Analysis (score 7)

max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/05/2024, 09:01
Behavioral tasks

task            Sample                                               Resource
behavioral1     201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe   win7-20240221-en
behavioral2     201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe   win10v2004-20240419-en
behavioral3     $PLUGINSDIR/SelfDel.dll                              win7-20240221-en
behavioral4     $PLUGINSDIR/SelfDel.dll                              win10v2004-20240419-en
behavioral5     $PLUGINSDIR/System.dll                               win7-20240221-en
behavioral6     $PLUGINSDIR/System.dll                               win10v2004-20240419-en
behavioral7     $PLUGINSDIR/nsExec.dll                               win7-20240220-en
behavioral8     $PLUGINSDIR/nsExec.dll                               win10v2004-20240419-en
behavioral9     $TEMP/SDM143/ExentCtlInstaller.dll                   win7-20240419-en
behavioral10    $TEMP/SDM143/ExentCtlInstaller.dll                   win10v2004-20240419-en
behavioral11    $TEMP/SDM143/Free Ride Games.exe                     win7-20240221-en
behavioral12    $TEMP/SDM143/Free Ride Games.exe                     win10v2004-20240226-en
behavioral13    $TEMP/SDM143/Splasher.dll                            win7-20240221-en
behavioral14    $TEMP/SDM143/Splasher.dll                            win10v2004-20240419-en
behavioral15    $TEMP/SDM143/cmhelper.exe                            win7-20240221-en
behavioral16    $TEMP/SDM143/cmhelper.exe                            win10v2004-20240419-en
behavioral17    $TEMP/SDM143/resourceDll.dll                         win7-20231129-en
behavioral18    $TEMP/SDM143/resourceDll.dll                         win10v2004-20240419-en
General

Target: 201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe
Size: 1.2MB
MD5: 201df4e8a9f4ed1210d9f6e969e7d0d6
SHA1: 4fdc5b02e92874e7eccba4d77c8815b44fc80230
SHA256: 36026ae67867a75d0a02b8f7d4d72f6b52790ef55d8eee8a326af1de95802896
SHA512: b0d9600757f8a6f2a2227c3fe8e4161d862dbfe4b2e3e3091668cd37d079f86c9e6716f8e539649e48689e59d745b5d274481a2b5b37a9e43a35e40b546c53a9
SSDEEP: 24576:AQX2vzpbZGaKBVlEn+f3VgikCFkJ9k4i/izgNwMqfQN+Qfsqz:jGvz7GfY+f3VOCiJS46iwwMqqB0qz
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource                                   yara_rule
  behavioral1/files/0x0006000000015d87-46.dat   acprotect

Executes dropped EXE (13 IoCs)
  pid    Process
  2432   Free Ride Games.exe
  2488   cmhelper.exe
  1860   cmhelper.exe
  2740   cmhelper.exe
  2856   cmhelper.exe
  2908   cmhelper.exe
  2400   cmhelper.exe
  1772   cmhelper.exe
  1604   cmhelper.exe
  1904   cmhelper.exe
  2484   cmhelper.exe
  1292   cmhelper.exe
  848    cmhelper.exe

Loads dropped DLL (18 IoCs)
  pid    Process
  2612   201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe
  2612   201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe
  2612   201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  1860   cmhelper.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  2908   cmhelper.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  1604   cmhelper.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  1292   cmhelper.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

UPX yara matches
  resource                                                                    yara_rule
  behavioral1/files/0x0006000000015d5f-40.dat                                 upx
  behavioral1/memory/2432-45-0x0000000000400000-0x0000000000564000-memory.dmp   upx
  behavioral1/memory/2612-44-0x0000000003750000-0x00000000038B4000-memory.dmp   upx
  behavioral1/files/0x0006000000015d87-46.dat                                 upx
  behavioral1/memory/2432-52-0x0000000010000000-0x000000001009F000-memory.dmp   upx
  behavioral1/memory/2432-152-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-153-0x0000000010000000-0x000000001009F000-memory.dmp  upx
  behavioral1/memory/2432-155-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-156-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-158-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-160-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-162-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-164-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-166-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-168-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-170-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-172-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-174-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-176-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-178-0x0000000000400000-0x0000000000564000-memory.dmp  upx
  behavioral1/memory/2432-180-0x0000000000400000-0x0000000000564000-memory.dmp  upx

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description               ioc       Process
  File opened (read-only)   \??\A:    Free Ride Games.exe
  File opened (read-only)   \??\B:    Free Ride Games.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                   Process
  File opened for modification   \??\PhysicalDrive0    Free Ride Games.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                      Process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0          Free Ride Games.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz     Free Ride Games.exe

Modifies Internet Explorer settings
  description   ioc                                                                                                   Process
  Key created   \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main   Free Ride Games.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    Process
  2432   Free Ride Games.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid    Process
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe
  2432   Free Ride Games.exe

Suspicious use of WriteProcessMemory (36 IoCs)
Each row below was recorded four times, giving the 36 events.
  description            pid    Process                                              procid_target
  PID wrote to memory of 2432   2612   201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe   28
  PID wrote to memory of 2488   2432   Free Ride Games.exe                                  29
  PID wrote to memory of 2740   1860   cmhelper.exe                                         31
  PID wrote to memory of 2856   2432   Free Ride Games.exe                                  32
  PID wrote to memory of 2400   2908   cmhelper.exe                                         34
  PID wrote to memory of 1772   2432   Free Ride Games.exe                                  35
  PID wrote to memory of 1904   1604   cmhelper.exe                                         37
  PID wrote to memory of 2484   2432   Free Ride Games.exe                                  38
  PID wrote to memory of 848    1292   cmhelper.exe                                         40
Processes

C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe (PID 2612, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe (PID 2432, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '725350' m 'FRG_Website' t '0' l 'Default'"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 2488, depth 3)
      command line: UPR
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 2856, depth 3)
      command line: UPW
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 1772, depth 3)
      command line: UPW
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 2484, depth 3)
      command line: UPW
      - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 1860, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 2740, depth 2)
    command line: R
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 2908, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 2400, depth 2)
    command line: W
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 1604, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 1904, depth 2)
    command line: W
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 1292, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe (PID 848, depth 2)
    command line: W
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 23B
  MD5: 4174cb800274e3c271f7e53ae1b9ae35
  SHA1: 6ac0ca77eef3b68c8db3349f1ceb0c8083450642
  SHA256: d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e
  SHA512: c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd

- Filesize: 120B
  MD5: ff39c9539bceb07d5abefaf4a93386ad
  SHA1: 7576a04c03feb0c88c58834c2e54a0dd3ab8fdcb
  SHA256: a9b5dc1274a146ce141b409dea5a84e4a44c59d7cadd367859335d4d52deaef1
  SHA512: c3508558c7da4107aa82c56af4e47e2b57282e502e7bde15155caa37c57e5ca0402f13fb31dc09ca2ae75cf346adccd3f534b87677f056bb70abeba32052d254

- Filesize: 237B
  MD5: 84db210b8748ae2489d2b0050ed213b1
  SHA1: 4acf88ebf1c95041bcab6ade53d862ab9dbbb8f7
  SHA256: 94e7db7f6587dfa286423740aad31445abdbaf55de052ba496bd0d681d6b5dcf
  SHA512: e0d1ab83687eab8910691783e287f9a0cb5cff50b6113f6b068142e752483906c9e1567ac8481e3bdc47a49ebb30e48bc7d364e80444b80d4611ee2c0b069d16

- Filesize: 351B
  MD5: 809471c87c07c10440f37c1d9dd2bbb5
  SHA1: 1a7ed896e012d2b536a241189f1e63960a1ce3da
  SHA256: 5f222bf9acdcabb89a91c695dedc626edcfb7938362c5c4dfbd0eac9950f3024
  SHA512: ac6f608124bac8660a1b4b7fb9a6f7d08a122790d5ae4fa4abbae47fb74dcec5ce211c046567ecbd3f4ded18ee98a74426f06b58a1c9d3b64b4550ab05ff7c9e

- Filesize: 234KB
  MD5: 51d301714c7361192d6305f6c46d90d1
  SHA1: f546aac6dfab1187228df393e0db2c21e4fee1d0
  SHA256: c9245047b86f8359a7f313434b85af481008e8cdf9579fd55aff8b8fbfb5ebcb
  SHA512: 9b6149c9c099f9cea3d574723d9ff6678d4f91ae7408349738a999d4986ce3cb7b4886f2972f6f1d3b27f7f7453a764f05c50d383f7054234b4ae55437d369b6

- Filesize: 171KB
  MD5: 5cf0fba9e8775382233c8e63e52c838a
  SHA1: b2a092f71eff0f6916652d7f3bfde9204eda5636
  SHA256: 7d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5
  SHA512: 73489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25

- Filesize: 324B
  MD5: 06b24c53d2a4013ebb004cf284e474ff
  SHA1: d84fdc8a4c2b05579e7f68831dae2513c7629c99
  SHA256: 29b9cee2bba2cb6be8a257d6b5aa16a9a53eadd80172f69159829168a60a2e5e
  SHA512: 3fe25c065aeba5baee74663e1cdf13b621b7aa78c698416c25451378cc0bd54ec80504e7d2b80b9776a6c1d52b5a88feeb388bc5197bf77c94d2f50dfa7a6621

- Filesize: 519KB
  MD5: 2db35d715864b8846f21dc95756171e0
  SHA1: ed9030449256bd21e4f041961fb27bbbeddd7fff
  SHA256: 854bb62475a4b700a7ec49651610d050f1651491d0148c4bd4928b18bdc0436b
  SHA512: 65b62a0450a60f736af6ac42d6bec252160feac0681cc6319cbd32e76d631a4ea6d206dd62cee5cc00dd22e3de8dbf042024caa22d4288f8b932276f7b93898f

- Filesize: 475KB
  MD5: 41d94c8eb8cb17e04f8ec6e14132f9ca
  SHA1: add92b031eb36b26335763780df88bca58636ed7
  SHA256: 2e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96
  SHA512: 0561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7

- Filesize: 11KB
  MD5: a436db0c473a087eb61ff5c53c34ba27
  SHA1: 65ea67e424e75f5065132b539c8b2eda88aa0506
  SHA256: 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
  SHA512: 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d