expiro | 6b2b66264d21c6b51489406ae6f8e02c7522ce39bb3c3cb5a8bc694f640bbf66

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
Size

625KB
MD5

d3d2307888621834ef1180f905516a30
SHA1

d0dc3acee8ab987c522d83fd15b374d663188064
SHA256

6b2b66264d21c6b51489406ae6f8e02c7522ce39bb3c3cb5a8bc694f640bbf66
SHA512

20704c2fe63102ecd92fbb98b9c054bec3b76e0b9c79b3387198ddb6ae95ca0ad22ca74b7cae0188c70ac7fc8c73ac074923498e79fbdc64a94248aae78fdf77
SSDEEP

12288:XVt+w8wyv/Y66WoJM832hOvHPHlC3MXGimg8KnpMgq:lt+w5yoDJjvv0cXGZgXnH

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/4560-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4560-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4560-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4560-47-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/4560-49-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
3216	alg.exe
740	DiagnosticsHub.StandardCollector.Service.exe
3352	fxssvc.exe
4812	elevation_service.exe
4500	elevation_service.exe
1368	maintenanceservice.exe
4220	msdtc.exe
4640	msiexec.exe
3036	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-493223053-2004649691-1575712786-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-493223053-2004649691-1575712786-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\K:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\M:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\V:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\N:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\Z:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\Q:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\T:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\W:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\U:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\P:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\R:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\Y:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\J:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\O:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\S:	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File created	\??\c:\windows\system32\ncqediff.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\ociampjb.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\SysWOW64\phjljmlm.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\lobgjccp.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\wbem\maidmajc.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\gdpmknfh.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\SysWOW64\jeodfeeo.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\fchanond.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\bmmokben.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\egaklogh.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\mdhqlnfc.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\kiajohaa.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\system32\bojoechc.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\bdhpdhmb.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\goaacnjl.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\SysWOW64\ejfdihem.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\system32\panlnioe.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\SysWOW64\ejkgpfbg.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\ieoadoil.tmp	alg.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\gpdghekg.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\kahmiqmg.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	\??\c:\windows\servicing\onhljpfh.tmp	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe
3216	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4560	JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
Token: SeAuditPrivilege	3352	fxssvc.exe
Token: SeTakeOwnershipPrivilege	3216	alg.exe
Token: SeSecurityPrivilege	4640	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3d2307888621834ef1180f905516a30.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3d2307888621834ef1180f905516a30.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1128

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
2f7eb339e1bb8120f45657844844bdce

SHA1
5aff91db0e22917c2536d923d482052fd1ed3ffd

SHA256
bd42ed29bf14a16828b53fd57736712830fbfa9250faef38eb8348644b0688dc

SHA512
bbfc4aa670825648b5e2cc58f7a7e03dcd9783cc0168ac333bcb7b32549d31cbd8e5bdf8593054bcd6dcb1b3a3eff64dee95b828e3e396dad1c10657aee2b4da

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
63d18b8b2cfedcfe37a575049babea18

SHA1
72a00f01be51b7278589ac5b9036d31cb9f8ba5c

SHA256
2f75d1d27535cc0b9872bcf949376536a2cdba60e8e130813c3b86da776708a9

SHA512
c58b387171f79c096014fa0a9e14f3903b0123848471aa64342cd5beaa5ca08e66214d51e212f1d456071099b98584c4e07b9a5b3e670e555a9933d2e3ab87c9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
8f8abd738d53db9a0cff1cd5c5b2e87e

SHA1
bb9010fa1eb2061a8c6b4fdbc6a83c6264c1756e

SHA256
030a2b2cac5896211e8ff82a25141e29ca7b369216461ce8c57e8a01c1c053d2

SHA512
8bd7cf3e4273011e629a0df1c1de2e9c2df00cd3bbab7d3461a317032c752dfcbe127e563454efd68dc35abe35876aac2dff39e6b87f499cae956f9c1dfb7209

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
dd14d9d0c7fda013879174fd1dd833a7

SHA1
33e7ed473bae6950732fda122519a66d622b1279

SHA256
7949af72af5e00b54e38bfd51af4df34df9b965957d5775349db2ac9e9a1a030

SHA512
b674fcafffc26132ffacf2ac0caa2abe02bf85d5d18e5dc4af88d32a0e84319518e1aaedbf6f54e56652e96effe1e8697bbcc2782c4e5c80458f32abd093e146

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
638d3d2015bd2236c3766eb9ee16861b

SHA1
418700edcb7b53cba4e4db20d33be1abd9ba7d41

SHA256
626f6f69394943bd240e88448bb3db1b2e8b2c3ee318d491b70af77fea54b411

SHA512
19d3120362832a3efe9a8b20bb18c7725b5ee33f2d3f266837987c8ad2767690725446e61d5a85521d895980cf218ce57a18ae10af8db07b165b8027e72a6d29

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
868a1c44aefbaaf80fc6acce4c109a50

SHA1
08fd1f575e398aa900c328a743f49aecd1b2f880

SHA256
39434e2ec7b946324b0c5781b8a1a19501342468e8f15d0bf32889ddb06da9e9

SHA512
91f9c770cf12f4159e71364aac580d89c308eeaa9a540d1b6582fbd8378c9ba3617b51f5180300881f3587205632e1259fa8b59b52aab1655905dd11015ae245

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
eedd802dc63680b92c4a7533e09d1f39

SHA1
267aacdb9c4ab12c4d72a6948579c565f0e2fecf

SHA256
68976c5d558f70a3135444e3441fac5d16a0489a66fd879cb3cc8b359cf234ec

SHA512
4a1e69567cf2465d7278df45e01b9de7c6dbbde221bb0e24782d6f315c281f8fe1ac3aed2db0d9a745a9a60dea8b87003e34b7bf140d70030f948ce8708e98cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
23d5251563c14cac48fe77211f4c878c

SHA1
3de2d53185d8f12831a835b4b8690ec7e75b85d3

SHA256
470e62bf19c104b03d0334c7f3076238ee7fe952d8f6bc4abb5adef76babb0c0

SHA512
dfdca3394f79db278360b4ed2929391702e3adef32151857ad8c9a7629e105846826fd9594ed6ac3d9c10c94fd0be4be6c79cf6c8ffa8494a490c80aa7d054e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
9727169782ac0010dedfa5457f191cdf

SHA1
ebfe5e03fb5a3a32f106224bf2407b6727de5605

SHA256
d63875a7d6bb720fae13722b63a069364c00f0648f42e58889fa237897129552

SHA512
7c23720868c5f6e999e40abf8305873d1f5d0c1f7f6abd33f21fef0f58f0a007db50abab57615cfa2b247d89dbae4c9938ae1cf9ab0dff4fcd137affa764121d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
b2a794a1cc55832edd8b357334d9046e

SHA1
fc503cfc71ee5d4c7abcb9788d7d5261f670076f

SHA256
8b95dae6d6757371ae84a041d1bce279336839ed9beb942ead470b23f30fcbce

SHA512
6b4887a201056b427ec335ed3b49a02a65249c6bd81da4cf92d6b60855f23bac2e2615f02b82f5dbb7ad0bcb0c4199e64b6aeed49a97b289d53ede1d381c43ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
91f3de0821bf395703b4c2695d34d270

SHA1
e0e2386baeeec8c11c79c5fcdf00e46cdcab1784

SHA256
0c30c17142e5f760a122e695937aeec0e7460cc1bdcdfee4e8191831c61ed6cb

SHA512
941b8078090b21169cde70b83b2d48961159bc5890df6e475482d84bf3f9db75690c642d19b7594ba75336358251eeb0beca15833bdb919e15051e894c2adb1d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\ieoadoil.tmp

Filesize
637KB

MD5
c04efd658b79c45cd5f8d6fd8f570738

SHA1
d97ffd454cbb6f35232d120052d1eee2a3e91974

SHA256
08c06030badea91bba306d8bdc9732325f78077601ece93fd79d1d195f21cbc1

SHA512
48cac7411705c87820334697144738f76ecf23b90f81936893ac83fe114695e8c282aac9f126a784df25cc5f66fece94c8eeb76ee37514b2a0a1facddbbb4b79

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
155bcd86c8706ab32b9a27d4f4f2b0e2

SHA1
a241ce50cc66e870f5e85de2ff9d2ff0986034e4

SHA256
75790168c447cb6bcdb5fa63124bd8e47cb686a49a4b09167d0b85e30cd753df

SHA512
0f19b3b47f72d3059993fd0e8aac184a6ee0e36a66d8ec86b8648ae596aab2607beda495b06180cf551e4b6dfa36c954792d7820fb88878ddfcecb0e0bfab7d7

Download Submit
C:\Users\Admin\AppData\Local\cmkqbird\highbold.tmp

Filesize
625KB

MD5
a7e4107ea37946240bc3a7461a12b991

SHA1
ae3bb2f827488ce223f37ca499d4b74123cea27d

SHA256
adde7a9bfcb651bd1bdbddeddcba8d4783e20ff594f3dc052814f27966ee9175

SHA512
d1deb9e65932d335d6024726250fe4ad2faf21e9d7825ce60828a50368c3114dd1a4c837bbd7cb1c7c81272a1ea1658a11b8aaf319b79e7696b8d5465fa1a817

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
dc1a2fc46734bb7ccc467d2c6e00f277

SHA1
11c88c043f05c3fd5c4f496dd266e60bcec4731f

SHA256
b85763297d86d744914a0bd78e2d20faaac02d8f753fdf5a14207449731684ac

SHA512
34ad1884d308b0f4b1a0a49ead8cc85c350e01ae9653b58e5bc72953648691dc0b1deb6ba06c0ccef3b9b37a4c0a259459d3d9a037da3ccd32bc16b996ba9b8b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
4a7e43140b473383dd254bf8f5c560b8

SHA1
bf0d7b9745a9de8b7eabaa66aabfdf104e8789d0

SHA256
4e8f0678991a627d9d3416b50bdd810585bbebebcdffa2cf37440414b6037868

SHA512
84b21b28e9e4bd252507fd7a7f0f4010d76f73142c7c30ef6f35850101e299600fb2b38abfda6d58ffeabd14254677ffd509d876fe44121a812c879ccd53160f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
fb7f99de35577ea3387b4810befb14cc

SHA1
7b8ddb9342f5af8c6511690ee554d1337e3d0ad8

SHA256
4c67420558d91108acfb4ab9baa7887ae70e13ab17767996c8f8733fed50f919

SHA512
d73a72a2861bce08c28ac3f89fca425fc56d86c2f5e620d5184454093a767091eb27f8cdff450790e8c13824f0cf002670e2441cc9215cf6bd85d86ad43e5376

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
a10f5c7594c2bcf5c16ef0a0fd495f47

SHA1
0fc6f9517c66500058ed359d636e7032128abcba

SHA256
c6d96395a80763e69fb4bc44c1177c0388d014435eb1a05233ed885bd54fac72

SHA512
bff82b71dce492202d0e88312ab212b9b57316ae84ee60ec5dac9bf10138ee8804bf34df0c94983299c8b47d5f817600dd6dcc0b6331226f43b2ef27ce3dfc62

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
0c13f918d0413142114cd93614b31109

SHA1
c45114f9126683c5dc0a81cd22ac45868a02949e

SHA256
22b1dff753ce16075a9f61c183e9b468b6848bef961d923b05a4d516b12b73b8

SHA512
546b567d3601bf8946d9a48f1e8800869591f3489778f64b8007d5b2d8e6d363c9961ddcd04a088acd37668a1e5a3791ca1e109f8f05fab8e3ad4d599727dddb

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
5d6f6c35c9b0d41605d23ae5988d6bde

SHA1
20f02a283c6104e0d219fe62da06e8726da302d9

SHA256
5eafc66854a10ae3afa274cf5429f25828e7eb45459c99d1a9efd215d24956a5

SHA512
2458da6b012de3af0122f6317ab92e30ef6589def7334730017befc174619836720954d99156d7253f20520255fa0d2f3ea29199deca49bee9952a79c4645f33

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
7cdf603b474df8df381b4bd937d4114a

SHA1
2cee332f0d7ecf0a61ce2c198cc14b9bce5450a6

SHA256
6f9b3da77a1d455a0ba3071e2de40da113587451be4d00183ce7abb36e668a5e

SHA512
ce807aac521beb0482f7cc99d854aa2a6a02feddc9e78133e4b6f480e5a3e816a7d44a0229ffefe50ada8c16da55def9fdd4687a641dbbf6835f722bc89f2870

Download Submit
memory/740-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/740-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3216-64-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3216-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/3216-57-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/3352-50-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3352-48-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4560-49-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4560-47-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/4560-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/4560-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4560-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download