Overview
overview
7Static
static
745dd116e52...18.exe
windows7-x64
745dd116e52...18.exe
windows10-2004-x64
7$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$TEMP/SDM1...er.dll
windows7-x64
7$TEMP/SDM1...er.dll
windows10-2004-x64
7$TEMP/SDM1...es.exe
windows7-x64
7$TEMP/SDM1...es.exe
windows10-2004-x64
7$TEMP/SDM1...er.dll
windows7-x64
1$TEMP/SDM1...er.dll
windows10-2004-x64
3$TEMP/SDM1...er.exe
windows7-x64
1$TEMP/SDM1...er.exe
windows10-2004-x64
1$TEMP/SDM1...ll.dll
windows7-x64
7$TEMP/SDM1...ll.dll
windows10-2004-x64
7Analysis
-
max time kernel
142s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 11:01
Behavioral task
behavioral1
Sample
45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$TEMP/SDM143/ExentCtlInstaller.dll
Resource
win7-20240220-en
Behavioral task
behavioral10
Sample
$TEMP/SDM143/ExentCtlInstaller.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$TEMP/SDM143/Free Ride Games.exe
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
$TEMP/SDM143/Free Ride Games.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
$TEMP/SDM143/Splasher.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$TEMP/SDM143/Splasher.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
$TEMP/SDM143/cmhelper.exe
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
$TEMP/SDM143/cmhelper.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
$TEMP/SDM143/resourceDll.dll
Resource
win7-20240419-en
Behavioral task
behavioral18
Sample
$TEMP/SDM143/resourceDll.dll
Resource
win10v2004-20240426-en
General
-
Target
45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
45dd116e52fb1392286d3eb314f6acd1
-
SHA1
d758492f1daa1abf4c2487cb15e7a2c597577001
-
SHA256
3c0ad5ebd56e8f848469e5582af02388be4c98d3b34403c21d900112ed23a71b
-
SHA512
cf81a384c32be82e81cdcd5e15830f60c879e1d7a7e56a55b2a4b77d84da7eb4fd42e27b37fa008c8bc1e0c7b0e002d1c555c7ff4ac898419b61a1f5a216074c
-
SSDEEP
24576:E0X2vzptbfKL1oX1Y5wrrRsrW7RdYxMn4iuKbQaqfQN+Qfsq7:1Gvz5Xa0Nsr4Qx64qfqqB0q7
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0006000000016455-46.dat acprotect -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000600000001611e-40.dat upx behavioral1/memory/2644-45-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/files/0x0006000000016455-46.dat upx behavioral1/memory/2644-51-0x0000000010000000-0x000000001009F000-memory.dmp upx behavioral1/memory/2644-53-0x0000000010000000-0x000000001009F000-memory.dmp upx behavioral1/memory/2644-153-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-156-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-157-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-159-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-161-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-163-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-165-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-167-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-169-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-171-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-173-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-175-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-177-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-179-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2644-181-0x0000000000400000-0x0000000000553000-memory.dmp upx -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: Free Ride Games.exe File opened (read-only) \??\B: Free Ride Games.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Free Ride Games.exe -
Executes dropped EXE 13 IoCs
pid Process 2644 Free Ride Games.exe 2996 cmhelper.exe 1632 cmhelper.exe 2580 cmhelper.exe 2608 cmhelper.exe 620 cmhelper.exe 1616 cmhelper.exe 2224 cmhelper.exe 1872 cmhelper.exe 1588 cmhelper.exe 1540 cmhelper.exe 2400 cmhelper.exe 852 cmhelper.exe -
Loads dropped DLL 18 IoCs
pid Process 2044 45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe 2044 45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe 2044 45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe 1632 cmhelper.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe 620 cmhelper.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe 1872 cmhelper.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe 2400 cmhelper.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Free Ride Games.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Free Ride Games.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main Free Ride Games.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2644 Free Ride Games.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2644 Free Ride Games.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe 2644 Free Ride Games.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2044 wrote to memory of 2644 2044 45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe 28 PID 2044 wrote to memory of 2644 2044 45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe 28 PID 2044 wrote to memory of 2644 2044 45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe 28 PID 2044 wrote to memory of 2644 2044 45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe 28 PID 2644 wrote to memory of 2996 2644 Free Ride Games.exe 29 PID 2644 wrote to memory of 2996 2644 Free Ride Games.exe 29 PID 2644 wrote to memory of 2996 2644 Free Ride Games.exe 29 PID 2644 wrote to memory of 2996 2644 Free Ride Games.exe 29 PID 1632 wrote to memory of 2580 1632 cmhelper.exe 31 PID 1632 wrote to memory of 2580 1632 cmhelper.exe 31 PID 1632 wrote to memory of 2580 1632 cmhelper.exe 31 PID 1632 wrote to memory of 2580 1632 cmhelper.exe 31 PID 2644 wrote to memory of 2608 2644 Free Ride Games.exe 32 PID 2644 wrote to memory of 2608 2644 Free Ride Games.exe 32 PID 2644 wrote to memory of 2608 2644 Free Ride Games.exe 32 PID 2644 wrote to memory of 2608 2644 Free Ride Games.exe 32 PID 620 wrote to memory of 1616 620 cmhelper.exe 34 PID 620 wrote to memory of 1616 620 cmhelper.exe 34 PID 620 wrote to memory of 1616 620 cmhelper.exe 34 PID 620 wrote to memory of 1616 620 cmhelper.exe 34 PID 2644 wrote to memory of 2224 2644 Free Ride Games.exe 35 PID 2644 wrote to memory of 2224 2644 Free Ride Games.exe 35 PID 2644 wrote to memory of 2224 2644 Free Ride Games.exe 35 PID 2644 wrote to memory of 2224 2644 Free Ride Games.exe 35 PID 1872 wrote to memory of 1588 1872 cmhelper.exe 37 PID 1872 wrote to memory of 1588 1872 cmhelper.exe 37 PID 1872 wrote to memory of 1588 1872 cmhelper.exe 37 PID 1872 wrote to memory of 1588 1872 cmhelper.exe 37 PID 2644 wrote to memory of 1540 2644 Free Ride Games.exe 38 PID 2644 wrote to memory of 1540 2644 Free Ride Games.exe 38 PID 2644 wrote to memory of 1540 2644 Free Ride Games.exe 38 PID 2644 wrote to memory of 1540 2644 Free Ride Games.exe 38 PID 2400 wrote to memory of 852 2400 cmhelper.exe 40 PID 2400 wrote to memory of 852 2400 cmhelper.exe 40 PID 2400 wrote to memory of 852 2400 cmhelper.exe 40 PID 2400 wrote to memory of 852 2400 cmhelper.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '523950' m 'freegamecpa002' t '0' l 'Default'"2⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPR3⤵
- Executes dropped EXE
PID:2996
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:2608
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:2224
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:1540
-
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeR2⤵
- Executes dropped EXE
PID:2580
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:1616
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:1588
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:852
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23B
MD54174cb800274e3c271f7e53ae1b9ae35
SHA16ac0ca77eef3b68c8db3349f1ceb0c8083450642
SHA256d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e
SHA512c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd
-
Filesize
124B
MD514f327e5d6e5fd90c10bc9e5643d7079
SHA10998936414cd8b384c7ea7f530a58dcde19be79e
SHA256d8b674d9972a5b6ec4fcefce4af03db105b329bfa8fcd41dd61d7345396baec1
SHA512360432ba7da95b9c7cd93942c4f62c1322232c26ce21f30ae22a10957c974ed5dc65d36a908992915a0837d7ec10a6b9d5e6745548162488871768a2d0acd348
-
Filesize
242B
MD577aa5b00751e21f30f2e539789a17d12
SHA1d3030a3a04d08f0b310750ce2928c03751ee8328
SHA2562d8c136788e85960a253f577f2050ec6aff41027b7dd125fbd99c86f52e44471
SHA5128054e7a00b9b82f36bef1a0f350222c0a6449335e3f926a895cce25f052f2c57b291bb32539808165d988459dc32942fb5c3463da1c2294d792e5ba47296c846
-
Filesize
357B
MD5446d2dd97d848bb144e4e97f4f3746e7
SHA1d6635fe76f3d4a449107b68d0bf9225a741a4acd
SHA256fd6665749c3ec550c9ecd6a9f68537234cd0bc114a1d6a9cac5beeea7f8b17b1
SHA5122168db27077995bea4849b0e56f2f356bc71a1708b168c0f392c5915d0bb52d75dbeb9ee5c061f587426ca8dc10ccf2af46171e83a1b1cf1ebdacac186aa9e8a
-
Filesize
234KB
MD53a9774028e1e3968b8c202fd199d0084
SHA16e19763c3f42c8d6596135a7566bef07a0cbeadd
SHA25693a63465ea363661a141043c404f5b94ab9ac6cfeee3fd158bdf4e1fc50e3af5
SHA512ea7e67887d7b8fd3e6049ee1ba7a786bb895158279e464c5c7a35e323aefac34e81e5515e493acf447953a08f13b94024c4a460ebc77f03ef0d305feb8b81d06
-
Filesize
171KB
MD55cf0fba9e8775382233c8e63e52c838a
SHA1b2a092f71eff0f6916652d7f3bfde9204eda5636
SHA2567d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5
SHA51273489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25
-
Filesize
330B
MD53cf94f85e52b31f8ae911e10694d3b48
SHA1797044c6dd2fb313eff4b078ad3cadc2c63de64f
SHA2560bee39a1c0d2512ca2412057d4f40023e8c960c1cebcc18f8bed091c71006f3c
SHA5122c47b59f25d2d9bdaf50dea54df1d0b67d909fb1d287e663ff9c78f68df7fb0713f81a3d5eca048ed9780dc6c2590ef36211b03c000a46532ccc7baeef85bd46
-
Filesize
504KB
MD523cad4075e1fd5d47c0434fef549efde
SHA1d7cdc7cb933466474986ae37fc7ebefdad601aaf
SHA25618f4519d20252bf579b887adec25554ac412bd79604547cca12f9f589549f952
SHA512e4176411caac89db8dd073f2b47b7970168dacad4cdecc6edae310591e279149430b10ab1f956a7722ab22677ca893bfc4eb3fe17009b9b73a95e288c12c89b1
-
Filesize
475KB
MD541d94c8eb8cb17e04f8ec6e14132f9ca
SHA1add92b031eb36b26335763780df88bca58636ed7
SHA2562e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96
SHA5120561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7
-
Filesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d