expiro | a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
Size

406KB
MD5

c8a46327ca3a8a0a5db01c32ba508f20
SHA1

0e737ae39d373dda72816d12737163ca068a7716
SHA256

a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625
SHA512

468b8b3a828a43e073af6d4c02eb356e608262b1496044e94d0d161eb1976f6d03f6fc23254086e74673a4ffea5ab9054813feb8c5ab0e18e3c5a93cef55e980
SSDEEP

6144:KIzfx0tsmxGjd9suGjWIDhAJSbnVrw8/LppZ2oqIqOEhspJ:1fqOwGTlW9N0Qrw62obqap

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral2/memory/2360-0-0x000000000047A000-0x000000000050D000-memory.dmp	family_expiro1
behavioral2/memory/2360-1-0x0000000000410000-0x000000000050D000-memory.dmp	family_expiro1
behavioral2/memory/2360-2-0x000000000047A000-0x000000000050D000-memory.dmp	family_expiro1
behavioral2/memory/2360-4-0x0000000000410000-0x000000000050D000-memory.dmp	family_expiro1
behavioral2/memory/2360-5-0x0000000000410000-0x000000000050D000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
220	alg.exe
1916	DiagnosticsHub.StandardCollector.Service.exe
1176	fxssvc.exe
1356	elevation_service.exe
2312	elevation_service.exe
3328	maintenanceservice.exe
4468	msdtc.exe
1820	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4050598569-1597076380-177084960-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4050598569-1597076380-177084960-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\P:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\U:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\Y:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\W:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\N:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\V:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\Q:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\G:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\R:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\T:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\X:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\Z:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\J:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\K:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\L:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\M:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\S:	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\eqdcnaja.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File created	\??\c:\windows\system32\ofjdlanp.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\jbmimeop.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File created	\??\c:\windows\system32\perceptionsimulation\odaimdcn.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File created	\??\c:\windows\SysWOW64\lmnoaoli.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\bokdepef.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\ekiacmpp.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\SysWOW64\pelbobbj.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\lgicengi.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\onbfeieg.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\SysWOW64\kfahabkm.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\gjagjoke.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\diagsvcs\inmgfgnq.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\omoggmba.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\system32\hncbnbbf.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\windows\SysWOW64\aokpfoje.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\bonlnqnb.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	\??\c:\program files\windows media player\gmbmlfaj.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe
220	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2360	JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
Token: SeAuditPrivilege	1176	fxssvc.exe
Token: SeTakeOwnershipPrivilege	220	alg.exe
Token: SeSecurityPrivilege	1820	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3856	OpenWith.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8a46327ca3a8a0a5db01c32ba508f20.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2312

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
11073bfc2cd5edf788a4da16fcfee1b0

SHA1
6584e51373a2dcaf837ddc5d74263f7f6419f1a5

SHA256
c7c313c8c681c3a1e446c9813f440202642f0126b1cd75e07ed6cc8ddcf2caaf

SHA512
cf010aa23bd243c258a7dbd8d0b3195aafb2a3b3e9e26e9b9e7a59fbb555b35b01d2466b0f1eb6cb99b05a41cab2496fbebc27a7e4a4104888d39a63f64a1545

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
9cec9b6fd409dbc449b63e7e00d7154c

SHA1
7c783f58e4e48726d59a79326d6feb12e541a7e6

SHA256
2b8f51668038653c015962e6dc5c8c32dc9bd330f62a2dfec2290dec36c48cc5

SHA512
fabb9703aa4bf5e8a4a8c25181ba1c3c5f5d67ade2220fe3aa21d47d0aad1ce2605fbc3ff6b626040269cf05348f90cc0578b62cf1813283bc7cb645483bbe5f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
548bcdbf9eab7e825053be851fd0c5fe

SHA1
65d0e164e9477cea7a584031ff004a9cfc5e3022

SHA256
2125b76602dff85f02d2cee68d2e037e748ec5089beba52ffeb86d3b14c9988e

SHA512
f984388067355ca0ced63c955b4b18626253a7de8c41b18e022fefc24e8af88495ca340ee81bd1515ca16de959007fddff23a30329e8ece62e6224c9a9e6a1fc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
f04b5eace639dcb9c1fecf36b355628f

SHA1
5f83bd6b8bcdb6b0c9a99b2e7a7b42fedfe96909

SHA256
4878274fdc82122e4385a2fa2056029b81c26763c58f9524105b40288254392b

SHA512
4b6add8efa852791066de6e7fad292ab0d68cfb24ab7c645aa9d2e9122c6057ce0d4e578cbaa9256a2e77d9a7ac725eb3b8dfb3fead216446489e48079f655e5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
5f34d5fed5ab57a6f2bb9361b506d7f2

SHA1
fad4b3580438e8f506ec33cb077ba588f164ca64

SHA256
cb177c803f0395de73e3c371f2e41ea746fe20a2c7a13fbede96f4ea76fe78e5

SHA512
c355a14e7d5e1d4e7b832c546248561fa88e03998c6d0adfdadd6c207ffe8fd53f2fdc1e2e036c3cf8c58f47608f234c9e4950481bb2237f893e112a81a71703

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
1260f6c29c945c6d9706dc2681fb6f60

SHA1
9ce122aa2038cd9eabd9c40d64b9c77713e904c6

SHA256
673975f795a6d16d639f7ac00378d23fcbb86f1874dbaf17b4fd07913552c2b4

SHA512
16ef2bf114f24ba012c5f09ace4ed95eaf04d65b1093bac8ff67b5cfaf1665199b8005bcfc92f6271c51fa01a7b95e5ea9a19c28e1a2e6d9b481fb8546a7d574

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
25e8bbf74891bf48c3573c4913464a13

SHA1
e7b71b6009fd75d2e1b934429a626b36c28ee0e1

SHA256
f396abae1a8c4cfce0a771911cf66f1c7ef3dde673c2435e2b3b49165d8c2175

SHA512
a052bfb0ed205249511a18835561d4f6ec5b6d1e0c87c7e60bae885968b5031f4ea4574764f7a6fc681ca64e1eb0bd4906cd9f606e20679368b2e01f814eebb2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
4bfb82077f4f2c6da214a5abc7c77d89

SHA1
9e1d4fc4908e28aebb49a7452460a4682fb44b41

SHA256
601c7f285d68562824851b53700582eac8b486bc633a1fe4bc165e5b1e12a726

SHA512
9684069b76574297f26ca04440cb14f7047dee84d220f74c3260d77edafd40f9d7b1c1ff81445d173b3f1bf71a3d8350cd4f04becae409ffe0df5cb8a177698d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
52e6befc8868b6a7b7c055cbd3a620cb

SHA1
a897d590a8ab42c3a67a6d5b6d6fe59b32d2395c

SHA256
72e9d0ea2008329f3f4b6018d68d875c021b242cd571835e2a983617e809cb2c

SHA512
2e4c9463d3794c80f33f0a566269faa11342abc4cfe60afea520420e9bea109742284bfa271ac50285e0c6f69c8d7adb0c368665bf75e552da332503764d9334

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
2db94bcad48a134d23b0b10e81ae7aa9

SHA1
e48a3715182e412aab1708b088d95566661bde8b

SHA256
f5d751740fca2af8f00eb8ae4a3f6e57fd8f72c4f608455aa146dd15a5713d17

SHA512
5f9597019d25accbd3675e533bb7edaef698ca505f9fb74bcbfe2d1cbf17f84cfd3a399849451bdbf808ffc394b24eaf80c2daa2dbd82f1c510abd9d78c6ceca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
ecbe3894fab03dd15a94272adb0f864f

SHA1
32833193c1cc59b0b19bb54efc96df75595d3832

SHA256
c5efc1e80b0107fc2a58da465eba7ed1d5d9f2a04d2ae4056f872e719e6d5e1c

SHA512
3f3507cff13bd093cd6cbc21145489f794cafe2a51bf359d0b9f78585d0c1759bac730541fdc21c2ee14259c93ffdd1da9971250001f7c3a7a0286f3954aba4a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\fjcbacch.tmp

Filesize
637KB

MD5
506b0ebef2f067c6412c41f06d6fa618

SHA1
0b30cc1d3bbb0a70df52ea7a107b86074db7e6d0

SHA256
1556824f4683dd215df850088e0e4d9710af240e073a41828bbee7d19835a52a

SHA512
8b14951b0ea1f102ffd7565ef18b95c6c0317e98f5e1c2bafb8f4acd1d3bfcfe8d94be9e6651e3166a9b44c2c94272cdba511d96ecf6e8f7027043ac80875a71

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
cab07b6c83878a244662d9900f2f3365

SHA1
b9bcae1910c8f28b8bd612a5eaee0c8dcf339304

SHA256
23832a85b080eadd64376a532fbfa982be315e8836fb8ef87ff429ddf67a38d0

SHA512
59d0b51f40f0984563e0716d7f6c96b67aad53b915600790182787bf50cff8515490a733a3565e97c288d57ebef495a4d50dcdb220d41316c3087d3ae00ae5a2

Download Submit
C:\Users\Admin\AppData\Local\qoakbbne\jgpmblnh.tmp

Filesize
625KB

MD5
6d8e7f392ef6ea319a11f49d333d7a45

SHA1
d6fbfbe785f64587534fbda2c92b7ee6df7c01cc

SHA256
53290dd5fc575d779318a8895dbbc7ee2d183895fb37dab8fcee30f8a03f4a54

SHA512
e67309c8a8f8a3719c94fc5ef469e3dde1e54f0f55348dd91be8db3b23a1ee7e0d56325bfb7f3581c801a19a335c8843ce12fc93c552bb620ea6f9fc5374f55b

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
a3fbafeec3eaba55a491d964f57df00d

SHA1
847545bc66ed4179c01eeef2e57fc08ba4ffbd30

SHA256
f576d3cd0ab5ae73673f58be7e2ca5271987b43bfa12bb33da6ff31e53265ba5

SHA512
cdb31fefcebdf941240b419ffaa49a947e1706407ea43d25aa7c5a0502a8e5c909c42f3ca24d267438db7577b3b3603d09c84d4f46ceda1228fd7520c159abb8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
dd1a4105861cc09039f306e7c41ec863

SHA1
6233738c304936fd24f7dc1d3c65a9e1c3c267e8

SHA256
fb6443adc088cf93798e85c5da5d29cdb556748957ead56e578bfb63d5c3191d

SHA512
422745ba38d5494d85f672fadeddcc8c89045dd65a796cf757f189838bb7e76a10efaebf0d3b9681e2fc1800864001fc5ce52538812571df8461d3ac1c7c4dee

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
c4be1fb6c7763a9c8146314f18bc3035

SHA1
44afc832dc2d487598580b25bad3280a496b840b

SHA256
2bc3bb74acd121376a0f0c6363a0c4127d0aa72d1093869d05e34e92cc5c7e1e

SHA512
90b5857abcac3c8c0c0256252619100720ad2cb8ca099f1829b023a1aa3e60271790f982d42f45759c28a166204015e0eee33c3e1d2f072b77cb528a9c07bef0

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
4d1040a02e6183c7109c7e541b3de458

SHA1
36764bd24e49035f99dff22573d8a5d52fec5712

SHA256
06636260a0d1ec5fe1607130d18e4060c6f3bd31bcbfbe5a8df88aac741b0e39

SHA512
d1d864a8c46b3a43e0b9c22865034ae0bf9ae4bb2d15b1b6a22e86f27206b17b8bd166d4d562630fbe0cadad3b39d1e72833ddb6dbf8b75b28a65925a6aa0f97

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
d4d52d40a55d05f632c5956e506d69cf

SHA1
95ed034d799fcf699ab771f4c7e81639f82bd0ec

SHA256
fbd7f9d2417bcdb53f74d5f513f83b81d1175799eb4f2162284bc1830ea02114

SHA512
68935a8770ab7502560bc48d7e3f97af3847e4cd0215082c912e131503e82d2ddad55fef06e440360236c54f2ad38785a06c96f9b2bcd5b8c3ea899d93aa79aa

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
4e8a878950c68beff9c328933392817a

SHA1
ebec4f2f728741863901df0b20c6b8aa62f35a2a

SHA256
d4c8a263f8d0b01a02e2bbbc233fbe9291cc899b59b0b0ec737fa7b7a9298bf2

SHA512
558d40b67d6eb1b8f4bffd017a0bff56615009d096446d34844df8394a8a87f377bdda3e2f902e5d89a2aae82d20de62eb5cd6c8ec09470ba51a34c925643eef

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
11d5fb043abb741e58fae58ed18efa52

SHA1
e4204e9d843ef41febf7913dfe9f2d113f9f14ff

SHA256
5b413cb393191edb8efce3e611b52e49c8bc8b0f59bd5acd54bdae8527b08e4d

SHA512
a2beaf57b32cbd46547a629c3c638e67749d4b48fee08daa6b4e19bde811da16c55bd04a40926910d7535220f1dfd8cb286afdff4c10785a237eab6e96557777

Download Submit
memory/220-58-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2360-0-0x000000000047A000-0x000000000050D000-memory.dmp

Filesize
588KB

Download
memory/2360-4-0x0000000000410000-0x000000000050D000-memory.dmp

Filesize
1012KB

Download
memory/2360-5-0x0000000000410000-0x000000000050D000-memory.dmp

Filesize
1012KB

Download
memory/2360-1-0x0000000000410000-0x000000000050D000-memory.dmp

Filesize
1012KB

Download
memory/2360-2-0x000000000047A000-0x000000000050D000-memory.dmp

Filesize
588KB

Download