Analysis

  • max time kernel
    140s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2024, 11:01

General

  • Target

    45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    45dd116e52fb1392286d3eb314f6acd1

  • SHA1

    d758492f1daa1abf4c2487cb15e7a2c597577001

  • SHA256

    3c0ad5ebd56e8f848469e5582af02388be4c98d3b34403c21d900112ed23a71b

  • SHA512

    cf81a384c32be82e81cdcd5e15830f60c879e1d7a7e56a55b2a4b77d84da7eb4fd42e27b37fa008c8bc1e0c7b0e002d1c555c7ff4ac898419b61a1f5a216074c

  • SSDEEP

    24576:E0X2vzptbfKL1oX1Y5wrrRsrW7RdYxMn4iuKbQaqfQN+Qfsq7:1Gvz5Xa0Nsr4Qx64qfqqB0q7

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.

  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Executes dropped EXE 33 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
      "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '523950' m 'freegamecpa002' t '0' l 'Default'"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UHR
        3⤵
        • Executes dropped EXE
        PID:3704
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UPR
        3⤵
        • Executes dropped EXE
        PID:1980
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        ER
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
          R
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:2976
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UHW
        3⤵
        • Executes dropped EXE
        PID:1532
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UPW
        3⤵
        • Executes dropped EXE
        PID:4460
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        EW
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3600
        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
          W
          4⤵
          • Executes dropped EXE
          PID:2392
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UHW
        3⤵
        • Executes dropped EXE
        PID:3804
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UPW
        3⤵
        • Executes dropped EXE
        PID:232
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        EW
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
          W
          4⤵
          • Executes dropped EXE
          PID:1776
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UHW
        3⤵
        • Executes dropped EXE
        PID:4324
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        UPW
        3⤵
        • Executes dropped EXE
        PID:3660
      • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
        EW
        3⤵
        • Executes dropped EXE
        PID:4268
        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
          W
          4⤵
          • Executes dropped EXE
          PID:4052
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HR
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      R
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:3460
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      R
      2⤵
      • Executes dropped EXE
      PID:1108
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:2592
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:3324
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:4464
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:2980
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:2500
  • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
    "C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
    1⤵
    • Executes dropped EXE
    PID:1848
    • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      W
      2⤵
      • Executes dropped EXE
      PID:3788
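As an added example (not part of the sandbox report or its tooling), the script below parses a compacted copy of the process tree above together with the memory-dump names listed further down, recovers parent/child links from the N⤵ depth markers, and answers the questions an analyst asks of this tree: how many executions of dropped files there are (the report's 33), how often cmhelper.exe re-launches its own image, which short argument strings it is started with, which instances have no recorded parent, and which processes the sandbox dumped memory from and how large each region is. The PROCESS_TREE and MEMORY_DUMPS data are constructed transcripts of the report; the meaning of the one- to three-letter cmhelper.exe modes (UHR, UPW, W, ...) is not documented on this page and the script does not guess at it.

```python
"""Summarise a sandbox process tree and its memory-dump list.

Added example for this report, not the sandbox's own code. PROCESS_TREE and
MEMORY_DUMPS are constructed, compacted copies of the Processes section and
the memory/ entries: one process per line as "depth|pid|image|arguments",
depth being the N in "N⤵"; dumps as (pid, start, end) from the dump names.
"""
from collections import Counter

SAMPLE = "45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe"

PROCESS_TREE = """\
1|4880|45dd116e52fb1392286d3eb314f6acd1_JaffaCakes118.exe|
2|4452|Free Ride Games.exe|u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '523950' m 'freegamecpa002' t '0' l 'Default'
3|3704|cmhelper.exe|UHR
3|1980|cmhelper.exe|UPR
3|1576|cmhelper.exe|ER
4|2976|cmhelper.exe|R
3|1532|cmhelper.exe|UHW
3|4460|cmhelper.exe|UPW
3|3600|cmhelper.exe|EW
4|2392|cmhelper.exe|W
3|3804|cmhelper.exe|UHW
3|232|cmhelper.exe|UPW
3|4048|cmhelper.exe|EW
4|1776|cmhelper.exe|W
3|4324|cmhelper.exe|UHW
3|3660|cmhelper.exe|UPW
3|4268|cmhelper.exe|EW
4|4052|cmhelper.exe|W
1|1636|cmhelper.exe|HR
2|3460|cmhelper.exe|R
1|1000|cmhelper.exe|PR
2|1108|cmhelper.exe|R
1|408|cmhelper.exe|HW
2|2592|cmhelper.exe|W
1|680|cmhelper.exe|PW
2|3324|cmhelper.exe|W
1|4800|cmhelper.exe|HW
2|4464|cmhelper.exe|W
1|2724|cmhelper.exe|PW
2|2980|cmhelper.exe|W
1|1484|cmhelper.exe|HW
2|2500|cmhelper.exe|W
1|1848|cmhelper.exe|PW
2|3788|cmhelper.exe|W
"""

MEMORY_DUMPS = [
    (1776, 0xC40000, 0xC7A000), (2392, 0x680000, 0x6BA000),
    (2500, 0x10000, 0x4A000), (2592, 0xFA0000, 0xFDA000),
    (2976, 0xEB0000, 0xEEA000), (3460, 0x6F0000, 0x72A000),
    (4052, 0x780000, 0x7BA000), (4452, 0x10000000, 0x1009F000),
    (4452, 0x400000, 0x553000), (4464, 0x2F0000, 0x32A000),
]


def parse_tree(text):
    """Recover parent links from depth alone: a process at depth d is the
    child of the most recent process seen at depth d-1 (depth 1 = root)."""
    nodes, last_at_depth = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        depth, pid, image, args = line.split("|", 3)
        node = {"pid": int(pid), "image": image, "args": args,
                "parent": last_at_depth.get(int(depth) - 1)}
        nodes.append(node)
        last_at_depth[int(depth)] = node
    return nodes


def execution_counts(nodes):
    """Executions per image name."""
    return Counter(n["image"] for n in nodes)


def dropped_exe_executions(nodes, sample=SAMPLE):
    """Everything that ran other than the submitted sample itself."""
    return sum(1 for n in nodes if n["image"] != sample)


def self_spawns(nodes):
    """(parent_pid, child_pid, parent_args, child_args) for every process
    whose parent is another instance of the same image."""
    return [(n["parent"]["pid"], n["pid"], n["parent"]["args"], n["args"])
            for n in nodes if n["parent"] and n["parent"]["image"] == n["image"]]


def launch_modes(nodes, image):
    """Distinct command-line arguments an image was started with, counted."""
    return Counter(n["args"] for n in nodes if n["image"] == image)


def roots(nodes):
    """Processes with no parent recorded in the tree."""
    return [n for n in nodes if n["parent"] is None]


def dumped_regions(nodes, dumps=MEMORY_DUMPS):
    """(pid, image, args, size_kib) for each dumped region, in input order."""
    by_pid = {n["pid"]: n for n in nodes}
    return [(pid, by_pid[pid]["image"], by_pid[pid]["args"], (end - start) // 1024)
            for pid, start, end in dumps]


if __name__ == "__main__":
    tree = parse_tree(PROCESS_TREE)
    print("executions:", dict(execution_counts(tree)))
    print("dropped EXE executions:", dropped_exe_executions(tree))
    print("self-spawns:", len(self_spawns(tree)))
    print("cmhelper modes:", dict(launch_modes(tree, "cmhelper.exe")))
    print("unparented:", [(n["pid"], n["args"]) for n in roots(tree)])
    for row in dumped_regions(tree):
        print("dump:", row)
```

Running it reproduces the report's "Executes dropped EXE 33 IoCs" (one Free Ride Games.exe plus 32 cmhelper.exe executions), shows that 12 of the cmhelper.exe instances were launched by another cmhelper.exe, that 8 cmhelper.exe instances appear as roots with no parent attributed by the sandbox, and that every 232KB region the sandbox dumped belongs to a cmhelper.exe instance started with the bare W or R argument, while the two larger regions (636KB at 0x10000000 and 1.3MB at 0x400000) belong to Free Ride Games.exe (PID 4452).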

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

          Filesize

          124B

          MD5

          fb3a188212121e1ac2094abcfae9feb0

          SHA1

          f62de839a00d360369a6218599a64063a60d067d

          SHA256

          063fba1a524cd6aa1628198afc8548c1559af8f470acc4c473f3403ecf565d5b

          SHA512

          5405e055e8442c37451f14f4c9252feefbf7dbc07b836b1b7545a1353cbddf8940bc5147c038b933664de9418f27c5ec9b847b392541ddcb0e3d3d6bebe709ea

        • C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat

          Filesize

          242B

          MD5

          8ca0dbdbc8b73478da3ffc9d231b1157

          SHA1

          8eafaac899e8ad11ddbf3456016084eabc09b707

          SHA256

          9b95fdf586d8b33a092fe9c66bf65b15c252d89c076524e9c4ae3850308b92de

          SHA512

          2299a13648819f6b20b7c0008f3f53c144efe143a2fdca55c3a375b3af97208f6d41209357c99617a3a1ea7f8a9f875ad2738e1c458e906b4e912d722bccb53a

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Temp\ietemp1.dat

          Filesize

          309B

          MD5

          47acc7d90289fff59122a831c7501187

          SHA1

          39f8f9bd954a4ce4c865df7172674b163e0a0347

          SHA256

          3b9cf4dbc00dd23a45934c93df0a8ca170bcc34ae8c637a5b87ce30e5cf10d36

          SHA512

          eb4ffd366cb2d411d576ab7a10366db25994c5e6e80ef54eeeae1fcb9ea47830740653c9da5090ba134a25ac823a9cab43321964f36eb3c7884f31ed1f1bb67e

        • C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat

          Filesize

          23B

          MD5

          4174cb800274e3c271f7e53ae1b9ae35

          SHA1

          6ac0ca77eef3b68c8db3349f1ceb0c8083450642

          SHA256

          d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e

          SHA512

          c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd

        • C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat

          Filesize

          108B

          MD5

          5ce713e4a2ef901e3a1d5e34f47e7631

          SHA1

          9a293c0aafba9599f3764d79ace141b3f38ae5be

          SHA256

          10ab09d2b5152ff8d8897458eb831d0e44eebf521c8958a6049e137f887c83b1

          SHA512

          620a36b17fabbd0617078316832e3df4c3cd1b0a4ae58e0017c614423b4b0e0c144d26d6ffe6b17a9759b0a0c3ff1444b00d4fe543537d21b159a078840e55ea

        • C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat

          Filesize

          210B

          MD5

          bc74eaa586f2c9ca918aaff5106a345a

          SHA1

          c560c484fce5fc353a61b94cb993521fc704917c

          SHA256

          7aa1352ef69fd198283104bdc2be672dde0fc2635b1a3d4fface1a4ce92d8cc1

          SHA512

          e436c56009da0e41d80055ed4bfa939b9439d814e0240ffcd0cfca7193b5acc5852cc7a1bfa4ffe4f9fa1045870ac5d4b75ecd9efe6db90679e9150f95e239ee

        • C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe

          Filesize

          504KB

          MD5

          23cad4075e1fd5d47c0434fef549efde

          SHA1

          d7cdc7cb933466474986ae37fc7ebefdad601aaf

          SHA256

          18f4519d20252bf579b887adec25554ac412bd79604547cca12f9f589549f952

          SHA512

          e4176411caac89db8dd073f2b47b7970168dacad4cdecc6edae310591e279149430b10ab1f956a7722ab22677ca893bfc4eb3fe17009b9b73a95e288c12c89b1

        • C:\Users\Admin\AppData\Local\Temp\SDM143\Splasher.dll

          Filesize

          475KB

          MD5

          41d94c8eb8cb17e04f8ec6e14132f9ca

          SHA1

          add92b031eb36b26335763780df88bca58636ed7

          SHA256

          2e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96

          SHA512

          0561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7

        • C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe

          Filesize

          234KB

          MD5

          3a9774028e1e3968b8c202fd199d0084

          SHA1

          6e19763c3f42c8d6596135a7566bef07a0cbeadd

          SHA256

          93a63465ea363661a141043c404f5b94ab9ac6cfeee3fd158bdf4e1fc50e3af5

          SHA512

          ea7e67887d7b8fd3e6049ee1ba7a786bb895158279e464c5c7a35e323aefac34e81e5515e493acf447953a08f13b94024c4a460ebc77f03ef0d305feb8b81d06

        • C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll

          Filesize

          171KB

          MD5

          5cf0fba9e8775382233c8e63e52c838a

          SHA1

          b2a092f71eff0f6916652d7f3bfde9204eda5636

          SHA256

          7d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5

          SHA512

          73489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25

        • C:\Users\Admin\AppData\Local\Temp\nsr7252.tmp\System.dll

          Filesize

          11KB

          MD5

          a436db0c473a087eb61ff5c53c34ba27

          SHA1

          65ea67e424e75f5065132b539c8b2eda88aa0506

          SHA256

          75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

          SHA512

          908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

        • memory/1776-111-0x0000000000C40000-0x0000000000C7A000-memory.dmp

          Filesize

          232KB

        • memory/2392-89-0x0000000000680000-0x00000000006BA000-memory.dmp

          Filesize

          232KB

        • memory/2500-117-0x0000000000010000-0x000000000004A000-memory.dmp

          Filesize

          232KB

        • memory/2592-78-0x0000000000FA0000-0x0000000000FDA000-memory.dmp

          Filesize

          232KB

        • memory/2976-71-0x0000000000EB0000-0x0000000000EEA000-memory.dmp

          Filesize

          232KB

        • memory/3460-60-0x00000000006F0000-0x000000000072A000-memory.dmp

          Filesize

          232KB

        • memory/4052-124-0x0000000000780000-0x00000000007BA000-memory.dmp

          Filesize

          232KB

        • memory/4452-52-0x0000000010000000-0x000000001009F000-memory.dmp

          Filesize

          636KB

        • memory/4452-50-0x0000000010000000-0x000000001009F000-memory.dmp

          Filesize

          636KB

        • memory/4452-47-0x0000000010000000-0x000000001009F000-memory.dmp

          Filesize

          636KB

        • memory/4452-44-0x0000000000400000-0x0000000000553000-memory.dmp

          Filesize

          1.3MB

        • memory/4452-153-0x0000000000400000-0x0000000000553000-memory.dmp

          Filesize

          1.3MB

        • memory/4464-96-0x00000000002F0000-0x000000000032A000-memory.dmp

          Filesize

          232KB