Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    06-01-2025 11:21

General

  • Target

    JaffaCakes118_209d63407414998cc52db23fa8471fe7.exe

  • Size

    406KB

  • MD5

    209d63407414998cc52db23fa8471fe7

  • SHA1

    f06e068ae256f9dfcd3926958d9964d61f8cec2d

  • SHA256

    99826ece45610fbe772e96c3978a4a120da6ad8138af4d56b26f0b5746cc8d53

  • SHA512

    e900064b2f40ee03070f921104a87bfd06fddfd52866c64053c26b5ec51f20417dccf82cc4482c5168f7d58c34094e054e88017d25db458a00763c4f10563b9b

  • SSDEEP

    6144:/Izfx0tsmxGjd9suGj0IDhAJSbnVrw8/LppZ2oqIqOEhspJ:+fqOwGTlWnN0Qrw62obqap

Malware Config

Signatures

  • Expiro family
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_209d63407414998cc52db23fa8471fe7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_209d63407414998cc52db23fa8471fe7.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1100
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1216
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:3108
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1512
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:4072
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1000
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:992
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:632
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:2240
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1532
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3096

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      4881a0897ce80f9b754e21fb16e4efc9

      SHA1

      42d4189921eab9a23e91189f33f0c02270e998bf

      SHA256

      36dd90c751a243a3bfe9feaac545e7605e9023c35d15707eb255c0f469e03286

      SHA512

      e15829e7e6ee31412b769e499568753fa2498437ea8da8ff15d9118a37994b1f935ad2319e3d396653614aadfc6a17e76b5d9a699581401356049292b12f54c4

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

      Filesize

      621KB

      MD5

      5641c5c793c906c9673deedd11e56ad3

      SHA1

      94ac4fff9ca78a62b56c537429824f5dc8f902ac

      SHA256

      9edadb2a828982eb522847bfbadf53388cf1cbdf5c15aeae0e52dac99aed9672

      SHA512

      3075a752c233d6bb8f876464962922e13713f96db40ffd7a60e1dd6017619004f9efc989b1d920c59eb78af6551867643595e2357213fa25d3e3d95b5c5babca

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

      MD5

      249ed26fba43c9d5a05574f4527a688f

      SHA1

      f3675f32e7838fc07f2a88a20d59df035a71657f

      SHA256

      d9d3fb2962c96c2ebac991a66f4f7da1dfc3d450b8f02ddee39739ccd65849a6

      SHA512

      e3acc07969956aa3d7fcc84ee2f934ff32019450323731711689eb700fa1477b354548905c12a57fd1626fc8ea3fe988bd65284dacf3297b8f16af585826b0bb

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

      MD5

      c0e480a130eab6ad6556f356c4929e05

      SHA1

      01f542d41d67d334383eb56fb39cdeae0545616a

      SHA256

      b46e865e35869019bf35a60179fcaa3cb1036b1df4b37d6837dc4647d3990454

      SHA512

      fa967d1a6151a198fa2d4183c6ef95d1bc825a33d6e28fe21bbb4828df339839679cde18a1b14b0739736c0e6e2fa1893402e7ef01e1bfed28678514470b112b

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

      MD5

      8727816fefcf5190d6437f6717c76357

      SHA1

      c9aace28d72bab655217a8eb6253818bba5f4476

      SHA256

      515306218fb778df5659f4e63ee9b1b4538292275a12d6c08d5b9c7ef5c8db26

      SHA512

      4b67b820cd8c10070817647bbd9e2d7dbc38c3bbce73d119e77aef78a6db74aff6bb51aa212affaafea812ecc2368139df000da993bcba5575e74cbede790c84

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

      MD5

      2c130eca935a234c5826cf4d0d8b56b1

      SHA1

      82dcb3c789fe3f4eaf14cd6a170f27134c235c02

      SHA256

      93a63d297ee45ae9825574e37f2a30205de89bc59375526d92d70d0332c9fbc9

      SHA512

      3788a5c54f1f131df0212fd4ed2d260489b7dcd2d252cae88cdd900b028815604e662b7e0af1354c62ee111a64b4d9152772c669bc96d051309ebdb1c27a25a6

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

      MD5

      d6a68ed89b2ff6a8486a861869fc0dff

      SHA1

      eafd6dafb68bc80310dace8dd44f3dd64610965b

      SHA256

      5b777bcdeb0140669892a3ae1b8b39b4838d6f07fea138ef5df708c2b90556d2

      SHA512

      2906361cbb798daef9aeee10952c1197cb66874f249cab1ca5b44df1a435cfffe558137a49b5b76888e394bbb2cbf6018ce813b6d3301b5748e0b8d66c937569

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

      MD5

      5a579e6d45161075cda0bd04598ffe9d

      SHA1

      5de0801be7f6708913796a4b94a2173e25803a33

      SHA256

      23bf5982a516150d0a66a700e97aceea03683d574387f485c0d12e2a9ee70293

      SHA512

      56cbf9939acb4ec940db99dbf09fc65314a4375b847dbe7eae7aa3bb3e7e3bc05e80eac263d97e9e2a6d62be11cec603950bc504d5af5a41abad513c0575ae9a

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      738KB

      MD5

      7df11867809c5da7314c88dda724504d

      SHA1

      1e0f0351148294521842f56843d2af557368d860

      SHA256

      50052711ace369357d8e18cf5660d2fbcc4039cd4cc8781b004a05ced0351ab3

      SHA512

      20806e22c2ca0ce1449ffef5e9a37cbf4a61d13e4f9de477d4aa56533f3ff00587c28c9a9ae0a0c6318d27f8d9e1ae937d9c21c11f628a10336892495f4c54c6

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

      MD5

      ba198f8c749a2a51a262f75e2c628ed4

      SHA1

      b703f14d5fae655d68677b49d5d6e81cda5932c9

      SHA256

      2d44042ae48b9fcda945cf47249ffa980d72bc4a51ae74f0a3599533c976781c

      SHA512

      3e103b56cff481ded1fbf3cae2b51841af8a53fdc968ac46c39bb6e14231d5a00e8cf51f137e529f84a605db544ac33090d341f910a94bd3af92e73153f5a10c

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

      MD5

      b7497ef97dec1640067eb0e0f0dc230f

      SHA1

      6e01b739f0450fb60bad82e3838fa7f605627f04

      SHA256

      504064d3acedbf1d974c886945b481fcd2ec2c9e16ad26cfcb6f7cd5824f2e0d

      SHA512

      a10fbef1fbf687923c6bd09f02ac80f64b5357c72ad302ae49f5e46c51811e50704c26e158838628a51226ebe131aa4bec3616a3f7e8f34b8b045acfad38e345

    • C:\Program Files\Common Files\microsoft shared\Source Engine\fbfokaha.tmp

      Filesize

      637KB

      MD5

      2d19008720c20daba2635aea0eb561e6

      SHA1

      1a4382545d5e460c6e721f2b54a9d5cd9e050c49

      SHA256

      0ca1320c659ad49deb96f8e35565747b39fb6e9044194541d31c2dc516b2ec11

      SHA512

      d3d5ee96135f7e57d64a5b67080287e450bafa8fb885efe433eff9729266dc3f5c8085fb5f923c8149f30f47603b652fa9229a78b3499de4a751185f763e803f

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

      Filesize

      2.0MB

      MD5

      1df827ccb267256393ad83da3cd188a5

      SHA1

      a83e282be3895da639dff01d6ebaa3559436fd41

      SHA256

      f00f6b061f4de6b9438a8d570d4365afee81ab31f8317eba7fe6c003bceafbd6

      SHA512

      937acc13268bbb2840f57e10b7a8899a5597cb04de37ee43cecfdfabdd899596cea416683075c47ec907ad9df9e6043b40462ad1405b343f08e87544b24b9d86

    • C:\Users\Admin\AppData\Local\oaopfinj\dgppdifa.tmp

      Filesize

      625KB

      MD5

      5716ce3e94e49edc9a9764eefd95fd38

      SHA1

      1eb6acbc58fba298e66b497224294ca363fdce11

      SHA256

      9aa7765bed5929652b45fad1f8b54508e4bab0cccf8ba01a7f0cd4e14546d49f

      SHA512

      ef5bd1a2e023ad0aa59eabe86f26cefe9039afd926d38de4bad4b0d05eb1609bd7852592c05fd1662eb9f9554b552f373995d222339d480ee456e9ec9ce8c361

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Filesize

      818KB

      MD5

      17b2a8e245e10aa94d9e7ac042f219c3

      SHA1

      e25300d0fafe0560ac153acf3ab35047d183c9f9

      SHA256

      995c023c45b18b39bc9759f1309109e457bf9536643a02e47bb5d82c75075e19

      SHA512

      e7cd3a6f313e6068e4c6b7459a4444904964561ff4dd7fdc7725b112ab497fc495570984423e3005e0991db75c409eab891ace97eedfc3e86bb9635bb5c553ba

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      487KB

      MD5

      817d722c6b179de53795945aa14b7b36

      SHA1

      e35386006c4f36711c742d6012a8bb8ce5390197

      SHA256

      4fcd540de75eecc222e41d02dee835940115e7b716f8f44b7c93bff02bab8931

      SHA512

      899987590d165131d15e78f816a876d4883acf930aaf0f39a3dd523712706ccca19e7bc4fc5ba9b60d24a8333d0b4d2b033102dcc55e93dd0d7b93058e874206

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      c7bd78f6c512ce9ed50da199b05503b5

      SHA1

      1d6400cb37d388072c29183c9677f8cade785c68

      SHA256

      8de742be71629c9f7bd9ec40ae9f56ad5c7c073e274b8d521ede63664999b65c

      SHA512

      ced8627468af5b892ccc22322b97640c986f943f266666b71d959fb3cf065fc653ed46c3b4a6a75c71b79ddbe6fd1b29548c305bcfdd864e041204b8f59620bc

    • C:\Windows\System32\alg.exe

      Filesize

      489KB

      MD5

      a78d88988603075f7d38635f7a02d0f9

      SHA1

      821f2cf0accdb018b514aa955cc0e5b0ab9dc788

      SHA256

      9b76a3ed15eac2bab212e1310199d9a5ded047d56faa5a1514a2d59965c85600

      SHA512

      b9915a64879e4ccec8d4098137a2c14d5c78c944e56bf418e8e6c2545556699d778a21df98c66e1864e1cafee02a35affed489183a98b00b7325ba402bfedfff

    • C:\Windows\System32\msdtc.exe

      Filesize

      540KB

      MD5

      34ef54fa1cc4566d0e74b7e8cd3ec76a

      SHA1

      d7211da4f4ed93d66016d8e22fbed6b28d53fc3b

      SHA256

      7c29756f625ad58b46c67f0e5f12d9049ad1857ec460567e68beb177bdccdb5a

      SHA512

      06c2e456d321a477a34f6d533d76d94cbff3fd2d3418bca96f221cd30abe526401107099134e21ae4c6522a06957c8807660743cf71651b81cbb8a1724cb387c

    • C:\Windows\System32\msiexec.exe

      Filesize

      463KB

      MD5

      a971c960620c8d8310c852bfddf5b4b8

      SHA1

      b7815e7b0abd65ecc187bf0c1bb2a20a1363d1c7

      SHA256

      db73be80fd472a2f180957297e1093813f669bfd54683b791978cf59a92104cd

      SHA512

      6da80e6d25fa9d3aee3418d23c77b6291f1e9cec5853b9ffaa07f2dc14479fc7b7ce970519f576e05a82ae92ebe4a42f9d5c88904470c5f84fa5124701e4d1c8

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      a969fdcb85e1501032255c841f151a7d

      SHA1

      b2c46d3460dfbc428ea9308a61987f1799396b52

      SHA256

      c0cac4082c4832292b7af6592d277d912be81abec4df536b7a8563045662bc97

      SHA512

      521854ae2b3a8dce87520fe13ae4be93b9bfd3c06cfe801eb2d54abee20689aaef147d80fee85d80b59533e0e9ef7160fa1b737113d5d0d2825ed99bb99cff26

    • memory/1100-0-0x00000000009CA000-0x0000000000A5D000-memory.dmp

      Filesize

      588KB

    • memory/1100-5-0x0000000000960000-0x0000000000A5D000-memory.dmp

      Filesize

      1012KB

    • memory/1100-4-0x0000000000960000-0x0000000000A5D000-memory.dmp

      Filesize

      1012KB

    • memory/1100-2-0x00000000009CA000-0x0000000000A5D000-memory.dmp

      Filesize

      588KB

    • memory/1100-1-0x0000000000960000-0x0000000000A5D000-memory.dmp

      Filesize

      1012KB

    • memory/3108-59-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB