Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-02-2025 09:51

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Size: 464KB
MD5: 04bd7e983c4737f0c1e842d32f908af0
SHA1: d8b4782be8b1c54e0582420476af25e5e75b6696
SHA256: 90d97bb483b57c5cf0a347691e76219aea2d50ddded493df84095e5c95591fb0
SHA512: 1915cde72e400079c73091eef6178fb608ce57b0902aaabac363e8bf9ebb8e7a4d8d37928b09df720001dbc379031e9414196aba29162ed982fd43b459329ed1
SSDEEP: 6144:gYF+ylFdeXGtYrklpMZVWvi3QT3MEQ+ttubNHBv5voeFCP3T8z63MPfsRavupY0k:LhlKU50ZVugQjv7ttu9gFc3sRav0k
Malware Config

Signatures

Expiro family

Expiro payload 6 IoCs
resource  yara_rule
behavioral1/memory/2676-0-0x0000000000400000-0x0000000000594000-memory.dmp  family_expiro1
behavioral1/memory/2404-2-0x0000000000400000-0x0000000000594000-memory.dmp  family_expiro1
behavioral1/memory/2404-3-0x0000000000400000-0x0000000000594000-memory.dmp  family_expiro1
behavioral1/memory/2676-4-0x0000000000400000-0x0000000000594000-memory.dmp  family_expiro1
behavioral1/memory/2312-30-0x0000000010000000-0x0000000010161000-memory.dmp  family_expiro1
behavioral1/memory/2304-72-0x000000002E000000-0x000000002E177000-memory.dmp  family_expiro1

Executes dropped EXE 3 IoCs
pid  Process
2312  mscorsvw.exe
2744  mscorsvw.exe
2304  OSE.EXE
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.

Windows security modification 2 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000  OSE.EXE
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000\EnableNotifications = "0"  OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension 1 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\X:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\T:  OSE.EXE
File opened (read-only)  \??\Y:  OSE.EXE
File opened (read-only)  \??\K:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\W:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\S:  OSE.EXE
File opened (read-only)  \??\R:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\V:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\M:  OSE.EXE
File opened (read-only)  \??\N:  OSE.EXE
File opened (read-only)  \??\Q:  OSE.EXE
File opened (read-only)  \??\U:  OSE.EXE
File opened (read-only)  \??\W:  OSE.EXE
File opened (read-only)  \??\G:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\L:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\H:  OSE.EXE
File opened (read-only)  \??\L:  OSE.EXE
File opened (read-only)  \??\J:  OSE.EXE
File opened (read-only)  \??\X:  OSE.EXE
File opened (read-only)  \??\N:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\O:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\S:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\G:  OSE.EXE
File opened (read-only)  \??\E:  OSE.EXE
File opened (read-only)  \??\H:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\M:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\Y:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\Z:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\R:  OSE.EXE
File opened (read-only)  \??\Z:  OSE.EXE
File opened (read-only)  \??\I:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\T:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\U:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\I:  OSE.EXE
File opened (read-only)  \??\K:  OSE.EXE
File opened (read-only)  \??\O:  OSE.EXE
File opened (read-only)  \??\P:  OSE.EXE
File opened (read-only)  \??\V:  OSE.EXE
File opened (read-only)  \??\E:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\J:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\P:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened (read-only)  \??\Q:  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Drops file in System32 directory 36 IoCs
description  ioc  Process
File created  \??\c:\windows\SysWOW64\dllhost.vir  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File created  \??\c:\windows\SysWOW64\msiexec.vir  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\locator.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\vds.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\alg.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\locator.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\alg.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\dllhost.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe  OSE.EXE
File opened for modification  \??\c:\windows\syswow64\perfhost.exe  OSE.EXE
File created  \??\c:\windows\SysWOW64\svchost.vir  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File created  \??\c:\windows\SysWOW64\searchindexer.vir  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe  OSE.EXE
File opened for modification  \??\c:\windows\syswow64\perfhost.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\SysWOW64\vds.exe  OSE.EXE
Drops file in Program Files directory 64 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe  OSE.EXE
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Internet Explorer\iediagcmd.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Internet Explorer\ieinstal.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File created  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\DVD Maker\DVDMaker.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe  OSE.EXE
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Internet Explorer\ielowutil.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File created  \??\c:\program files (x86)\microsoft office\office14\groove.vir  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Drops file in Windows directory 27 IoCs
description  ioc  Process
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  OSE.EXE
File created  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat  mscorsvw.exe
File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\ehome\ehrecvr.exe  OSE.EXE
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe  OSE.EXE
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log  mscorsvw.exe
File opened for modification  \??\c:\windows\ehome\ehsched.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\ehome\ehsched.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File created  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8E095F17-84FD-4766-B530-D374A86D2786}.crmlog  dllhost.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\ehome\ehrecvr.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8E095F17-84FD-4766-B530-D374A86D2786}.crmlog  dllhost.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock  mscorsvw.exe
File created  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jaffacakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mscorsvw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  OSE.EXE
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid  Process
2304  OSE.EXE (recorded 26 times)

Suspicious use of AdjustPrivilegeToken 5 IoCs
description  pid  Process
Token: SeTakeOwnershipPrivilege  2676  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Token: SeRestorePrivilege  2608  msiexec.exe
Token: SeTakeOwnershipPrivilege  2608  msiexec.exe
Token: SeSecurityPrivilege  2608  msiexec.exe
Token: SeTakeOwnershipPrivilege  2304  OSE.EXE

Suspicious use of WriteProcessMemory 4 IoCs
description  pid  Process  procid_target
PID 2676 wrote to memory of 2404  2676  JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe  30 (recorded 4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04bd7e983c4737f0c1e842d32f908af0.exe"
PID: 2676
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    Child process (of PID 2676):
    \??\c:\users\admin\appdata\local\temp\jaffacakes118_04bd7e983c4737f0c1e842d32f908af0.exe
    Command line: "c:\users\admin\appdata\local\temp\jaffacakes118_04bd7e983c4737f0c1e842d32f908af0.exe"war3.exe" -classic
    PID: 2404
    - System Location Discovery: System Language Discovery

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PID: 2312
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID: 2744
- Executes dropped EXE

C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
PID: 2888
- Drops file in Windows directory

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 2608
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
PID: 2304
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads

Filesize: 336KB
MD5: 7b20219cb99a6690b228af9f23567313
SHA1: edbadfbfee8f68a75eff2d2a8a5119ef9f83a54f
SHA256: a4dceb4d2f19a87d3623f16d6437e4a1f539a17c56894b3562a55c59d8a1cd76
SHA512: c6db8cf11add78bd1f65a7d609f29875cc3c8c2bdc928a5598e24f32cbf1f5ba950e55d1cdee72efe791ae78611f9feb1cc188f4c0c392550afb7923df915f23

Filesize: 1.2MB
MD5: 4bfd6f6d9710c8ecb950a0dd4b910073
SHA1: 61572fc28fad621c6eb471b669437628c180b14d
SHA256: d639933800fd06d55803eeed236d42cc22fb1ad76dbc0f11a0e9b2db466a3608
SHA512: 21bedca862a32a9572a34a1e2002920bbb0b7eddabc0d61f080a49b858fd1d1f7821e378e6c472655b690184c1df360d0fcc41af334591ec39ba3470b9ffb006

Filesize: 336KB
MD5: a0230147ad083354bdd542c5fb63fcf1
SHA1: 0b9209c01aac04a044465a2ed91865d5b3d3da7c
SHA256: b7fa83d881b156a1b122b41bef24de811223ea4d49d92588abe6dc98b8c9f963
SHA512: 17b981cb3ce75f621fef528c47adc8cf45b836ee160216ffb194094a2e0ce9c1eca42384e7fc8392a3640887b4d3f174b410df4023e925b67547f5aeda6ebf7d

Filesize: 255KB
MD5: 91bd7024e60ed253ba88606f6e9f3ffd
SHA1: f9f38aa44b4b57c6ca2869b448d9e35bc3d917f2
SHA256: 691df3866bcf94aa9577f26b3021453269ca1a5487003bbf1014bbd37ea111fb
SHA512: 46af8a3124450f80fe6756390902c24e7f08379ff752c12f4ecd19aada701cc2f47c974df22419f8abdd1afdd998f55e16a024bfedc0704ea77b9428af8ca932

Filesize: 1003KB
MD5: 112a36dfdd36d614852341088e8512b3
SHA1: 62d29e03835a33a6f685f56f334f39fa743673ec
SHA256: d5f5f3fede7b2cabb92fc422f441a2ac78bcc6d8d3e55741832b75b46617b1d8
SHA512: f545a28312a6544eb6a9bec64ee23b733fdce5541b9ba5994cb40962a70bfe1e378a1ed7f6a559feac23f5687a049b570e58ad651bf451cef2ef3c2d43d9f09c

Filesize: 286KB
MD5: a5010b9ea4077c188538b2d4523a707f
SHA1: da0b3b52c40a07888b7431909b5fc4676fa6bda1
SHA256: a077228c03cf12697bb7fe45293d01b4207b4c82a78dec8ead3a4b70e2340c05
SHA512: 623e1d4e8931adbfa9fa98bbcd3a7dee2d2a420a613edf722731392d37454736f7b529d749d5cda75a05717618c14dad83434c895d3dc922e694682133f6092e

Filesize: 29.7MB
MD5: c8be72782533a634fdedcd63165f55d7
SHA1: f217f73570e5343e7bb913be5028f309aa8a9d13
SHA256: a477e0d95e6ba11d2c4b3e4b94c0069a7730d66f08d1b3daea5231191faba8d7
SHA512: 6ab6ea49542ad240f07f0df26b4bbfa75cd44f2872131d86a24070fd7b79728c5be19bf05a644c915bcc2454aba93090e01bfc81498757ea748e5a348b3e0f0b

Filesize: 614KB
MD5: 9ae268630413f420fd3657a576b48fe7
SHA1: 6e25cbf68a93f66c104b15b4b75532889448830c
SHA256: 4d6bfe28dc9ee4cfda3f89fa596b3107be53ba3943becae4161877828a5b8afe
SHA512: deee1a60e7b9a9a46dcb119ee0a8466e7f8c1c298ec23aec547ffcc2eded1a0db1a73a64ebe72d0d36fdbf3f98bb9d6279dfbe2d25345d9be36a594c007ab3a6

Filesize: 216KB
MD5: 1b595d03003be2600551a5344298f9bb
SHA1: e734904a83ba44426d2645dc3dc79e062a5e77df
SHA256: c22d45db604dc92f7db0a5707a00478081124501a4d3c0c918478532bf897c87
SHA512: 6e5eb1e3bdb0989e81111055ab2217e8e7a91c95f26f0227e529e7a60935e74a904c3f81a5d2fd0244f830998cabdf989c1514f6b3394c979b8632bbafa57d4b