Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-01-2025 09:42

General

  • Target

    JaffaCakes118_c4e91c65f60a9a8b330485609f718c75.exe

  • Size

    406KB

  • MD5

    c4e91c65f60a9a8b330485609f718c75

  • SHA1

    adf44e30844dc2cf0c9135811451e8f4ee234d2f

  • SHA256

    622d11aa1788672b5e591214187ca9a389d86411138842944fe79291b357cc95

  • SHA512

    0a397c36336eeb828096692ba1a722e2d4b27d3002d03531e251dfd4e0648751b22ca06070fe18ebd226b3d16f35fb57eae1f15a53c86e466f1ad3fbbeb07e82

  • SSDEEP

    6144:lIzfx0tsmxGjd9suGj4IDhAJSbnVrw8/LppZ2oqIqOEhspJ:4fqOwGTlWLN0Qrw62obqap

Malware Config

Signatures

  • Expiro family
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4e91c65f60a9a8b330485609f718c75.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4e91c65f60a9a8b330485609f718c75.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1056
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4340
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:3544
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:5096
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:452
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4564
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1924
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3376
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:3496
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:4732
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:436

Network

MITRE ATT&CK Enterprise v15

Downloads
