Overview

overview

10

Static

static

3

JaffaCakes...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2025 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_232d6b629e6ad3eecc5c84417e98c48e.exe

  • Size

    816KB

  • MD5

    232d6b629e6ad3eecc5c84417e98c48e

  • SHA1

    03defd5c1e5a33b4787be622a2e69122bda3b214

  • SHA256

    f1f2c7ae0fcd218b99c62e2e85899000fb567b0214a6c6c45c70656b4231a9e2

  • SHA512

    f27b990d4758378886119ed195884ede387993e2d1592e136ff7b69ccfbd48c072e12c380cb3a50eb34be8cccd3aab9358e012bbe1e2f0f3bf2e6dc21154ae66

  • SSDEEP

    12288:SJW2KXzJ4pdd3klnnWosPhnzqIoB8UJVr5NdTf55L9fLHGXM:SJW2KjJ4Td3kJnbsPhnzqNBBVXdPhq8

Score
10/10
expirobackdoordiscoveryevasiontrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 11 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_232d6b629e6ad3eecc5c84417e98c48e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_232d6b629e6ad3eecc5c84417e98c48e.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4216
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:456
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1968
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:2416
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:748
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2932
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:4944
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:1532
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\servicing\TrustedInstaller.exe
      C:\Windows\servicing\TrustedInstaller.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:3200

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      1.9MB

      MD5

      1b8d93de362eec619f88a06ab1e9a9ea

      SHA1

      623067e77d88b473ee366b37555a34bb5f8a4660

      SHA256

      1084bc8e573c8192f25693bcec1236d97c353627d5ded0517f76af44f44cd329

      SHA512

      8c6e9362a39f2c5e9178ae550efb8cf742546dbc9afe1539806d3b7ad6b51bf461f32c1e24a194328c5f0f90d86b24653c6e200717409add1348ee69b2c358e0

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      621KB

      MD5

      6e371c74025bc2a675e7e09c80241792

      SHA1

      9f99ae8368d4ca2579bae1e93bba922b51224b9f

      SHA256

      c44f32044524882156de9aa9a6f0fb789db5767f4dbc841c4360064853cf83c4

      SHA512

      d2ab3a6575a7138f419fd7a2bdaba171ee51cc03620218d69bc9fe4f5b7ae3f53a97deaed34bdec280705cb62c4e8cf85c89a35e256d98915a5f7e222ffaa172

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      940KB

      MD5

      ae203548f7f7da5de0f3997cc4fc9041

      SHA1

      322b49ffb067c8c3b8e1866a9d0afb69fe687bba

      SHA256

      ae92357f1e03383e769f40993e57e30703fe1d4de633a6dbe9b5470d0dfd6da7

      SHA512

      d51e1479557e3d73495b13dc7966ca02a516231034af40f04ceb176c7c26c5bf1e869091d06825b8aab7d40154ed1dfb3f043fc2517c01d03cc8e2902654b5b0

      Download Submit

    • C:\Program Files\7-Zip\7zFM.exe
      Filesize

      1.3MB

      MD5

      d8fed3dd4469a0ab37cb2c001f8131dc

      SHA1

      fff805f6fa31eeee1f86546d11116500e80556c7

      SHA256

      979c1932c5937d2cf00d5096e00d82625003a26e63ebef05ba60b8d68f6bcbc2

      SHA512

      8852229e18f2d46d29a77557dce364f57a597ffefcaa4ded6d6d356f48b463b2e200f45056804111a60f64e3027cec7949b0302e9b7dd7f9b26301997490731b

      Download Submit

    • C:\Program Files\7-Zip\7zG.exe
      Filesize

      1.1MB

      MD5

      dd99d03ab44529c63abf0c6a860c8241

      SHA1

      8f30c700be8ae9a998f3fa83eaf5e2b4d5de3afa

      SHA256

      d71946e5c215211f9d6e238fe9efe18a4b961acaab300c4983fe649823f40984

      SHA512

      a713119433d6b864677359f6c6a07280f25d40865d9ff8e894aee3e9cd3282ae2403e328a39148f1d321440765dc9c2092a5a763899c9b2ffbcdc5bafa62884b

      Download Submit

    • C:\Program Files\7-Zip\Uninstall.exe
      Filesize

      410KB

      MD5

      5f80de15a18f618642b8337589389546

      SHA1

      57a98e35d452465cccb0a0296e8d014ecf47cbb0

      SHA256

      c5887b1cc8d8f3e65687a90f66f92aadbd1990509c63c8141fd89e18608c7a44

      SHA512

      ecbc5da19c802b8ab13fb28afe1a8fba630c8b2d12fd8041f5d41cd3b198926bd7f1e75fb8f693d7e64f47853c313f2f5fe40e8ee419f6a994527e4274ccd521

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
      Filesize

      672KB

      MD5

      28e221ee492da703a501557551d842cf

      SHA1

      36cb9cca4f1e9ac5f7f3d48137163ba7fbdba1fd

      SHA256

      18a31f20e8b8b1ae241b6cf0f35a941049e47bfbe4e12b1cb456cf0d78dd2e01

      SHA512

      f8ff58051343578b37cd21d1ecae2a34cf2e2886bdabbe6408d444a06e43cb9bffe0d9ca413b721845e28438ccc10170b33d907ac88b27929548fcc47a7ce04b

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
      Filesize

      4.5MB

      MD5

      36cba4576de8158386841b10dfd786f0

      SHA1

      5c14bf409557eaa01dd76a5c490883ae80c8b2d3

      SHA256

      706e3a56a206295b4a8814f9216e0ebc83e1e37a616a6ca4c8c717ec5c8042cb

      SHA512

      c1c6966a53fbb5e4fa19bd24a15a15a3de3858b1a644ec6e11255cd37a92b847caa426f6417439f79212e7a5903105ec6d6e2f163cce4d9452e57fcd7bdda0d4

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
      Filesize

      738KB

      MD5

      ff1ef4291d03b4aa1d43c97dd0766698

      SHA1

      55e57221612dd59f5070feb53c7ca6519ef25178

      SHA256

      66ca7c3c9dc11b6888baf15e3ab5614320751a0c761781fa0bf6cc32a42eefb2

      SHA512

      a6ca6384c65d3252a29777da6602308de5fa91e5da3deb39e33e19b717d297a364a6f1e4685a7a14d26e7ed6430e9c20b9fc1f9ee98792a38b35ff7c8f1651c3

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
      Filesize

      23.8MB

      MD5

      4bfff3fbbfa87ffda3a2b2ab3e6c7ba8

      SHA1

      1cc4bc16efe7bc614a6c6bd8f8b38f508f5b8e37

      SHA256

      9fee81ed283403315c9155a05dc93a63608a44da58c0e553cbb41451c69a4d93

      SHA512

      d59beab9fb91fbce3cdc459564d6cc3039f74c1b30386b79aa349748a31f2caada965e25baa3e04693a66e1d1d5849720b48130e1f5ecf2fbd755993a65fc96e

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
      Filesize

      2.5MB

      MD5

      ad85f15502ec59a1d8580b1e7174f17c

      SHA1

      98ec252c271784460069b362d7cd7703c5b00099

      SHA256

      974711292974e1f41e40db7b30634032f44489ee257dd858e7a04f2d83698b2f

      SHA512

      6bdcd34b7ae506d562c786343cb77df6caa1418fbef7ba24b6f5d3a57bf081ed1d3e0a7bf4f2af626baf520ea374729c95a256d4f13a6318b03e8c1da1805696

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\gokoiqmo.tmp
      Filesize

      637KB

      MD5

      a39988d30f755663de24e171a71fb096

      SHA1

      7f516211181d9b538858f30ddd9fe44c41910847

      SHA256

      8d601c277b21c22a7ebbe2c4264afce0c75f412e3d67b46b505a442731fe649f

      SHA512

      23cd51061ace5763e94faf0a8a172e24e6879a5292698f77d29dbbf8b5bf671cb62b8520519a6f0acca3760ca97c012e170bbd1bff8aa0c099ac38ad2a593f6a

      Download Submit

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      Filesize

      2.0MB

      MD5

      c43b86347bae62f11ea912ed42a9f491

      SHA1

      343a58884397ca981673719be58e303282c5f307

      SHA256

      0ed1945ac10a8b51ee086bd97bf8429af61babc31af4d87de53625c99d47874e

      SHA512

      d40144f34d3789b9db852c3c0e73feee165518df255eb9d4efd53e4dca032f9770ca825abf406a0b3f3f7b08e22d687736146ebe884ddf26cd662fc249769556

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yenqp4x2.u4w.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\kkpipkam\lhdpogle.tmp
      Filesize

      625KB

      MD5

      85d4504a1cf947afabcd8563b9a84dd7

      SHA1

      e57dbf871e2d7648716d58235a110ef33fd5f2c9

      SHA256

      329848f1499648f9fef4ce7175e9c38913908f0e47ca1baf81bf6b05840ef5da

      SHA512

      2c8deef6fcfe178b9b77ab0754338f747acd230629d0581674210f393e57363fa772f00f354efcf2c16e2fd3f9745ff88826447e5792ff84a3209d43041cfde4

      Download Submit

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Filesize

      818KB

      MD5

      e914f678e61d41b6e623f19fd6ad23dc

      SHA1

      b27ddb08d637a4c00a4d06b87a0c621d091b9f31

      SHA256

      b153778e675e5624bd53aebb8174eb7d6fcadd83aa9607615706f6d9e9ab2776

      SHA512

      3f8c03865af1f87c839771f0d693ca8fb838af191c0c3c85cd159814968656c1a3ca7b255e5d62b039328f153b01404b84c55531a9b0610142332fb2507b2a7d

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      487KB

      MD5

      5eff48cbeff2a6a816bae6342b985068

      SHA1

      3d07ae8205f11a3694da6d690a07365584a27edd

      SHA256

      cbdfcf17c9898b0b542610e6519da3d2b58b1fa702e4f50c9da99f88713f063d

      SHA512

      6d358db5aff9e5a1eb1fe82f312a34472b0dbacafeae88b6392b67c805cf450515fbedada2437456c859b23112a9bcd5d78f2a1f3250e162a4a698141481c5f0

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.0MB

      MD5

      23492859497195975e0412d05f5d64d0

      SHA1

      00a95f34c4bfc50bd0164ec910c675bb423f88a5

      SHA256

      4d42ed0f0152e6d935e99b17ec34970bf1943e0203c13987995d65bfd42e2ead

      SHA512

      f57a52d6b387ddf42d6311fd5d3fd1ac82b9d91a90e648a49a6a800121532748a306f123a4a5144ff0e2c352e2b1c7cf21cbb2764e155caebd579e27415e4126

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      489KB

      MD5

      fd5abb0d3b64d17474f86908a8726ccc

      SHA1

      c2e566d22a6d00c0ee1ac3b7b8b8ac138c470ad1

      SHA256

      0f84a122401a110854d44b33cf3a67a360a5a0b3436ed4a0dd119e870faea96f

      SHA512

      2a16db90cddca5b88b581eb3c0ee32fb0f45eece6b2b65f331d7cb06031e5d0964bf70e529ceac45eb809dfa99b7c9e0d7cd42e5c7c2f5bb35246228582a8ee9

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      540KB

      MD5

      b625c3f7f3a6e53d6f066e80bdc29465

      SHA1

      c6b1d0a32e5e455a1ed8bdcc68ba5ba82644638c

      SHA256

      da35ad53ed993df291dd3345852291dd419f5fbca766457ea68f4fa0850e003d

      SHA512

      9805505544c473153bd2b9685629c67f7d93b3a7ceec0faecd2b5dc72a1fff196f83c595d6f67d03b7cf88a5c6dcb61b80281d74ab5f9a00b3ae3636ce03584f

      Download Submit

    • C:\Windows\System32\msiexec.exe
      Filesize

      463KB

      MD5

      fa2c44e196b3644e876433edf5f64246

      SHA1

      772add48557e79602abf2183e8c61b7276cccfb6

      SHA256

      d4e2b3a8a52dd8ecbbd4018ff3774178ff1e4e9e544e61e8733ce3d224633c56

      SHA512

      3db154804a09f7ab955b07a49f5870cd387b431afe703652e9090c25d1fc69ddf7e80e58614c3f4c08f2a0baf86e16789519104f67bd3618fb62d2987e3eeb55

      Download Submit

    • C:\Windows\servicing\TrustedInstaller.exe
      Filesize

      193KB

      MD5

      805418acd5280e97074bdadca4d95195

      SHA1

      a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

      SHA256

      73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

      SHA512

      630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

      Download Submit

    • \??\c:\windows\system32\Appvclient.exe
      Filesize

      1.1MB

      MD5

      bd1ad7ca4aa165cd8f8a06c83b7cee82

      SHA1

      0ffe47f09def6f65b977450eb84413ab3f2753db

      SHA256

      d0cd873e450f39b844f08bc83e48e5636ef634eea56fd7a99872588f33c7b7ed

      SHA512

      08df4dfa32be234579278d534ba24cb1a3faa383a0ad9ca9b20dbfac5be0f16b44ee79cd3a5aa6a49f017ef92cd921fbdad3c2fe40712d7a7ab3b7091be4a9d6

      Download Submit

    • memory/456-52-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

      Download

    • memory/456-93-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

      Download

    • memory/456-91-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1968-69-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1968-129-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4216-0-0x00000000004CF000-0x0000000000562000-memory.dmp

      Filesize

      588KB

      Download

    • memory/4216-23-0x0000000007E30000-0x0000000007EA6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4216-31-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4216-1-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4216-28-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4216-22-0x0000000007060000-0x00000000070A4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4216-26-0x00000000004CF000-0x0000000000562000-memory.dmp

      Filesize

      588KB

      Download

    • memory/4216-29-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4216-27-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4216-21-0x0000000006C60000-0x0000000006CAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4216-20-0x0000000006910000-0x000000000692E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4216-25-0x00000000085B0000-0x00000000085CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4216-2-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4216-24-0x0000000007F10000-0x000000000858A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4216-40-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4216-19-0x0000000006360000-0x00000000066B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4216-9-0x0000000005FB0000-0x0000000006016000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4216-8-0x0000000005F30000-0x0000000005F96000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4216-7-0x0000000005DC0000-0x0000000005DE2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4216-6-0x0000000004FC0000-0x00000000055E8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4216-5-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4216-3-0x00000000027B0000-0x00000000027E6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4216-4-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4644-76-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4644-77-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download