expiro | 922c58f5fbc890a5170e4829d645bf9bc578e1e91377bdb8a6f90d485d128898

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2025, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
Size

625KB
MD5

9bf9f662ed4e25acaf3f26b09774e77d
SHA1

eb45e4c04c07b7c7e2698bd9a9e3bacfdde9a11e
SHA256

922c58f5fbc890a5170e4829d645bf9bc578e1e91377bdb8a6f90d485d128898
SHA512

fda76d6939d40fdb262b49a5189406f1bcb9cae50ad3d4b034c765f136bd9cc2c7b71920719152b63b4d294f82211fdb9bd7b9279d1f14ddefdf45a5b62fd299
SSDEEP

12288:RVt+w8wyv/866WoJM4sr0fjHLwN++JbHjNifqo:Ht+w5yMDJ7sryrw4IHa

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/4076-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4076-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4076-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4076-47-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4076-49-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
1540	alg.exe
1416	DiagnosticsHub.StandardCollector.Service.exe
4520	fxssvc.exe
1620	elevation_service.exe
2136	elevation_service.exe
3084	maintenanceservice.exe
3844	msdtc.exe
1984	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\W:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\V:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\Z:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\G:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\P:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\X:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\S:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\Y:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\Q:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\N:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\R:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\T:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\M:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\U:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\O:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\J:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened (read-only)	\??\K:	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\peealqle.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\mbeciife.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\gkppbmlm.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\SysWOW64\afjejhpf.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\diagsvcs\monenjde.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\mnggfnce.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\perceptionsimulation\dgldceqn.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File created	\??\c:\windows\system32\jimfbdof.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\ilaajadk.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\iebhfigl.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\SysWOW64\beodcdlg.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File created	\??\c:\windows\system32\icnioklf.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File created	\??\c:\windows\system32\ljfbkege.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\openssh\omkpieqh.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\nppbehmh.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\SysWOW64\ofkbmcnp.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\windows\system32\wbem\hhbmaama.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\afpbkmbd.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\idpebapl.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	\??\c:\program files\windows media player\cbhiddpb.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe
1540	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4076	JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
Token: SeAuditPrivilege	4520	fxssvc.exe
Token: SeTakeOwnershipPrivilege	1540	alg.exe
Token: SeSecurityPrivilege	1984	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1268

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2136

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
91b298911d9dd798c0abb7cdbb33e522

SHA1
69dcd26ac2dd7269d9b99a626562c9b9f2cd46ee

SHA256
5f4a9bb635719708463f63db09e4258ffc3440c1ffe56043b33c2faec6513e2f

SHA512
ae71e3ae66e18118898bee43fc3d3c98b54ffad363aeb4000a73ad93e2263ae7154fdd0542bc4300bf3893d217389ab04adcf04ec2c20659442b2217a780a60e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
650622c8801965aac948b86fa1c58cf1

SHA1
185a548035f6c288d5b3c26764f79c11440a5e12

SHA256
f4333af3f841cdc81e4346ab6985dcc507b2230e6c2a7ee4975d9c2e1170c1e7

SHA512
7ca51db7ba18cd13702b4763edbe20063d9599ad8c0302f5bc716a302411c169534fa7f4c984dbe957ea3843f07bfea8a2d96b3bf9c3f7118c0089deb3e3e23b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
d954a2ff00e0e32d93ba132375151fe3

SHA1
6bb5aea6d250acecd6dd9f8cfc76cb5a3d814533

SHA256
cbc3fb6251f25270f4fb122e5119cb1df39b704447f02713665344f1d4273684

SHA512
a3f7de23728a4fefb765763e8cc7a8e99a1e5db0d62326712cf168c8426cace11790d4170a0db06c3efc6792e6e37551c7f7b23f16de1dab5549679ae9220f27

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
49d85646cbd1aaefa6342b4d54820aa4

SHA1
699f0797b4cc5819ab84cd78770bba81ee2ac583

SHA256
c898611217c4d28aa7effe1e0b9ff1f141b034af162985fba5f31d2cff764e98

SHA512
f6c6d73b0bbce99acf4805e07ffdd1f368962703cf7ad009fe813e2e31cb183a1c1083c20307398c5851901daf355f98ebdc9f1048902b9bc43843c973567f49

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
87434f3879b02be4715dac92b2279687

SHA1
ab8487142b16cea1009d13b81fc3226fcba11a88

SHA256
9c29a40ed23786c08fefcfdecc27983c479b66294023fdd0d0a05d4cee9727ce

SHA512
253e56ad741a328855a856305b70a0e8209f9798e89bde2904ff5fd930cc8088925d4adc5887731d9abf4ebec3f6d93468199403c20c5e7e76aa595f4bc4a83e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
bc9439610eadb5e6e852a3fce4dc3cc5

SHA1
d7ead4a46e39a39bb74313652d2360ec716367a9

SHA256
dc4d43a9c06501b1526247e015e35481acffb3bbb6f80eb17be308987dbe9bca

SHA512
ce81b87c5499ca7034a004e03fcdfc57fec6dbfb9669d699406a2e6d9941fa36708a7412280944961fbb03646abc0d97f4e79d3e57bf24a69374e5df603d4b66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
b62de7cab2f19ec7bf6afa40734280ef

SHA1
ee480df4d7448936e995f118c9b738f1482594aa

SHA256
dc7e8932aa794734afe7e3a1d826b8b62cff2f88a3d01d8513103cc8b89cc633

SHA512
1e3bb68504255b07b45b3b425c37513c0761e4d2bf77093a77ef40c2713d48ee7985a1b5085ac9b3028e19757575078138a21b8019c0203aa3cc234de63b18da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
92380031e94ce22ada751f20e60057de

SHA1
5720b16d1f6c2523332586ec416d2821d9a108aa

SHA256
8fd26fe016af37c96e018040e5c4eccc153972ffef4f5019e256bba051b788d9

SHA512
7f7860f83c3c63eb7fadb902f45ce278c5f890b35474d4d660e037013645cbe08368700a6f8120468d6d517bb0ac5578bb2cf2b338a208263fbc0594b9a0ca58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
f177f284d4beacad7b0221d078d4f373

SHA1
54719d74494c56ddfd689afed49770467d013dc2

SHA256
7429e36a72f248b7df3b79321216aac70411de2de79cf2985b15257c99764eac

SHA512
a220490af8af4b9afc952d11f16d3b21ec04b0da69814ebea2b85681dde388676629eb0ded8e796995e2efe823f53bc80cb51aa5398bc74c13ec59060099bbc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
958c901aa9c165c15d691f0b77a560ec

SHA1
a11ce5bc9dbd04a7e4533a898e45467c9c7b0628

SHA256
daea22bcf9075ba6b2cc5d1432bb4d1f14e7607b53fcf0473a4320d34e57c62f

SHA512
8fbe26657c80f079fae718eb307678a6d624970151af637fe59e9bf6e24c43b1c72ac3f9c99483bb3e59cb45ab7a8c873e53fb9e45513e7ffdf3f06cbc074cc6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
833ad360f5b55ab7070a125b58fac719

SHA1
63005361b098eeee2ded05fa2b221d82865bd8fb

SHA256
9af5ce4057b9775b0ce33ca3eb1eb8425cf5a7a3098abdfc8aa3bea3454bf297

SHA512
1637c8b20d484bc0947946355cc11f60201702e5a7fc7a8e35666f1747022efc24ed59e0abff0cf8cc20f9aadf7c42e436245b60a486c7a5b1aa8880341264d5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\bmadamqi.tmp

Filesize
637KB

MD5
f665752c631d3cfd135c4f59105b2670

SHA1
e88aad202ebb014921ffd00402bc5354d99bb0c4

SHA256
85a57f7704b0c765028fb041ba70fc8042ff0bc7f4331f4dea96b887efc343d0

SHA512
997666d56fba0b4568a959ac8f930c1a48ede017c941f76e7066b3b0403bd08b86dfb37ecbca7ab5be238ad51a017d65f142eb0975425f453075bc2be38b7fc1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
e945f0cf0ddaf63f52b0c0e39af67b51

SHA1
d4c6a2e92386b45f744c209403347096f813fe71

SHA256
f82a878b8d23e13eb793fcfdc2114799d762e7f44d508af701b384c81c396ea6

SHA512
6ab69dd5cd87ae0ba90bfc3884b3a693ae98ec9fa19d97628435d5cae74ca2643e65a11f3cb9cc87e58df5680316788b111693f67d2bc74f3acc41b3b00ef93a

Download Submit
C:\Users\Admin\AppData\Local\jpjmqeer\fmpjblhh.tmp

Filesize
625KB

MD5
8f0b65c4d8c4314ab1dc1d5294aba9c3

SHA1
f127a4d61925de0b417872e98f099650f3cc4ae2

SHA256
cb60c5410b0c3d44fe5ed314d1101f4cb11d82e4d4ec6fe5232a24decc5ed236

SHA512
16f8a60f2ba2f6dbb2d38addca3e48f797b9eb608b0fe41eb9dbfa64fb3ff4b6d94a9414b84c750235f9c8c34838a2a0b6da8e611193d83e4faf491e5a69213d

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
73ff76e85bf1515fee3fcd5f6b09a482

SHA1
9ae5984ae354cc8d2bc8b7b0e3ffcebacd0eac79

SHA256
d846ba36c2e9a842e4bd15184a29d74f860542b631144aba2a604ac7e9ea9bb5

SHA512
bb7e9caa4f883d24870ac02a870a66b3c2f890e0520a2e0b9e5479bf7c5c157e7e5b48fb7c6d7ddc9a204ee1104966740eb5c3fd96426a23b068353bc31a98f1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
12c318b7ef319e032a33bc93c3591b2c

SHA1
32ccaa6f536de50bb416de26bc6db6bf354b3f42

SHA256
64efeb16a81565b43782ab127c5ce33bc630a8e4de8af5ad845640a947bacc66

SHA512
851b15d7d1f3f4333d7dccfa98f8a7afa2e02757e7db0933e6117eb1389081c3db2ec899b5add87f79c8d829449f7fe0ec3d698c04729eaa223b92473f058741

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
56836076a427832ecfbc5e85595cc5d8

SHA1
5e6205627a2a341712f22622bc338013381a2689

SHA256
18c994c73f1f649a01f7fa030b8ad280fb3637f775bc799b3de547085b6fe1f5

SHA512
14ddc16029168effeec083abce8a20898b25a0fb8b068e482de02340e3b65f53cd86dc98c6956eb54e55b54d57d9c9c31812324abc1070436237c41867fb4c38

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
05e3c7560aa19b54522526b1acbf9bca

SHA1
84ef9940f60dd0e531306a8bac8eacfc3527249b

SHA256
bf25d64c18d7b1f64562b71f56b165f010f576d9c1e847c565deb75bba17e555

SHA512
399172cdd19d77378d65d2267e17dde23641b44a2d8f9b6a463f0cb4f9c499f5035bc6f88bfd264ec6bfeb5e3ea4371aaf0703812898238858b4f15b02131262

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
44a506fc3a2a0b003ca9764d95a31a98

SHA1
c7f51639a770892508284aa3459a5241a5271f6b

SHA256
dee41d7a0bc8b84e600e9c217b45ea5e26fa75496923c60bffa8fda1a3f535cf

SHA512
18ae31db236c71837e88e7122b6c6076ac98f7ed0b32fe0993a8d70e4738d410474a6f9d379b73fbbf3af3856d64655ebbf7813da401c11ced322ecaef87f06c

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
1e9f77d4e01c8babe0200a5059fc3bf7

SHA1
318e214376a112fd0bef4055a9edff66f13757f8

SHA256
3962f8f60dcdcf113ce68166037671797f479a10d41db2ea1fa45eaab0a82ca5

SHA512
775eecc55f06a04628fd0e09497d0b5454fa28f5da457b588e99af84f39b3728f59d19068e1134d52ce2f9ab752ee05f5c3cf4530e52364e2ae604cf4499a3f3

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
5419af6ee9a72e910c7e11b86aa15e32

SHA1
8b9c9fe2c00ab4bdb844b11fb6a4b7dbe5a19783

SHA256
5effb6c9a60ca84ebf3d85696641d2c1da948b57415c770033149a8f1f21ddaf

SHA512
c39df34ae30ebb8a205c0512152cad0968f3c32517a36cc2fd9dcdc27f2cb1362a3a2cbc54e9f55efdcdebe0d099bada8375e5b91a02bad3cab33194f7830e49

Download Submit
memory/1416-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1416-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1540-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/1540-57-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/1540-64-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4076-49-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4076-47-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/4076-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/4076-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4076-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4520-48-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4520-55-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download