Analysis

  • max time kernel
    140s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/05/2024, 09:01

General

  • Target

    201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    201df4e8a9f4ed1210d9f6e969e7d0d6

  • SHA1

    4fdc5b02e92874e7eccba4d77c8815b44fc80230

  • SHA256

    36026ae67867a75d0a02b8f7d4d72f6b52790ef55d8eee8a326af1de95802896

  • SHA512

    b0d9600757f8a6f2a2227c3fe8e4161d862dbfe4b2e3e3091668cd37d079f86c9e6716f8e539649e48689e59d745b5d274481a2b5b37a9e43a35e40b546c53a9

  • SSDEEP

    24576:AQX2vzpbZGaKBVlEn+f3VgikCFkJ9k4i/izgNwMqfQN+Qfsqz:jGvz7GfY+f3VOCiJS46iwwMqqB0qz

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 33 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
      "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '725350' m 'FRG_Website' t '0' l 'Default'"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UHR
        3⤵
        • Executes dropped EXE
        PID:1264
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UPR
        3⤵
        • Executes dropped EXE
        PID:1924
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        ER
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
          R
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:3852
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UHW
        3⤵
        • Executes dropped EXE
        PID:3544
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UPW
        3⤵
        • Executes dropped EXE
        PID:3136
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        EW
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
          W
          4⤵
          • Executes dropped EXE
          PID:2972
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UHW
        3⤵
        • Executes dropped EXE
        PID:4188
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UPW
        3⤵
        • Executes dropped EXE
        PID:3300
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        EW
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
          W
          4⤵
          • Executes dropped EXE
          PID:2068
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UHW
        3⤵
        • Executes dropped EXE
        PID:1756
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UPW
        3⤵
        • Executes dropped EXE
        PID:2884
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        EW
        3⤵
        • Executes dropped EXE
        PID:376
        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
          W
          4⤵
          • Executes dropped EXE
          PID:2004
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HR
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      R
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:4600
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      R
      2⤵
      • Executes dropped EXE
      PID:3636
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:3948
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:3168
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:2156
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:4300
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:4784
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
    1⤵
    • Executes dropped EXE
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:1340

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

          Filesize

          120B

          MD5

          0c45fa8b2ade0350fb4b365d0f3bd0c5

          SHA1

          40c21f3e32cf6a5d34fe28ee80cab82cc4d18f83

          SHA256

          04ab457337fb730f1020e7f98fd4ec700ca8a352e8d93ac1f136136361f1f4cd

          SHA512

          a451cf97311404234294ee81c5852a583c8a353b47c1adeb1f449abfe6cbb5c36c21d2242ab67851f614064e811542dabd2aa7e085b05bee97fd59dc1958e35d

        • C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

          Filesize

          237B

          MD5

          8ac860802471226f56ec78bd74859e10

          SHA1

          9a5c7fd8bdb0747588a05b0a86a23e43d497eed5

          SHA256

          ed9c4a2c292e6cb6800b44404eced2a9e60544679311189a01690a71241d75c4

          SHA512

          05c353cbf54b62eefb2d54425867f6f4b25f192366f0b7c2bb0ac931103592e8af170c457d7e55412daf1df5826f64f7d4e58d7fdab3e1a4ed4fa57ba2a92bf3

        • C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

          Filesize

          351B

          MD5

          ffcbdf4bab636fe4ece02305c0580d5c

          SHA1

          1aab2b8fa7592e885a4444f836e1baa98150efc2

          SHA256

          d7b89218e7423b7227601b5afef3a325cf3b8250b540e6e5aa07b8ee3536e064

          SHA512

          40eabf20f3fe87c8733a55ffd011468260b0b869b1058ba979c7593ad94622c46ee1b5e2112c4bdfd19d3f8fbf23fa5f962cb0d42f71bd1ceebab87ce749baa0

        • C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat

          Filesize

          207B

          MD5

          eea4457f0b44ae8a1b59a9e48289b303

          SHA1

          b1bc54122872c9f3fca44b9e0359c45567f5d341

          SHA256

          e4eee505da10a57bcac03f202171ce83d9f06a5b959a6de87592a7ffb6b91b45

          SHA512

          96eec95c7b06245d44fd2509ee7f6a1d6a3c228f8248d449266a99ff05c201c9b8bbb971785dbdd7409be09ae86780a58147ccd06356d64d57677e2722150967

        • C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat

          Filesize

          306B

          MD5

          93c3979e09909142e87bae30948b404a

          SHA1

          9bc51c81ec4e429a052e0b4fb89944b5e016d535

          SHA256

          f44147c2181701048dc6cc48e4301ac66c2ebdf9d2818af00611730852c6a0f4

          SHA512

          2d57b627edeb7774a2ee9154a526c5afe1126caa244cc8d77ac0c5d7af8ac835e6a1232a0e3c2388bff6648b586af0f59e94c384aec38e0e74070f7d43e5c2f6

        • C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat

          Filesize

          105B

          MD5

          965f41c6fefade8f58ac045908fc16c3

          SHA1

          ff476c184a653b9d774087131231ed1f9c915450

          SHA256

          2753fc1956b8c85ba9398ed738b0f703cb02578ad3b04ef3f0fe9fd0461f77cd

          SHA512

          5de287633907934c142ac982dd1e000a3c7a3f62c9e08b405023e9dd9b62e032819703a9337a838589947da67e9deb2fe58d29828aa42f05557994b44b8326b8

        • C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat

          Filesize

          23B

          MD5

          4174cb800274e3c271f7e53ae1b9ae35

          SHA1

          6ac0ca77eef3b68c8db3349f1ceb0c8083450642

          SHA256

          d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e

          SHA512

          c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd

        • C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe

          Filesize

          519KB

          MD5

          2db35d715864b8846f21dc95756171e0

          SHA1

          ed9030449256bd21e4f041961fb27bbbeddd7fff

          SHA256

          854bb62475a4b700a7ec49651610d050f1651491d0148c4bd4928b18bdc0436b

          SHA512

          65b62a0450a60f736af6ac42d6bec252160feac0681cc6319cbd32e76d631a4ea6d206dd62cee5cc00dd22e3de8dbf042024caa22d4288f8b932276f7b93898f

        • C:\Users\Admin\AppData\Local\Temp\SDM143\Splasher.dll

          Filesize

          475KB

          MD5

          41d94c8eb8cb17e04f8ec6e14132f9ca

          SHA1

          add92b031eb36b26335763780df88bca58636ed7

          SHA256

          2e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96

          SHA512

          0561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7

        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe

          Filesize

          234KB

          MD5

          51d301714c7361192d6305f6c46d90d1

          SHA1

          f546aac6dfab1187228df393e0db2c21e4fee1d0

          SHA256

          c9245047b86f8359a7f313434b85af481008e8cdf9579fd55aff8b8fbfb5ebcb

          SHA512

          9b6149c9c099f9cea3d574723d9ff6678d4f91ae7408349738a999d4986ce3cb7b4886f2972f6f1d3b27f7f7453a764f05c50d383f7054234b4ae55437d369b6

        • C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll

          Filesize

          171KB

          MD5

          5cf0fba9e8775382233c8e63e52c838a

          SHA1

          b2a092f71eff0f6916652d7f3bfde9204eda5636

          SHA256

          7d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5

          SHA512

          73489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25

        • C:\Users\Admin\AppData\Local\Temp\nsd349E.tmp\System.dll

          Filesize

          11KB

          MD5

          a436db0c473a087eb61ff5c53c34ba27

          SHA1

          65ea67e424e75f5065132b539c8b2eda88aa0506

          SHA256

          75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

          SHA512

          908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

        • memory/412-50-0x0000000010000000-0x000000001009F000-memory.dmp

          Filesize

          636KB

        • memory/412-52-0x0000000010000000-0x000000001009F000-memory.dmp

          Filesize

          636KB

        • memory/412-47-0x0000000010000000-0x000000001009F000-memory.dmp

          Filesize

          636KB

        • memory/412-43-0x0000000000400000-0x0000000000564000-memory.dmp

          Filesize

          1.4MB

        • memory/412-189-0x0000000000400000-0x0000000000564000-memory.dmp

          Filesize

          1.4MB

        • memory/2004-147-0x0000000000040000-0x000000000007A000-memory.dmp

          Filesize

          232KB

        • memory/2068-121-0x0000000000530000-0x000000000056A000-memory.dmp

          Filesize

          232KB

        • memory/2156-110-0x0000000000890000-0x00000000008CA000-memory.dmp

          Filesize

          232KB

        • memory/2972-97-0x00000000002D0000-0x000000000030A000-memory.dmp

          Filesize

          232KB

        • memory/3852-73-0x0000000000D70000-0x0000000000DAA000-memory.dmp

          Filesize

          232KB

        • memory/3948-86-0x00000000004B0000-0x00000000004EA000-memory.dmp

          Filesize

          232KB

        • memory/4600-62-0x00000000008A0000-0x00000000008DA000-memory.dmp

          Filesize

          232KB

        • memory/4784-134-0x0000000000AE0000-0x0000000000B1A000-memory.dmp

          Filesize

          232KB