Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-01-2025 19:58

General

  • Target

    JaffaCakes118_d0fce1bdfa2ce50c34bdefaaddde99a6.exe

  • Size

    622KB

  • MD5

    d0fce1bdfa2ce50c34bdefaaddde99a6

  • SHA1

    2706984b9d962685430c3cf109fe013f70221873

  • SHA256

    1d937f5a9dc0653c669444397cf781de6dce294a408ef73eb9c35f8295d47a14

  • SHA512

    a19108e668dca821490c7ace94c7e04f1b24ac4799a177f879edf0253bece825a7eab19b9ff7230db44abe25c2bb1224c6b57d1d74f7120bb462929c6e894b57

  • SSDEEP

    12288:PbDVP4WA10Gp+Cd4jNOGiiVhNTrRjJx0L311B9mPDB7IiNvp:DRwWA10Gp+lii7NTNjglk9FN

Signatures

  • Expiro family
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0fce1bdfa2ce50c34bdefaaddde99a6.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0fce1bdfa2ce50c34bdefaaddde99a6.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4460
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:3628
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    • Executes dropped EXE
    PID:820
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:1096
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      • Executes dropped EXE
      PID:3240
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      • Executes dropped EXE
      PID:696
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      • Executes dropped EXE
      PID:4904
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:1404
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:960

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      674c822c7265b44ac19b66b46f799bd6

      SHA1

      ee5c7eb3ed99a39e890e59c4be8190f64251b275

      SHA256

      512b3b3ec84f5bf3fd0188f553a40a426b9fdc288e81a0509648c7c6f1f43c48

      SHA512

      2d3827aebe2cb41a28d619a868eb277f791d3dd7700fc48e280f59ab1bc1bb4586a31f607059175f968a7a59431e0b0ccf023ee3673c29dca9b582053bcada79

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

      MD5

      c39d6fa51f92dfa9f3a29c26f4238f23

      SHA1

      8c9d110e571917590684b2af2902718e2fac7391

      SHA256

      0daef9fee9dc2082d6bf8c9ae71c9696cb0cf283cc030df027fb0ada84172493

      SHA512

      dbbc248279107c167d8f01baade97371853040a7f202e927a0ca91ac1ecda0bb2e4cd18e402661f58b55a3583674981cf6044b3532911d189f35bcb778aad67a

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

      MD5

      e9dfe26918eaed504955cc65e0559c60

      SHA1

      bee9d7f3d418e708b28a7788976384404636d0e3

      SHA256

      5eb5019c9a3bac10215b489045a587ba440828f38e101af3bc1fb88833fb8003

      SHA512

      af20c78dd79f4508083fbffb4cf824bafef2b78545f7c32963a2c34a7ee270215b27e161733c47f63da9bc79d030c326503334f39a1788d55c581f0b336fb056

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

      MD5

      d97523d169eb64e09fbcd03b612208d0

      SHA1

      f8bbfcecf61455704f95f74632a86f252fb74ee0

      SHA256

      4a02b15425f07cdfb2a58bf729f898fec4589ee86421c31e86bde59a811840ea

      SHA512

      c2fcf957cf11d43fb79ba0ebd95ff7f95470dda2f344016aa4455ca139e6e6f40e4a4108e140f6f8e4dd3220ce671431597e858c8b09a0613e8d79f36882ff59

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

      MD5

      44ace5bce4d5adfe06216c301a3cc3e3

      SHA1

      b077fdefd313350d46aed9c56b18320b23f7554e

      SHA256

      43750a6c14382726b3a53a41a10393522e8b242a32fe4941529eefb9c92d5fd9

      SHA512

      00d3f68c16f855953706d16951590299d7ee552953004358523f7c903f5dcdedf8ef84356ea41f6ceafed586032a31fc0f678deb744f1951dfbddc77dafd4318

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

      MD5

      b1d224893df5bfa83d3a3d2c36c366f7

      SHA1

      de283483914a3b896b4aae114624050697513834

      SHA256

      7615c01e403cc5eb5fcc6efa0a0af57a2fc859cc2231a211694d39a500fb7f4b

      SHA512

      03855f4ff2224e19c0a7cfe86ab0127d816f31b7334af7d3a1fb314a758f8974f33bfde4a7bd7539bb7ccd4e06977ec76faea35264fe844eb0ea2ae556379e04

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

      MD5

      31dab587bda0831635bf9d43bafb8264

      SHA1

      79ffa76d30b3949c2af7e7d8fb054ce348422b79

      SHA256

      ef48126a50794dd30feda260d0eaf77b75f4632bb6fac7fd1e04d4d952baa3ca

      SHA512

      b2b70c514d71effb5472b60f88237da4c37495190559deec08719def8fce5c4f0683de470bc7af3282dbdd6afdeaa9c87855c9af79303954d78d47dd789f49ad

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      738KB

      MD5

      37f089794291de85da3efe6c7bc59aa6

      SHA1

      14ad1e42e85b5fdef862d47c421b8c4428d63661

      SHA256

      aef49214fa5a914b25b3044db81e30bfded16bf47c2d9b5430132af53302bd2e

      SHA512

      2fdda373230a3531d8f0e0820008d675b210245d1c07e724648be3c2ad92e1ca7a391e8b6c279259bb3bcf933af3b5f43589dc68fcddac7a2fdb84a7df667be2

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

      MD5

      e706269aa374daf3a3e5416060798a31

      SHA1

      6e392c40d034dfc7782c08228b08121acb8de112

      SHA256

      9f525fc668cd5e5f264210252a4aaeaf0ae3f03cd1d887d76d7d7c703f44c11b

      SHA512

      afa91ccafeffb1aaad5b758c67df1908ee59e0f88c523ef482af511589830c4d898dd9a1e0393e0d08191a631725c2f7772df1ade4ef1a70f4429b7bc080df00

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

      MD5

      4e30397830fe694a21f1e75ca30e5d8b

      SHA1

      3f0edbcc4fe7ebd176dcd68ec2a0fba3085ecf12

      SHA256

      a820f090b1f26438c2f902e886e56367403eded21a339ef037c40201239893b7

      SHA512

      426f53f98aea711645262c31d4837807dc9e3125401b329d6ca24e160a0f8221194ee2c13a662b0a26f9fd5dff7f41762571aa1eada54094d80362f86c1e4451

    • C:\Program Files\Common Files\microsoft shared\Source Engine\gohbekfa.tmp

      Filesize

      637KB

      MD5

      df5f61ac09fca55fbfbbc0bbaaec50b7

      SHA1

      5229ab2211ca90939c45a746b0719dec90791596

      SHA256

      0ca1d48de084144c7a021da88b5afcfb46d5af49091f4b7af90536385c04de3b

      SHA512

      1a4a798720837b803f44b0cbaf47da8725007fa8d63c603855dafb116de397f63e730843c528ff12bbb141d32ee0e9576775ca9bbe4281732068dc3332221911

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

      Filesize

      2.0MB

      MD5

      e277679c206c30ea39bf85c48494e5ab

      SHA1

      0ca6f4edffcc3d656004dab13ad88295d38e109d

      SHA256

      9c27126ffa219ca7cb28ca995da898623e9d98a08ff94ae4f1bb6899d3024e57

      SHA512

      557dda506ecd3c33b40eb3f327973edd6d38aa157db92c51b8a7e5b5212f8cb48d70c6628a714d5d2128794c7a0f21fef1ac5de82a2f3727170fd431d23d4d72

    • C:\Users\Admin\AppData\Local\fijdoqnb\biicffna.tmp

      Filesize

      625KB

      MD5

      d5be5168f9e7022f9b59f494787267c6

      SHA1

      3c7d449aad69b6a01518a587c183cf4f5213886f

      SHA256

      a1f39cffcb9cd5ad78c923bf14039b45e30f0aaa7a52a8b8b7d11b1f6169853d

      SHA512

      e16d6a7913561c169babf4e58b9f4cedd75c47341bbe2deb6bb4bbc17b5eff2f38d268e21dc0a808edab9d77de8446c29ca36e079459df68e1011de8deacbc11

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Filesize

      818KB

      MD5

      5684dd8c2f2cf8fec094b81f7103036b

      SHA1

      09939b7a146c90175558595c9a31a6a3fe98c6af

      SHA256

      276a22bc43c3aa0a93d163cbe5869785c14c6b6cee3dbc69b98407834ccb0dfc

      SHA512

      ff89aa16ab4520e7bcfe52383a3e824a88eba587234de41d66442f3e98667cfe4acd62b2423f054c2d6db6dc8af138395918423bc8d82dc8a3733d1323128444

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      487KB

      MD5

      4a4a8b27fcd5b425e88650e12bc8301d

      SHA1

      3ce4f264ddbb897aaebe60c14cbd9bf1d9a48355

      SHA256

      8a163fbd1740de7f5a9285d43dd67e78f26b16b6fe8d7d446f8fe009027bd18b

      SHA512

      1f7b8f1e70ae931aad17c6a651c63f067a717f5d0fd7d6cf52c8890bcf3a75c56b85b5cfb06907fb384943aa1b3a1c026f537cb1c4b55565a0ce5a49fa3d00dd

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      c852798fe07dbbf3bd6381d9d6d27658

      SHA1

      71bb97519ba922bf8749695a47e2158a846bbd20

      SHA256

      04682da91cd2beb6147c0d8158afdd5b42d702c0eb006fdb7c6fe7fc05c058da

      SHA512

      c90b4424ddf71ee892375e3c0b8363d6ee725edca2946359265654bdc87db0a070bbae3e64c826cad6b279b131258e3c8a61b13e0d628edbba28245be329ec98

    • C:\Windows\System32\alg.exe

      Filesize

      489KB

      MD5

      d634bf1133451c977c6dc12fc17bb44a

      SHA1

      63af48b112c57ec990e167772eb83e4106e20736

      SHA256

      e20da1c964b0d4e94c9d86214cb5f8da55c99cc74ec977f0a5fa187ef9612020

      SHA512

      4a35deedd101f92e39a44ef4fbc94f0a0de3d34fa8d8c74ddb7eef92453b3bedf24bc2a2617f69555649d5d4bccebeed84bd751ee4f4c0b09b8896694cd41c75

    • C:\Windows\System32\msdtc.exe

      Filesize

      540KB

      MD5

      7c56f6c01ca9e7862b49ce05de9db5f9

      SHA1

      10849009b2731f9ebf198c945f53ca431943521d

      SHA256

      2fe723440527f4e6109cd441e2f907982f7a2303e12367721824aba745b13de0

      SHA512

      867d5e25ad9335c39d3f09dac01b9ac1c962d99f02de1401d0d79c981afc295167087b75242547b368316d135ba4aaad7248f7cf5e3c83b2d8e8268150538779

    • C:\Windows\System32\msiexec.exe

      Filesize

      463KB

      MD5

      b9a3ede3e96468122cec6ebc8440bc18

      SHA1

      1fc66665d00eec282ee3ea14ca9e72aaa8b5352a

      SHA256

      c7dc2a48949c4a434dc39e4bc4883de73e0e1a02191ad2a94f033da67aff5bf1

      SHA512

      67994b1593e5c31002a07ecbd4afd65592e8db19f77ccf9801d989b19886808628ad78b39e1525eefaa85a9fa7e97224442d54177086b380f61e885319f4faf5

    • \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

      Filesize

      621KB

      MD5

      97cd90ab932e3360b24370e59df9ee56

      SHA1

      e4f05dffcacb8566077045fcbb3b4020a4b452e1

      SHA256

      183ec576951afecb4ab5fcb76e0d271b0d401bd6a69773a3451b501e868ae5af

      SHA512

      71305d7a4eb4d49c570d1f9325994bc63f1c6dd890c0b7e8a61bd813639cc3aad9e4cc48843e192067109720c2a2c75ad5ca57c9deba0930bc6e860c8737c5bc

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      17787a2664e20688486076ff8f20ff44

      SHA1

      d899fe4ce668b75564d729fd80723662933c4db3

      SHA256

      49c85c875df6921c26dc83a20e182c8c50485c21a421f861b236bb8316e9772b

      SHA512

      7a67c4d6614154ae3aa96f7e2cea8646da86d11c89ba71b86043cf2850a791fe12e15098dafdb67363ba2c8183418abb321663fc31f105c9b9f018efa35533af

    • memory/820-40-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/820-81-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/3628-64-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

    • memory/3628-23-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

    • memory/3628-63-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

    • memory/3968-49-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/3968-47-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/4460-56-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

    • memory/4460-48-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

    • memory/4460-0-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

    • memory/4460-3-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

    • memory/4460-1-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB