General
-
Target
JaffaCakes118_20208e178fc9c734f1c83805d3f71b23
-
Size
60KB
-
Sample
250223-l1a52stkw6
-
MD5
20208e178fc9c734f1c83805d3f71b23
-
SHA1
7a9059de9a4eeec317b7b45df96647cc13d77bd3
-
SHA256
39ba6d4095e2d701904fd0bd2295c371724293b101d7fae886d6bc21dd5439a8
-
SHA512
25ffa27328bd4fd69b0be37c59401e92a5e2f2509774e81c847e0a9b77d34788479952a9803e9c83bf5e2ae94d94a4f65b784bafbf80429eaca40008397872e9
-
SSDEEP
768:zE30e/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:M+PeXonnUStQXDI4spvVp+N8NECtH3T
Malware Config
Targets
-
-
Target
JaffaCakes118_20208e178fc9c734f1c83805d3f71b23
-
Size
60KB
-
MD5
20208e178fc9c734f1c83805d3f71b23
-
SHA1
7a9059de9a4eeec317b7b45df96647cc13d77bd3
-
SHA256
39ba6d4095e2d701904fd0bd2295c371724293b101d7fae886d6bc21dd5439a8
-
SHA512
25ffa27328bd4fd69b0be37c59401e92a5e2f2509774e81c847e0a9b77d34788479952a9803e9c83bf5e2ae94d94a4f65b784bafbf80429eaca40008397872e9
-
SSDEEP
768:zE30e/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:M+PeXonnUStQXDI4spvVp+N8NECtH3T
Score10/10-
Expiro family
-
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
-
Expiro payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1