expiro | 9c8f5e529aec8cbc4d2c1237a84d9ffd95b5bcb7cce8249ad13ba85aa2afc3cc | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...c3.exe

windows7-x64

JaffaCakes...c3.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_a66ee35d04b3f125d479a450d6a3adc3
Size

241KB
Sample

250118-lp88pszrfp
MD5

a66ee35d04b3f125d479a450d6a3adc3
SHA1

ceb743d8f8e901304899192c18b96f5a23098055
SHA256

9c8f5e529aec8cbc4d2c1237a84d9ffd95b5bcb7cce8249ad13ba85aa2afc3cc
SHA512

24543f5a0197c8d3baff0ac3e05770440633805df23a22304d2d43f6062e840c9d47b4784690ffc2c6bda9b125f091212385c34271e782352cb6eab28b28574e
SSDEEP

3072:L3S8Iy/aNagTeo6isinQ6ZmQGU0yS+y2Q18mn6FEG57rEi7ri:FRri1z0ySL2Q18A6Ft5ci3i

Score

10^/10

expiro backdoor discovery persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_a66ee35d04b3f125d479a450d6a3adc3.exe

Resource

win7-20241010-en

expiro backdoor discovery persistence

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_a66ee35d04b3f125d479a450d6a3adc3.exe

Resource

win10v2004-20241007-en

expiro backdoor discovery persistence

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_a66ee35d04b3f125d479a450d6a3adc3
- Size
  
  241KB
- MD5
  
  a66ee35d04b3f125d479a450d6a3adc3
- SHA1
  
  ceb743d8f8e901304899192c18b96f5a23098055
- SHA256
  
  9c8f5e529aec8cbc4d2c1237a84d9ffd95b5bcb7cce8249ad13ba85aa2afc3cc
- SHA512
  
  24543f5a0197c8d3baff0ac3e05770440633805df23a22304d2d43f6062e840c9d47b4784690ffc2c6bda9b125f091212385c34271e782352cb6eab28b28574e
- SSDEEP
  
  3072:L3S8Iy/aNagTeo6isinQ6ZmQGU0yS+y2Q18mn6FEG57rEi7ri:FRri1z0ySL2Q18A6Ft5ci3i
Score

10^/10

expiro backdoor discovery persistence
- Expiro family
  expiro
- Expiro, m0yv
  Expiro aka m0yv is a multi-functional backdoor written in C++.
  backdoor expiro
- Expiro payload
  backdoor
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

expirobackdoordiscoverypersistence

behavioral2

expirobackdoordiscoverypersistence

© 2018-2025

Terms | Privacy