Overview

overview

10

Static

static

3

JaffaCakes...7c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_b7f370b70ab5371c554c8bca0783ba7c

  • Size

    60KB

  • Sample

    250414-qzzt8syjw8

  • MD5

    b7f370b70ab5371c554c8bca0783ba7c

  • SHA1

    94a031951b19b7e5a8459dec49da99877e33c744

  • SHA256

    596397cadce5ecdb769d02c7df256867b0e51becc34469df0cc70572f34716bf

  • SHA512

    1e3504c3b41aafeba0dcea470a8cb93ec3685813b953f0468828db94f6aabfa4fa967e0cb849fe7e5a855145e5af32fddc6d9921e3ee158de0096737ff74b935

  • SSDEEP

    768:FE30e/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:S+PeXonnUStQXDI4spvVp+N8NECtH3T

Score
10/10
expirobackdoordiscoverypersistence

Malware Config

Targets

    • Target

      JaffaCakes118_b7f370b70ab5371c554c8bca0783ba7c

    • Size

      60KB

    • MD5

      b7f370b70ab5371c554c8bca0783ba7c

    • SHA1

      94a031951b19b7e5a8459dec49da99877e33c744

    • SHA256

      596397cadce5ecdb769d02c7df256867b0e51becc34469df0cc70572f34716bf

    • SHA512

      1e3504c3b41aafeba0dcea470a8cb93ec3685813b953f0468828db94f6aabfa4fa967e0cb849fe7e5a855145e5af32fddc6d9921e3ee158de0096737ff74b935

    • SSDEEP

      768:FE30e/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:S+PeXonnUStQXDI4spvVp+N8NECtH3T

    Score
    10/10
    expirobackdoordiscoverypersistence

    • Expiro family

      expiro

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

      backdoorexpiro

    • Expiro payload

      backdoor

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v16

Tasks