General
-
Target
JaffaCakes118_ae2a6ff3181f19d491db712c80200ad7
-
Size
124KB
-
Sample
250206-w2tc5avkcq
-
MD5
ae2a6ff3181f19d491db712c80200ad7
-
SHA1
7f462f4c9175bdd2f2eb69f774ba918d1833befc
-
SHA256
45adb3afd017026adc61e4b72f24c3978d875c96798d7a771d6c203f7bd1db53
-
SHA512
f45689df4f5c1c757f050b83e920831522e5ed2858e2e4e785642cf56c54f418171d35e5d7feb0b966f0955c7b97ecbca74d30afdbe4b92f5de4ab08e04c00f0
-
SSDEEP
768:RE30e/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2Zv:u+PeXonnUStQXDI4spvVp+N8NECtH3
Malware Config
Targets
-
-
Target
JaffaCakes118_ae2a6ff3181f19d491db712c80200ad7
-
Size
124KB
-
MD5
ae2a6ff3181f19d491db712c80200ad7
-
SHA1
7f462f4c9175bdd2f2eb69f774ba918d1833befc
-
SHA256
45adb3afd017026adc61e4b72f24c3978d875c96798d7a771d6c203f7bd1db53
-
SHA512
f45689df4f5c1c757f050b83e920831522e5ed2858e2e4e785642cf56c54f418171d35e5d7feb0b966f0955c7b97ecbca74d30afdbe4b92f5de4ab08e04c00f0
-
SSDEEP
768:RE30e/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2Zv:u+PeXonnUStQXDI4spvVp+N8NECtH3
Score10/10-
Expiro family
-
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
-
Expiro payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1