54c430d0f1afc9075139dd4307fe5f1493cec27b13fc478f62be48850b6fd998

General

Target

ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe
Size

764KB
MD5

ec8c596231bf8a0ac903a707410307aa
SHA1

51f4aeb28d00ab4215eda2d6f7fc7eb58b8d9c6f
SHA256

54c430d0f1afc9075139dd4307fe5f1493cec27b13fc478f62be48850b6fd998
SHA512

54442ad365f37d4e0c2ed0e2ff0007a4b22c6e5226d42e5e2b8e817b59d93850cccda3ad17bc83c4325ba9b33431cd5610081e7c0242072decc4073bc319c0c1
SSDEEP

12288:QwE6qS+KnjhoSeqkeGk1YUTx4evkiGlT5R+F8l+dE+Q+oSIOC1ZlQ2sJooS1v:QR6qSPrGkyUV4eMiGRKETzOCfl5t

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002323a-6.dat	acprotect
behavioral2/files/0x0007000000023241-25.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	Free Ride Games.exe

Loads dropped DLL 4 IoCs

pid	Process
1484	ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe
2256	Free Ride Games.exe
2256	Free Ride Games.exe
2256	Free Ride Games.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002323a-6.dat	upx
behavioral2/memory/1484-9-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/files/0x0008000000023240-13.dat	upx
behavioral2/memory/2256-22-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/files/0x0007000000023241-25.dat	upx
behavioral2/memory/2256-31-0x0000000010000000-0x000000001005A000-memory.dmp	upx
behavioral2/memory/2256-84-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/2256-85-0x0000000010000000-0x000000001005A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe \"l 'Startup' u 'http://www.freeridegames.com/do/SDM?action=config&type=NO_TB&contentId=%d' p '143' c '636250'\""	Free Ride Games.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2256	Free Ride Games.exe
2256	Free Ride Games.exe
2256	Free Ride Games.exe
2256	Free Ride Games.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2256	1484	ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe	84
PID 1484 wrote to memory of 2256	1484	ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe	84
PID 1484 wrote to memory of 2256	1484	ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe	84
PID 1484 wrote to memory of 4828	1484	ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe	86
PID 1484 wrote to memory of 4828	1484	ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe	86
PID 1484 wrote to memory of 4828	1484	ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec8c596231bf8a0ac903a707410307aa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
  "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDM?action=config&type=NO_TB&contentId=%d' p '143' c '636250' l 'Installer'"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SDM143\ExentCtlInstaller.dll

Filesize
95KB

MD5
764dda95f9699fa1a0dd55c0996c3a5d

SHA1
8c233aa3b15de9fea89b9570f145d8f8f30cb55a

SHA256
45cde7d4536c60a2427e327da7c5c718e2bb37f3db5c8becf235b2e99fc8d438

SHA512
d71b61c0c16ced9361a32ba10631bf74beb0a1e315d11a15dd7bb8212357383c7d52f81e824805ccd275d927fe24132c40292b70a58b4381eed78e43c9959f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe

Filesize
415KB

MD5
985ecfc62d809b0ffda5955a931a81a7

SHA1
3cb64c220bde364b6872644132a9a9e278d70b6d

SHA256
f6663f2373e99ba95713b0ecce316908930d265ec8987cf44525a7a62e4ccb7a

SHA512
10d0474376eb9ca0a9a3e358443083477b9a6d6b16e1578b02598096e09db83c6511d93d418461ee31dfdbf54b8ea8596b522fe8f363b335966f7065a775da0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll

Filesize
130KB

MD5
12ea0ad60a6db3c12d2016482d5f2a4e

SHA1
76426dce2fd73788e43938d7bb24abb37b70dc39

SHA256
19ce17bd3026a3608a1cb50da936234b56832c45101ae422987e111c6e5edd3e

SHA512
182a2c8be36166cebcc9aaed37950d8eaaf1baf71eb36c6cdb2efbd136f4299eb8249d113605ad4ae495ff5f21d2464fc4a07a84c5bc47c581deca00c685d12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
262B

MD5
8629b924d9580fd03f6e8c45b0f941ea

SHA1
49935250f842cc58a75aabbb8cb1af22f8f48da3

SHA256
29bdccfb19adc228addcf950bd3cf6c2feb83df64f38a570bc7f64606ca09cec

SHA512
96a4836b6bf82b926f3b63fd4016c33853e88e34cdf87e07237ac77eb9ef5f08dff709a380e32cfa17dba9956595f6c62cd5049035ff8a97ff14563634f72aa1

Download Submit
memory/1484-9-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2256-22-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2256-27-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2256-31-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2256-84-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2256-85-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads