d246cea1ebce20fd387c4f24a6c1f447bedaa72e283

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
39d0d6e8cf67108d1bd242f5ccdeb777

SHA1
069939bfb992df62d4416bb2847bc1cc3ea5736d

SHA256
a4c885b046caf7523f0cfa5e5caea0ef3e5b910bed6c2ad66f2003c57ea44b6c

SHA512
434786fbbe2a2223fdae2694a16b2b683042bb787cc2e0d13c3eb57471c5a8c77fcb630a9bb8daaf805f54beb1b54f7e22e737fa19a08cb7ee207284cdd3ed7f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
2a024c1b883a06212a9e1ae0e25838cd

SHA1
a0c7f20ecfecfca544962b75cb845fed65e9dc89

SHA256
760384b1217f8088721a69b218bc2272cef8eb9c36197d00395b4c79d019a53b

SHA512
5a4dfadab96faf1ed7fbda552af3e4f7b686499f246b1cb6cebdbc348712a07ff341f892d91947b519d876858eeba2e6bac0d82af9480a8e2aca594b53c28065

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
74f5f7cd938d018eacaee62242051fac

SHA1
15a15d77a770522c21812fedaa831b93eb229128

SHA256
90344c9d25df0b6b2fe9e5aec803ef647ebeced3e7c467eba0c894776494ada1

SHA512
8ab4894777b4852d6bbefdec386f4882dc8bca9544cafd01e260dac308a7166373a4c35a1829c7573d36e6a476b84e414eac5e263d5227fed846609fd89260c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
71e43e0811f1df2f71c4309f500573ad

SHA1
7da6e45c5f2fc66218531cb96e51a8a504143ad4

SHA256
18874701cb07d59d1c5bfade612e8574c1a3f7b3e8c7ebb8eb4aafcbad45ec73

SHA512
16f01a2e660eab9ff8ab5ec3eb5bc3fe8a2d6e7c4385b18072e822fb076f6934afc8e6f9a3aa7d66a06aa74eafd3901527680991eebc9741924fd98b828ef01d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
5d14e1e3a8159202957dc424f7b188ff

SHA1
cec87930ed48d77aef8305fd0a8c525464441fca

SHA256
6d2c5606c12124a5ff9e319e290cb6752f4300480c9caabce50d405d84687abb

SHA512
8206b4f36c7607b013dfeb55c3da511347b797df59cccb3f68d67e89808909371bf4b582a9a60580d7b3a9dca0b4310c40e75975a2577d2f6befe5b346bf07ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
e1e43c33fea66cf8094acc77bfbcd92f

SHA1
a9ae44d02fa7858388576b58549a5bf534dec0ef

SHA256
03476196c6d01b022d78b2080a98b82aec69a05754955168d34373bf480d2e76

SHA512
f44a4f3de607a49e1fffba8096015b51e8c5182cf8f011dc43c31b7cebd6bc6207521dcbaa0aef7161700460840e2b44497bbccadee098c9d312bf6dd4901547

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
dfcf760565e6740186576e5698f3bd55

SHA1
927a59474a9ddd1d8a510cb0d185219d9ac0eacc

SHA256
b9a1831965af5e0e9721f30fc42cce6d673cd0ac72d9004b174cae7af9095c67

SHA512
61289ed5465d35518f62a59a710086e160fc9ddbbee1a0565ab4a161f64f95aa67192cf365208613bb6b8c1b7db0830476516d52c6d9963e2cce7cb76ffbf34e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\gdjnnpel.tmp

Filesize
637KB

MD5
db7843e2273a5001fb51aeedee0098e6

SHA1
0700903c4685194b9931c8f3e4ede27dcae9b549

SHA256
2054948ee151e3ddacb820cf0cef20bfb4b2e754f7033bcc62bb62b10b053cbc

SHA512
b53052f6b59eb474cb2c7511004cd974b1d44fcebf992cb7db0cc0aaa74f66348e62a8d72b8a864fee9c32fcc61114dce68714eb9955c855fd949630dd90b0a6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
9eb0087b40b7a09da8a1528f269afbbf

SHA1
8dc0b89c1f3ecc8fc2ee7a96fa7fb03eddfd6323

SHA256
6e5a81be301aef191f57cc32afa8c3c7276a2d796fa11e4da1e66184249f1043

SHA512
624e92bf6a415b077174a8c45767deb7c3646a2f77af15e13a5d3781356cbf75710f59bb68d88c89abc21a49619b26f484e5568f0ff70067c258ff36629e7c53

Download Submit
C:\Users\Admin\AppData\Local\fbnecrfb\hpaogdki.tmp

Filesize
625KB

MD5
c309ec04f9babc9d67a6379b4546a8fd

SHA1
aa16d6b38399490c65a64f93471e56ced40d8389

SHA256
64ea57f0d6b7600c6d59bd0d764b8628c67356f754a1d878147243674cab1a6a

SHA512
8044d8687f48ed2293f41ecce6f2bb68956149d44c884dbdaf620431fb21fc5ee5b30d4cd9f3753aa6471b1520a202a1cfb51ba7f90ec10a9b055aac3575e499

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
4af7f4ff50a8062b62ced1ddd8df572f

SHA1
1f55684687afc1973793cad16dd7a6979bfde88b

SHA256
22bed73ecac0fec4153f1b8ced20966baa9af7465ae22db523b11e2ced8ead4b

SHA512
5b1a057c960553046a6503d0e4a9e2d9539080f1d5eb9808f4326787a116aaca8bece8c065ec7c164a147ee63e08b2af4d97511e39d100951de0ad29f149774e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
cc67dde2711a0473fe1a7b0d78951050

SHA1
9d7022758d6c0d7c54dee70d624c7b3bc9175076

SHA256
57971e0b91bd1baca521eef1291ef1a571d15024a8e5085d2308dd32c462afe1

SHA512
9e93fe67f686d1136a07e34268ad8da0c534bc1ff40d22bc914f9db0d5c02995329472cf509cb1f1fd4c69afdd5354a21dd965f92794fb096203ef8017e51533

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
bba726f064d30be8ebd1803fc8dc74f9

SHA1
e05a3943d24542a4bcbebc84afb9242e57e83401

SHA256
7019ca28e1f61d1408e7961ce9b88fa482a7d3b182b4def2347c338a5e5373ff

SHA512
3c684f391fd03370129e68926b95ae3561522e645fa10824b9ca187523407d88bf32dfdbf94e85a59bd3bd7f18044971d641288118b737699fccfa2982ef5eed

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
942c9ed9c91dccee7d3b52add50629cb

SHA1
4f0b944cb2c2406a9bb8f474158a1574801a509e

SHA256
1c0c1526fe40017c058a4c1bcbb14b70ad4dd3626cae4f7ae0569c272698c86d

SHA512
5944410647eab5189e1c5e778ec4708eb1a318943f703f2536c218093b3f7a196a7041222765ce164813bfaead93a3f63577dd39e03ea65c47daa0973366dfdf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
ace3a5084ef72978df9f0aa9fd645ed9

SHA1
feac51b798316697d4e92b709ca35fb89826275d

SHA256
d21c10e3f2b88c7690281debdb4dc14d47af4ed300d690b84ddac6964408b039

SHA512
290660882dcda5e1ef7e5f64422ff905e96e12050626fa5c20d82b94d9b0e8595be9f560aa105791c7216e5a332a890c5a330d298108851cbfb3b784f76685dd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
463KB

MD5
0818d23e3ecbbad78496b98e583889d2

SHA1
b642807a65dc539f6b9f5d2c6fabfa07e315a8ce

SHA256
d5eccfdb8b706b48b0c95bea5cc6bc3496ce4f92c444132f32be290168d8b520

SHA512
739902f5b29a38adb25635476be2a70094f03790d241c9780f421cf84e754ea1eee087cb46d2971e017b78a0395b896adaebdcc6ee86ba6a1e5e3798238e4369

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
fd597a668dec225d20ad537b178bc62f

SHA1
54561cb1304a36c4e5beee15f67a57c8f3bd2701

SHA256
5596a601aef13cd7e12625f9ee4f41dee45ae8f7083dfa65fdeb946b2cdc2caf

SHA512
996c3a5011fb0d03914877231b04303e49f9354845f70889208caec45487809d34dadb675b37fab6031284438f74d0a5b77857fc882b8a8129e215870883a5a3

Download Submit
memory/1904-47-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1904-49-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3084-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3084-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3428-48-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/3428-56-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3428-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/3428-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3428-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4692-63-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4692-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4692-64-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download