expiro | 1f43c29156139e476a8a304e08987ee5baa2faa3d46b3d9db298bed63856f09a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
Size

406KB
MD5

d7e82e3ff9f8f2401817e98773430628
SHA1

b2aba0c89807dd71e2e68dd0ff148743d40c02b9
SHA256

1f43c29156139e476a8a304e08987ee5baa2faa3d46b3d9db298bed63856f09a
SHA512

2becfb5e61819348a58821317b5893d5334b721aa09adcb7624d0df53c18c78aca1a976ea632b00116746e40174e1dcec0f57cbd59a1afc940bd39f9ab7ca49a
SSDEEP

6144:yIzfx0tsmxGjd9suGjiIDhAJSbnVrw8/LppZ2oqIqOEhspJ:NfqOwGTlWJN0Qrw62obqap

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral2/memory/1948-0-0x0000000000D9A000-0x0000000000E2D000-memory.dmp	family_expiro1
behavioral2/memory/1948-1-0x0000000000D30000-0x0000000000E2D000-memory.dmp	family_expiro1
behavioral2/memory/1948-2-0x0000000000D9A000-0x0000000000E2D000-memory.dmp	family_expiro1
behavioral2/memory/1948-4-0x0000000000D30000-0x0000000000E2D000-memory.dmp	family_expiro1
behavioral2/memory/1948-5-0x0000000000D30000-0x0000000000E2D000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
3384	alg.exe
1676	DiagnosticsHub.StandardCollector.Service.exe
3380	fxssvc.exe
964	elevation_service.exe
3988	elevation_service.exe
4472	maintenanceservice.exe
1524	msdtc.exe
4904	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\T:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\Y:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\X:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\V:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\Q:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\W:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\P:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\M:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\S:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\Z:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\K:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\O:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\U:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\N:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened (read-only)	\??\R:	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File created	\??\c:\windows\system32\biailcmi.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\djogoqpe.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\openssh\ldbefdko.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\bqjaaklk.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\cbdebilk.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\cnfnnlok.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\diagsvcs\dekgblki.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File created	\??\c:\windows\system32\gqcpicqh.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\odihbjbl.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\SysWOW64\olpohhgk.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\locpcmlm.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\kjmkgoaj.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\SysWOW64\injlfbge.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\pfofpjje.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\windows\system32\opgokejj.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\aejgacim.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\nobbopil.tmp	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe
3384	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1948	JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
Token: SeAuditPrivilege	3380	fxssvc.exe
Token: SeTakeOwnershipPrivilege	3384	alg.exe
Token: SeSecurityPrivilege	4904	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3360	OpenWith.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d7e82e3ff9f8f2401817e98773430628.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3360

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3384

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:832

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3988

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
e60e51dbd6d687782d1664eca696b379

SHA1
c0e02e5851b0f5fb881e26f1a5c4a96f88c8ce10

SHA256
0aa73d36774890eca54c18b00ee2ba68c7d9a2cd1a2d57ea0e68fbe1a8a1d0ce

SHA512
51ddbb5472825def59081b89fecda82f8313d3a73717fa7a7034ec353c0db77fd84ca1d0ee3fc5e14b7878db69760d60ed7662fde2b9cc520fbcf987c393339c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
6fcbcd32a9d34f29e7c2ac84ed1de00a

SHA1
ca164fa64a8c712e3f5e2bb266cd4aaaa44f1577

SHA256
dd699af355b28827e1695947632971863fcea2c9db27580de90b8b2a5af72fd8

SHA512
5608b8789ef0c0695fa873e8ad336b3bc62e9ab6fff765b024a5b21f662d6ac2425f091ecc938ce9146852a966e6f72182c3c553d8bf3a5a1671e996af0e545f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
d68567c5454bf7f411d3f986d924ac00

SHA1
c661c88dfe14477d8db24821e496a00f14ba56ec

SHA256
014253ea5884c461d2cf3ff8bc225497af5e8bf22be7960fc749f4e002dfc521

SHA512
f2a15a734d1acafc7dcaf62de6663366f0ca25c4b5171f083f9162b569ed93ac2f1f072960134fcc62e797efa0d98fafcc12e020b243e026759f5867b870aaeb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
d1ff5b6a56c0fec1eafd3ff8cd413730

SHA1
18b781e87557c53d1086c6c915d19bdbdc5f5f5d

SHA256
bc112430f6c9e1d7ec8628997227e1c9a2f49e80b15fd51ac349f3c70cd43d17

SHA512
db23da5801aa67eb069ba13bca2dcc8c03e7e15e6501e638d916142cae7eefc163b1ffad53c6c1c4a4dfb30481a0bf71265cbd290e372f2c4b99419d19424693

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
4781934f654f242eda255a1680f45f58

SHA1
3b53e6a818e48b869f26fcac045f1d7a0a462ffe

SHA256
3a267f84446ef8cc9619602f9125ff5a584770a81ec6463f7a0ac4ca07d26415

SHA512
6f25703a99ad68a6d0a66c4bb30b82312514e01b630839845cd6841053fcd197bab4bf59b63c891c3e778ebae8f618f0da17a22977e32eb02d650682c00d9303

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
8ac53f45bb38ceb059611f7fdbcb29bf

SHA1
9398b285c01e99aa4b6e8f8b83b5f09eafae900f

SHA256
76bac6a1e1de34b5b48cc6364f94ed7c34dc295b4a198374c511b24e8ccb79bc

SHA512
9cc3cfef318ab0b1d53817deca02324ff3693b82be6e4211b9e363675af4d6fcbdee890070ad65dba0a77cd8154142f09530f70b2dbf7e9ed7ca74ca6ce4bf1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
07ada14e99a1996e82de9d2edf263335

SHA1
d3cd196dbfd89fd9b2c8214637401031e1304ab4

SHA256
e1a1bf4612491ce02aaf2c3c62d7958fe35968faf27ee81b59a76796e4d460b2

SHA512
563e5229f0a02ceaa1ce27c66111655afd643c8bf9501ffba996e78e5f2ba4d2c5942e5bcc5b7b4b78b14c86ddb4eb044e75ffec862f75e89a5fc0bf31b31b2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
f6ef5602378d1a8bab9fd7202a22fc46

SHA1
e5775af6daa1ac741547420d461ef99ce2cb86e2

SHA256
179bc84a923d65cfdf4fa85a52bfb4ba0be9e909aedc56fa10fb923b883f55a5

SHA512
1aa8c9c3d686611cea295bd60e42cbabe1ab1da001dce7d0cff44163bba23f5e93c9156c122703b72f4bdf9bc69fcd02a0db1f6c4be2db04087aaa7774330a92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
5566e2d4fbd8ab56b233f5079c4c58fc

SHA1
e6af9a6213e915d03efd3770000bb4e000d26be5

SHA256
e684e93b94a73cbf4085cc732326dfabee9c8b64f9cde997c717fad101584e80

SHA512
c9eb85c24cb7fcf2ff1d86ad1224de67b07401b82bd4c75a622191d92f7df2658fe99afcd3e054a0e7041e4735b1aa6ab207e242fd99756ff0bbb2658c17fffc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
ede454ab307c614b67452aac79e687af

SHA1
ba762b184a763bd4b2047aa8dbde3440fc409f2b

SHA256
fb320f513815d5dd954c19dd24ed2366f124f65c7db5adbe7da61a91362621b1

SHA512
27dea1a97f6840714404aaa533e5f2323f05bf6afb06963bdac4c75f97ae12771116e7620dc1facd4bd6cb405ec5f241872c608d3b38fa03f7d3589f2481f866

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
ced5b09f03dad2c69011bd3b9a4aeb0d

SHA1
d45c05cb9a6422ea7ae0521e2ab6d59226ada77a

SHA256
411a8daa34bbab1134ea95feb10a12e285d074d25e67c3671304b1287e77e189

SHA512
19791a2bc8f7285ea296c3eb214cd0717e85e7e208ad531e651756db970119b57556862e5455919606c65467818b5bea9957d8c597803f3d6ef5f967e5e94f5e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\nobbopil.tmp

Filesize
637KB

MD5
f31389bcf266d033ecda3b268250215c

SHA1
924c5d02c82ecbec32110a2b9cbb30d1bbbc04a6

SHA256
598f7b460575fa5b935172e93abf0af54ed435d04eb2a32a0549fd259702ff89

SHA512
c6e24c97aa86331dce619b46623c8023585cbf652ce8e61d8cfce52a78b35e4540ac5b3af0740ffb86ebdb82b92a30bf6aac4ecca89d59d8927fa378fff9f3ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
6742ebf1fe411baeb836b77c3da20e12

SHA1
5b6a8d1bc42040f2f39497ef1e011093cd453906

SHA256
a44e770f73bcf475fd00402e11f3de267a736ba9453532376a5fbe826e56548c

SHA512
0edeb2798e7a984a0237a6f2a069900b1839e8cd2ac8a151a54174c2c76c6a12031ca34bb10e72518bb147c0b96ac1fa78f8c4d5db82297f2bd5afe2a825f6df

Download Submit
C:\Users\Admin\AppData\Local\rkqpkpkd\eodakdig.tmp

Filesize
625KB

MD5
433353c1ddf2debd1ae755daacf69641

SHA1
38c56a25c3e344fdd7fe07c6270a1ef4f17ef4e7

SHA256
a1dd7374fe1cd1fd8fdf21da61b78287d0327820c3ea5cc925ee3e6a29495b45

SHA512
87ad3cfdf7ecb24080c5b858ca6b2e3984f87ae120cea468bdb8a593ad60f110ccb8bca3d7fc425327c25efa0b300d3f7912ce47d8b7155a51cf21639dbfe643

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
41c85095c56616afd5ea5c90163ccdc4

SHA1
e96ad8c0a8349253b6b155a63edc5f8feab44c76

SHA256
e4e60f7744a83325225c1ba80ad859e95f9f983fa4440b678098879e5df7454b

SHA512
baf8683afb9c5e89f0c95e1a8be3fe18618ab679ce76c956daaf54e6f80d50ee2799c8b617b0d7e3dad1f94cfcb284a4f93d8cd73726c70b4c68dacc8a740847

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
db32f6ae1ffa32579e316caa9d573f1d

SHA1
c0a681d9a95c007afc0c71039f9f6c43ba5c3f5b

SHA256
fd1a8cd78a22ffcc77e2b360fef6b8c6f0301fd2703f49810d7cd104e3979a31

SHA512
97d38ac9d3edc242791b17032af321dd72ab64aec69c85c085648cc09a92001870745e89eb38bbf3333298a8b961c5905c37effa1dba6a0f55ff9677ee0b064a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
8cf236d0b925ab1eb92ff407f7f7409d

SHA1
6a1e29542004a10004995e4a943c68213d8381be

SHA256
a94983fd8ecab6da4189c233618054290a473e5708b166b109dfc20045999eb6

SHA512
0a943b3e4f5556271e5f82e227f38e22789b68ad6dd3c8329a1a0d4303b9135313f92104a621359ac42ab7c95dbdd729d9d9320118018992e347536f5cae7da8

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
1127dd6d0bd77f0ec48152af511f5762

SHA1
36caf8bae1fb8e1c6af71ce6bfb481f7f8f79a5a

SHA256
5f52edd785c5a455863922229f676b8161ca861cee093d190538a9ed89f75880

SHA512
d5be3811343a7ff5fe955bb3d177a87fb0a95b6f0038652641603036f8d3cecfef0dcf801918092d05d953a36eba834f696e1fc283aedbb55402e56578cdaf39

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
653a1e355b9aa0cdb2301ba7c6a60ca4

SHA1
1a77555ff4c6c2fba8f278b10b0a128ad65e3d82

SHA256
66998e3c8ca8b835c8112c42e08451faaa3df243eb3f88773523fffa4819c222

SHA512
9bca76aa51f8ca05f0fc1a918f645f1e4e947dfaa39e55e8745b1cf148587727f8289b7700d5078f05afd9e1dc84906e77e3dcebaa62cfb04243d5568bb797b4

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
7a8076eadca2f064db20f7c9dd7056e7

SHA1
ff4c399963c35591f1da03aa9e4c695962e6046f

SHA256
b6cd4ac473afd1834909cce9e5032e01491c1a5f08089842388c4e4c7e243bda

SHA512
629cf25c762a90aeb24812af2789d639b158988e64a286436108c12abce30f0210edd2524e4d7f73d930b2458d574537edc750983a3e96ef86150c9d8db38499

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
fa13f623d8a876e9cfb33389666da80b

SHA1
3c96911c765f65e4d0151495d1e839449089f911

SHA256
c464ddc3f46dec03cd9baaf947bcb98371a166835ef9e3be06464a49f26e747d

SHA512
473526159932b3429a01268e6b7507f5894e13e4d7b5d3298f828c45a2445f61910ce20a4195b41d02137633ddb23985e0f014c7b6f4893db73ed8519b2c84cd

Download Submit
memory/1948-0-0x0000000000D9A000-0x0000000000E2D000-memory.dmp

Filesize
588KB

Download
memory/1948-5-0x0000000000D30000-0x0000000000E2D000-memory.dmp

Filesize
1012KB

Download
memory/1948-4-0x0000000000D30000-0x0000000000E2D000-memory.dmp

Filesize
1012KB

Download
memory/1948-2-0x0000000000D9A000-0x0000000000E2D000-memory.dmp

Filesize
588KB

Download
memory/1948-1-0x0000000000D30000-0x0000000000E2D000-memory.dmp

Filesize
1012KB

Download
memory/3384-59-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download