expiro | 40c7a2750beb5e3d1a6902909b9eca2182a3a177693fc9df0895914357f37ed5

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
Size

386KB
MD5

b301edcdd3eb036386a7a50de1955e9d
SHA1

02ae88eb979136d854f3c8302a67425a6a67948a
SHA256

40c7a2750beb5e3d1a6902909b9eca2182a3a177693fc9df0895914357f37ed5
SHA512

84402a5e424943cf61f99b0fcf6c587b8e67b737a8bcc834095a65d160cc5cef6f857484008d8e13c2de56bed2f041483ed2df01ffc65a81869dff1cfd7d3f22
SSDEEP

12288:YvuloS7zEAoHLiPcS7N0taa+aT2L8tlIsTT:y4oS7oAoHL8cS7OtaiTtIsTT

Score

10^/10

expiro backdoor credential_access discovery spyware stealer

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2596-2-0x0000000001000000-0x00000000010AC000-memory.dmp	family_expiro1
behavioral1/memory/1540-32-0x0000000010000000-0x0000000010087000-memory.dmp	family_expiro1
behavioral1/memory/2724-69-0x0000000000400000-0x0000000000490000-memory.dmp	family_expiro1

Executes dropped EXE 2 IoCs

pid	Process
1540	mscorsvw.exe
2724	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\G:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\I:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\K:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\L:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\E:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\N:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\V:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\W:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\Y:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\Z:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\M:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\J:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\O:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\P:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\Q:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\R:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\T:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\U:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\H:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened (read-only)	\??\X:	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5445AE8A-7838-4C24-8B36-DA95C91C20F1}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5445AE8A-7838-4C24-8B36-DA95C91C20F1}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2596	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeSecurityPrivilege	2528	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2596	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
2596	JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b301edcdd3eb036386a7a50de1955e9d.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2724

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2804

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
316KB

MD5
2ec1b243d4aadbc246d9158d8b0bedca

SHA1
fd6eb0bec228885dd90043f0056b3fbcca63518b

SHA256
c3ceecd23d2a97bfab943fc4c247265ffb07eaf6dd6ede8d1bbcb5e0fd23667c

SHA512
91be3d9e0156ff5e505a8a2d18b91ef0be24209a3b4d12cf940d0c26155bb4474fdb9bde5b7bef0f12a2bed6c3110e82f85e6e5ce84a2075f4606b1f94e77e5a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
235KB

MD5
7c3ec859c111c059a8a4a214489e9117

SHA1
9bcc6035b61e3856a7760fd23a8324cfe5489781

SHA256
5c7700ee21fb4eeb0f6f1668819aa85c44bf975dfe9035868905302070849e25

SHA512
06a339a8412c7f0a4668055abb63e74b4606d95c250547552aadf3879171d9ec602e9dc39c96ac5af4948a64fd4ded74f4a97679ddede1634af67342de388741

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
660c8b8e8084ee4dc5dd10095ea94fd1

SHA1
052f64ab6f8087037354d113d973c1a42c935ba7

SHA256
1244f8f5d973e3c85ed82dd11cc6460c4deaab37af4fe1e8b36db59e9c2408a4

SHA512
4f85d939bfcc7f3641cb058dfbd557c89b1046ddeab335400b4273160a3396a319ce55b77718412f8b66a8da2e63e474b43a4808f4203d4efe65fd04221ef4f9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
266KB

MD5
f2f3b48a8e2931afeca7c2a6166be621

SHA1
db252d23df59e5cc0e568b2ee17611030cb6e9eb

SHA256
91ddaa6561ce33dde4b3faebfc0deb0bf930566791bc1f847d193841c8188a39

SHA512
ee1d8b5e990791089c18f18f2e55b04b1e498998316bec1a55dee6da12e75cb630af38553ee4eb77b60343ca1b6d83c8a47831a84983eb8149af013928d620e8

Download Submit
memory/1540-13-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/1540-14-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/1540-32-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2596-2-0x0000000001000000-0x00000000010AC000-memory.dmp

Filesize
688KB

Download
memory/2596-0-0x0000000001000000-0x00000000010AC000-memory.dmp

Filesize
688KB

Download
memory/2596-1-0x000000000101A000-0x000000000101B000-memory.dmp

Filesize
4KB

Download
memory/2724-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2724-27-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2724-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download