Overview

overview

10

Static

static

3

JaffaCakes...c1.exe

windows7-x64

10

JaffaCakes...c1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_1aead11bef75d68d66f2d133e7ac65c1

  • Size

    96KB

  • Sample

    250123-zehvnatnhq

  • MD5

    1aead11bef75d68d66f2d133e7ac65c1

  • SHA1

    b8764d0d71980f10aa49c2b2431a5ad08d457ece

  • SHA256

    57f6aba00d0b3c2aece91d894f6f5031a1c8f63aa08eef5f26a4d8bda801c916

  • SHA512

    fea8718b8c7610de4a24b7449386f57fb4d5f6205262744651e68b85863b5cc4f562575d143677c3fcd94d3c36e5fe34535340d9adb840dc1fd16b9168604f94

  • SSDEEP

    768:LXzlX7m2PX2uC3P1UtKzlJsEqDlEVBRDKwsB9nMZnANQ1N/4U7rYxamg46MVp:LD02PX2uCUtT9DlkBRDPsBcs0WpgX6

Score
10/10
expirobackdoordiscoverypersistence

Malware Config

Targets

    • Target

      JaffaCakes118_1aead11bef75d68d66f2d133e7ac65c1

    • Size

      96KB

    • MD5

      1aead11bef75d68d66f2d133e7ac65c1

    • SHA1

      b8764d0d71980f10aa49c2b2431a5ad08d457ece

    • SHA256

      57f6aba00d0b3c2aece91d894f6f5031a1c8f63aa08eef5f26a4d8bda801c916

    • SHA512

      fea8718b8c7610de4a24b7449386f57fb4d5f6205262744651e68b85863b5cc4f562575d143677c3fcd94d3c36e5fe34535340d9adb840dc1fd16b9168604f94

    • SSDEEP

      768:LXzlX7m2PX2uC3P1UtKzlJsEqDlEVBRDKwsB9nMZnANQ1N/4U7rYxamg46MVp:LD02PX2uCUtT9DlkBRDPsBcs0WpgX6

    Score
    10/10
    expirobackdoordiscoverypersistence

    • Expiro family

      expiro

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

      backdoorexpiro

    • Expiro payload

      backdoor

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks