
Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/01/2025, 17:21

General

  • Target

    JaffaCakes118_cdbb18b0a3903626fbc79229f066a9a1.exe

  • Size

    406KB

  • MD5

    cdbb18b0a3903626fbc79229f066a9a1

  • SHA1

    5a53bc89d07b97c10a688e49c9d6e9f8eb99d918

  • SHA256

    57a611a9f2602fadde42694a864a94b75c41934656d505c24e02e8c154d440ba

  • SHA512

    9c4449fd1601fa32843c05921261ad4d9c973343bc90ab767ecea4d2819d14fe83f15eea170b8d6ec3da3580ccfdc73113b89aaa941ae32197a255c1a6cab32b

  • SSDEEP

    6144:UIzfx0tsmxGjd9suGjLIDhAJSbnVrw8/LppZ2oqIqOEhspJ:LfqOwGTlWcN0Qrw62obqap

Signatures

  • Expiro family
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cdbb18b0a3903626fbc79229f066a9a1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cdbb18b0a3903626fbc79229f066a9a1.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2020
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4528
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1096
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    • Executes dropped EXE
    PID:4564
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:3760
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4524
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    • Executes dropped EXE
    PID:932
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    • Executes dropped EXE
    PID:1768
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    • Executes dropped EXE
    PID:3600
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:4376
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4688

MITRE ATT&CK Enterprise v15