expiro | 28aad1239f02b00a79a7ae67feca4f9b41d8ab40710855b2142d03c81500b422 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...24.exe

windows7-x64

JaffaCakes...24.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_cb69584111a561a5896145438b009024
Size

88KB
Sample

250119-ssjksatpfn
MD5

cb69584111a561a5896145438b009024
SHA1

5a05dbfeb616acbe102d3ad1f9ff5387e2c50bdb
SHA256

28aad1239f02b00a79a7ae67feca4f9b41d8ab40710855b2142d03c81500b422
SHA512

9e5b060dfa66ad7743b3e7602b2d45255284b47cd2a2809889312de6d92c74ca771346fa815f4b95d917dcec4fff89f593861f34f04e260003b714b112a3a056
SSDEEP

1536:XXPeXonnUStQXDI4spvVp+N8NECtH3/ItaRmtmhDA2B/w:XAgnUStM0BFn+N8FP2acIhDp

Score

10^/10

expiro backdoor discovery persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_cb69584111a561a5896145438b009024.exe

Resource

win7-20240903-en

expiro backdoor discovery persistence

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_cb69584111a561a5896145438b009024.exe

Resource

win10v2004-20241007-en

expiro backdoor discovery persistence

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_cb69584111a561a5896145438b009024
- Size
  
  88KB
- MD5
  
  cb69584111a561a5896145438b009024
- SHA1
  
  5a05dbfeb616acbe102d3ad1f9ff5387e2c50bdb
- SHA256
  
  28aad1239f02b00a79a7ae67feca4f9b41d8ab40710855b2142d03c81500b422
- SHA512
  
  9e5b060dfa66ad7743b3e7602b2d45255284b47cd2a2809889312de6d92c74ca771346fa815f4b95d917dcec4fff89f593861f34f04e260003b714b112a3a056
- SSDEEP
  
  1536:XXPeXonnUStQXDI4spvVp+N8NECtH3/ItaRmtmhDA2B/w:XAgnUStM0BFn+N8FP2acIhDp
Score

10^/10

expiro backdoor discovery persistence
- Expiro family
  expiro
- Expiro, m0yv
  Expiro aka m0yv is a multi-functional backdoor written in C++.
  backdoor expiro
- Expiro payload
  backdoor
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

expirobackdoordiscoverypersistence

behavioral2

expirobackdoordiscoverypersistence

© 2018-2025

Terms | Privacy