1c1c1ff3561ba6eb1db760de8dca6954d15482f66eae931ab2cf79964315e4db

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe
Size

1.2MB
MD5

1fcb27b99fc6fcb9b7f83ccc8904e79c
SHA1

aecdea1e6911c783298385a7727b61f0915a7803
SHA256

1c1c1ff3561ba6eb1db760de8dca6954d15482f66eae931ab2cf79964315e4db
SHA512

4169264fb75f0d2cef3cf87e4a707f49f43807a13a67519e835eda3b1b6d7f11212b0c28f745c526131ac276190643770c6eb3fc7f01b841caf80ed624842580
SSDEEP

24576:+KX2vzptbfKL1oX1Y5wrrRsrW7RdYxMn4iuKbQaqfQN+Qfsqf:3Gvz5Xa0Nsr4Qx64qfqqB0qf

Score

7^/10

bootkit persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000163eb-46.dat	acprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016013-40.dat	upx
behavioral1/memory/2784-43-0x0000000003770000-0x00000000038C3000-memory.dmp	upx
behavioral1/files/0x00060000000163eb-46.dat	upx
behavioral1/memory/2584-51-0x0000000010000000-0x000000001009F000-memory.dmp	upx
behavioral1/memory/2584-151-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-154-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-155-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-157-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-159-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-161-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-163-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-165-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-167-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-169-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-171-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-173-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-175-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-177-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2584-179-0x0000000000400000-0x0000000000553000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	Free Ride Games.exe
File opened (read-only)	\??\B:	Free Ride Games.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Free Ride Games.exe

Executes dropped EXE 13 IoCs

pid	Process
2584	Free Ride Games.exe
2344	cmhelper.exe
2876	cmhelper.exe
1592	cmhelper.exe
2500	cmhelper.exe
2520	cmhelper.exe
1972	cmhelper.exe
1044	cmhelper.exe
1252	cmhelper.exe
2224	cmhelper.exe
848	cmhelper.exe
2140	cmhelper.exe
1740	cmhelper.exe

Loads dropped DLL 18 IoCs

pid	Process
2784	1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe
2784	1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe
2784	1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe
2876	cmhelper.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe
2520	cmhelper.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe
1252	cmhelper.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe
2140	cmhelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Free Ride Games.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Free Ride Games.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	Free Ride Games.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2584	Free Ride Games.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2584	Free Ride Games.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe
2584	Free Ride Games.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2584	2784	1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe	28
PID 2784 wrote to memory of 2584	2784	1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe	28
PID 2784 wrote to memory of 2584	2784	1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe	28
PID 2784 wrote to memory of 2584	2784	1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe	28
PID 2584 wrote to memory of 2344	2584	Free Ride Games.exe	29
PID 2584 wrote to memory of 2344	2584	Free Ride Games.exe	29
PID 2584 wrote to memory of 2344	2584	Free Ride Games.exe	29
PID 2584 wrote to memory of 2344	2584	Free Ride Games.exe	29
PID 2876 wrote to memory of 1592	2876	cmhelper.exe	31
PID 2876 wrote to memory of 1592	2876	cmhelper.exe	31
PID 2876 wrote to memory of 1592	2876	cmhelper.exe	31
PID 2876 wrote to memory of 1592	2876	cmhelper.exe	31
PID 2584 wrote to memory of 2500	2584	Free Ride Games.exe	32
PID 2584 wrote to memory of 2500	2584	Free Ride Games.exe	32
PID 2584 wrote to memory of 2500	2584	Free Ride Games.exe	32
PID 2584 wrote to memory of 2500	2584	Free Ride Games.exe	32
PID 2520 wrote to memory of 1972	2520	cmhelper.exe	34
PID 2520 wrote to memory of 1972	2520	cmhelper.exe	34
PID 2520 wrote to memory of 1972	2520	cmhelper.exe	34
PID 2520 wrote to memory of 1972	2520	cmhelper.exe	34
PID 2584 wrote to memory of 1044	2584	Free Ride Games.exe	35
PID 2584 wrote to memory of 1044	2584	Free Ride Games.exe	35
PID 2584 wrote to memory of 1044	2584	Free Ride Games.exe	35
PID 2584 wrote to memory of 1044	2584	Free Ride Games.exe	35
PID 1252 wrote to memory of 2224	1252	cmhelper.exe	37
PID 1252 wrote to memory of 2224	1252	cmhelper.exe	37
PID 1252 wrote to memory of 2224	1252	cmhelper.exe	37
PID 1252 wrote to memory of 2224	1252	cmhelper.exe	37
PID 2584 wrote to memory of 848	2584	Free Ride Games.exe	38
PID 2584 wrote to memory of 848	2584	Free Ride Games.exe	38
PID 2584 wrote to memory of 848	2584	Free Ride Games.exe	38
PID 2584 wrote to memory of 848	2584	Free Ride Games.exe	38
PID 2140 wrote to memory of 1740	2140	cmhelper.exe	40
PID 2140 wrote to memory of 1740	2140	cmhelper.exe	40
PID 2140 wrote to memory of 1740	2140	cmhelper.exe	40
PID 2140 wrote to memory of 1740	2140	cmhelper.exe	40

C:\Users\Admin\AppData\Local\Temp\1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fcb27b99fc6fcb9b7f83ccc8904e79c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
  "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '751350' m 'freegame001' t '0' l 'Default'"
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    UPR
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:1044
- - C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:848

C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
  R
  2⤵
  - Executes dropped EXE
  PID:1592

C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:1972

C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:2224

C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

Filesize
23B

MD5
4174cb800274e3c271f7e53ae1b9ae35

SHA1
6ac0ca77eef3b68c8db3349f1ceb0c8083450642

SHA256
d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e

SHA512
c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

Filesize
120B

MD5
f63db0e6e8ac6d8d16baaaed4edc4379

SHA1
301de378cbd76b2fc932ba49f4b25c4e6aa45f25

SHA256
33b4eac7a9ea1ee19695069737cd8998466762aeebad0dc2763f44cb7a70f4cd

SHA512
bccac584412907d7dde82b699c9e84be4e8b90d5c583fa10ebbbdcd1ee2556ed7ec1074430511986e123a7cc127f98af28e6f425db3071d0d63218116c1ff65c

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

Filesize
237B

MD5
44f77b0e4505f9a8adf11bdbeace9fa0

SHA1
adb3645e42fa4c41968d92e5a06b274db77d2ea5

SHA256
a6c321dab332711be1049753905578f1c35e6f07f7ef8dabe65d5e70b7df8718

SHA512
63c55efc918ba25052aa4c0c8e80e0212e5655b8c6c78e87acc0546ef4021e3a770435f3dd092d2652e04969b80604a6382096f33def4c64ab3994ba2caed5f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

Filesize
351B

MD5
22e69cb2048d3e195435ef7fe77206c1

SHA1
5ce30eeabbf07b8878cfad540c117b802eaf1727

SHA256
441544f83a1171b53b1e6500cc268a6fd12d3d72028252457c372f58648411f5

SHA512
c0d5bc9d5c0ece633e12876cd937ec190d1b9ced4554c64c6a82e543af5714c719853db3b1f20539ab33a67c588f539c8ca551ee1c5050152b5df79142d69adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe

Filesize
234KB

MD5
3a9774028e1e3968b8c202fd199d0084

SHA1
6e19763c3f42c8d6596135a7566bef07a0cbeadd

SHA256
93a63465ea363661a141043c404f5b94ab9ac6cfeee3fd158bdf4e1fc50e3af5

SHA512
ea7e67887d7b8fd3e6049ee1ba7a786bb895158279e464c5c7a35e323aefac34e81e5515e493acf447953a08f13b94024c4a460ebc77f03ef0d305feb8b81d06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XS4XZB8F.txt

Filesize
324B

MD5
0af09358886c77a760bc1e625df7ee81

SHA1
bd06bc1a8761c852fa3d98ad70b4d5cb5f115891

SHA256
ace3fcdf98fa0dd576df5da5ed66d68630a29776dbf19b4745e141d4eb51127b

SHA512
45d2c558dbf54db343cc4908fc1fc456780c00d416d57cb2b989bf40cf839818348f0090af6b64a6f546e51d4d97792a4a1b0cf5ebbeecafcb5ad8d06d5c9a2d

Download Submit
\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe

Filesize
504KB

MD5
23cad4075e1fd5d47c0434fef549efde

SHA1
d7cdc7cb933466474986ae37fc7ebefdad601aaf

SHA256
18f4519d20252bf579b887adec25554ac412bd79604547cca12f9f589549f952

SHA512
e4176411caac89db8dd073f2b47b7970168dacad4cdecc6edae310591e279149430b10ab1f956a7722ab22677ca893bfc4eb3fe17009b9b73a95e288c12c89b1

Download Submit
\Users\Admin\AppData\Local\Temp\SDM143\Splasher.dll

Filesize
475KB

MD5
41d94c8eb8cb17e04f8ec6e14132f9ca

SHA1
add92b031eb36b26335763780df88bca58636ed7

SHA256
2e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96

SHA512
0561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7

Download Submit
\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll

Filesize
171KB

MD5
5cf0fba9e8775382233c8e63e52c838a

SHA1
b2a092f71eff0f6916652d7f3bfde9204eda5636

SHA256
7d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5

SHA512
73489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
memory/2344-63-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2500-73-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2584-165-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-161-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-51-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2584-151-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-179-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-154-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-155-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-157-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-159-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-177-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-163-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-47-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2584-167-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-169-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-171-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-173-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2584-175-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2784-43-0x0000000003770000-0x00000000038C3000-memory.dmp

Filesize
1.3MB

Download
memory/2784-153-0x0000000003770000-0x00000000038C3000-memory.dmp

Filesize
1.3MB

Download