Overview

overview

10

Static

static

3

JaffaCakes...ca.exe

windows7-x64

10

JaffaCakes...ca.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_9a0fef5bacd78141f5b157e61421b9ca

  • Size

    136KB

  • Sample

    250205-bgptzs1ph1

  • MD5

    9a0fef5bacd78141f5b157e61421b9ca

  • SHA1

    07333c948933d5db063caaa954dfb08ea9c1a481

  • SHA256

    3e07e45517bf9208d84828670ff629fd49886e88d8aad36f5398d50a9145339d

  • SHA512

    56d10642a3083701f25cd053351d793bb80ecbe8cdfd90260dcbf88ad6e051e680122fa8c31ffd0a6d9cc9a89f292f6f3de725bee1601a5d88ea277a1e26cf19

  • SSDEEP

    3072:8FgnUStM0BFn+N8FcUDbIzu9wrBzm5YaxE3vm40cjENDe:8FAs0H68KMIqOlzEYlO40cjb

Score
10/10
expirobackdoordiscoverypersistence

Malware Config

Targets

    • Target

      JaffaCakes118_9a0fef5bacd78141f5b157e61421b9ca

    • Size

      136KB

    • MD5

      9a0fef5bacd78141f5b157e61421b9ca

    • SHA1

      07333c948933d5db063caaa954dfb08ea9c1a481

    • SHA256

      3e07e45517bf9208d84828670ff629fd49886e88d8aad36f5398d50a9145339d

    • SHA512

      56d10642a3083701f25cd053351d793bb80ecbe8cdfd90260dcbf88ad6e051e680122fa8c31ffd0a6d9cc9a89f292f6f3de725bee1601a5d88ea277a1e26cf19

    • SSDEEP

      3072:8FgnUStM0BFn+N8FcUDbIzu9wrBzm5YaxE3vm40cjENDe:8FAs0H68KMIqOlzEYlO40cjb

    Score
    10/10
    expirobackdoordiscoverypersistence

    • Expiro family

      expiro

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

      backdoorexpiro

    • Expiro payload

      backdoor

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks