Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
7879f0eeb24...18.exe
windows7-x64
7879f0eeb24...18.exe
windows10-2004-x64
7$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$TEMP/SDM1...er.dll
windows7-x64
7$TEMP/SDM1...er.dll
windows10-2004-x64
7$TEMP/SDM1...es.exe
windows7-x64
7$TEMP/SDM1...es.exe
windows10-2004-x64
7$TEMP/SDM1...er.dll
windows7-x64
1$TEMP/SDM1...er.dll
windows10-2004-x64
3$TEMP/SDM1...er.exe
windows7-x64
1$TEMP/SDM1...er.exe
windows10-2004-x64
1$TEMP/SDM1...ll.dll
windows7-x64
7$TEMP/SDM1...ll.dll
windows10-2004-x64
7Analysis
-
max time kernel
142s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
31/05/2024, 16:23
Behavioral task
behavioral1
Sample
879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
$TEMP/SDM143/ExentCtlInstaller.dll
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
$TEMP/SDM143/ExentCtlInstaller.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$TEMP/SDM143/Free Ride Games.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
$TEMP/SDM143/Free Ride Games.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
$TEMP/SDM143/Splasher.dll
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
$TEMP/SDM143/Splasher.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
$TEMP/SDM143/cmhelper.exe
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
$TEMP/SDM143/cmhelper.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
$TEMP/SDM143/resourceDll.dll
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
$TEMP/SDM143/resourceDll.dll
Resource
win10v2004-20240426-en
General
-
Target
879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
879f0eeb24b183f4f35a09bb474f7fec
-
SHA1
3f1c6a5fa8f3242f82ee46dbe81a1071bd045a28
-
SHA256
4b04bc91719f8d04209ef9f520fc2cb27e863574fd1f1f9ca95c8c1fef51a9e7
-
SHA512
43942d690188d9785e5560599e03557e714c7021d556a6786dc0560ed60c9fa36a8181c6b2eea45738aef0715a3f8cd73f3c01b3b22ec9dfccd0b544edb6e416
-
SSDEEP
24576:yPX2vzp85e6oUS0FLTIiQ64berdI4iuKbQaqfQN+QfsqV:6Gvz0aUS0lIiQqdI4qfqqB0qV
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0006000000015cf5-47.dat acprotect -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0006000000015cce-40.dat upx behavioral1/memory/2136-45-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2416-43-0x00000000036E0000-0x0000000003833000-memory.dmp upx behavioral1/files/0x0006000000015cf5-47.dat upx behavioral1/memory/2136-51-0x0000000010000000-0x000000001009F000-memory.dmp upx behavioral1/memory/2136-53-0x0000000010000000-0x000000001009F000-memory.dmp upx behavioral1/memory/2136-153-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-154-0x0000000010000000-0x000000001009F000-memory.dmp upx behavioral1/memory/2136-156-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-157-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-159-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-161-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-163-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-165-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-167-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-169-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-171-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-173-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-175-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-177-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-179-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/2136-181-0x0000000000400000-0x0000000000553000-memory.dmp upx -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: Free Ride Games.exe File opened (read-only) \??\B: Free Ride Games.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Free Ride Games.exe -
Executes dropped EXE 13 IoCs
pid Process 2136 Free Ride Games.exe 2264 cmhelper.exe 1616 cmhelper.exe 2792 cmhelper.exe 2836 cmhelper.exe 1468 cmhelper.exe 2504 cmhelper.exe 2452 cmhelper.exe 1600 cmhelper.exe 1644 cmhelper.exe 2772 cmhelper.exe 1544 cmhelper.exe 1552 cmhelper.exe -
Loads dropped DLL 18 IoCs
pid Process 2416 879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe 2416 879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe 2416 879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe 1616 cmhelper.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe 1468 cmhelper.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe 1600 cmhelper.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe 1544 cmhelper.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Free Ride Games.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Free Ride Games.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main Free Ride Games.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2136 Free Ride Games.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2136 Free Ride Games.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe 2136 Free Ride Games.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2136 2416 879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe 28 PID 2416 wrote to memory of 2136 2416 879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe 28 PID 2416 wrote to memory of 2136 2416 879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe 28 PID 2416 wrote to memory of 2136 2416 879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe 28 PID 2136 wrote to memory of 2264 2136 Free Ride Games.exe 29 PID 2136 wrote to memory of 2264 2136 Free Ride Games.exe 29 PID 2136 wrote to memory of 2264 2136 Free Ride Games.exe 29 PID 2136 wrote to memory of 2264 2136 Free Ride Games.exe 29 PID 1616 wrote to memory of 2792 1616 cmhelper.exe 31 PID 1616 wrote to memory of 2792 1616 cmhelper.exe 31 PID 1616 wrote to memory of 2792 1616 cmhelper.exe 31 PID 1616 wrote to memory of 2792 1616 cmhelper.exe 31 PID 2136 wrote to memory of 2836 2136 Free Ride Games.exe 32 PID 2136 wrote to memory of 2836 2136 Free Ride Games.exe 32 PID 2136 wrote to memory of 2836 2136 Free Ride Games.exe 32 PID 2136 wrote to memory of 2836 2136 Free Ride Games.exe 32 PID 1468 wrote to memory of 2504 1468 cmhelper.exe 34 PID 1468 wrote to memory of 2504 1468 cmhelper.exe 34 PID 1468 wrote to memory of 2504 1468 cmhelper.exe 34 PID 1468 wrote to memory of 2504 1468 cmhelper.exe 34 PID 2136 wrote to memory of 2452 2136 Free Ride Games.exe 35 PID 2136 wrote to memory of 2452 2136 Free Ride Games.exe 35 PID 2136 wrote to memory of 2452 2136 Free Ride Games.exe 35 PID 2136 wrote to memory of 2452 2136 Free Ride Games.exe 35 PID 1600 wrote to memory of 1644 1600 cmhelper.exe 37 PID 1600 wrote to memory of 1644 1600 cmhelper.exe 37 PID 1600 wrote to memory of 1644 1600 cmhelper.exe 37 PID 1600 wrote to memory of 1644 1600 cmhelper.exe 37 PID 2136 wrote to memory of 2772 2136 Free Ride Games.exe 38 PID 2136 wrote to memory of 2772 2136 Free Ride Games.exe 38 PID 2136 wrote to memory of 2772 2136 Free Ride Games.exe 38 PID 2136 wrote to memory of 2772 2136 Free Ride Games.exe 38 PID 1544 wrote to memory of 1552 1544 cmhelper.exe 40 PID 1544 wrote to memory of 1552 1544 cmhelper.exe 40 PID 1544 wrote to memory of 1552 1544 cmhelper.exe 40 PID 1544 wrote to memory of 1552 1544 cmhelper.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\879f0eeb24b183f4f35a09bb474f7fec_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '670850' m 'playfincom' t '0' l 'Default'"2⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPR3⤵
- Executes dropped EXE
PID:2264
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:2836
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:2772
-
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeR2⤵
- Executes dropped EXE
PID:2792
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:2504
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:1644
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:1552
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23B
MD54174cb800274e3c271f7e53ae1b9ae35
SHA16ac0ca77eef3b68c8db3349f1ceb0c8083450642
SHA256d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e
SHA512c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd
-
Filesize
121B
MD564450d68260d99ff1743063d6a5149ae
SHA1ccf91ef7fd71cedc26c50462cf690c7dbcd548c3
SHA256578e40f805ea751d9b17cdc0fbad278830807a332661701e2110b97022a45022
SHA512c3f7ca31ddeeaa9c1dd143660e8b2c118fbc14403649aa7bf8594150269b5a1b6c230155dc4ee67f375f2d39f45b4c10fbca58fe2458d307072f67c248383abc
-
Filesize
239B
MD54be1177a880037cc4ec8ec1c6edb84a5
SHA183eeb059fbda6d096fe8ec97c77d362f7e8cfe6a
SHA256953dc497a25d615f93c3facf54fde1aaabfdac75e1d11361e6e4cbd5bdb27df9
SHA5122a5af90bd3d6c9069113851361aacdb026d59b6bf3517d343272ff9c3e100d94a74a1306fee0f99d84127f7ede002476c6f99526cfd97290f89d039148ef762a
-
Filesize
355B
MD5ee24dc02ce32d7c8cceefb94081fbfcd
SHA15ac9b9afd255d90ea3f236a8e412126a12211396
SHA2562985663b1ad70c660ba4f3efa61d25cd8665a30c4a34bf43153bec1206a6cb40
SHA5126e5fc870070241e94fcfd2f3527a5b74fa36f15dd0474b17a11e3586535f1ac9e3e4695880c5b3a7eafa847252e1cc110ea591d571de7cbc630cd4215e8e521d
-
Filesize
234KB
MD53a9774028e1e3968b8c202fd199d0084
SHA16e19763c3f42c8d6596135a7566bef07a0cbeadd
SHA25693a63465ea363661a141043c404f5b94ab9ac6cfeee3fd158bdf4e1fc50e3af5
SHA512ea7e67887d7b8fd3e6049ee1ba7a786bb895158279e464c5c7a35e323aefac34e81e5515e493acf447953a08f13b94024c4a460ebc77f03ef0d305feb8b81d06
-
Filesize
328B
MD52717904376239070bb02440f30dc7e60
SHA1b27b3c38955a2ea9125cf054aebe45c30c14ba8f
SHA2561251a5745ff525f16f4d339a82c86f56f950ebdc31936eb2737c3160ed662cf8
SHA512c2d931f77bf0c8df00c07aeebba315a9a443d4623af3060ad9120a53c4c0fcef3bf62e32b2002ccbf392d20338bfedbae3840ba1f88e05f9ab2a7aa9ba2950f3
-
Filesize
504KB
MD5f7a4ce326cd8b7a2e3e8b1ad80aba89a
SHA1fc00c30174b1c61c4400cd94285f944728b8c1fd
SHA25678793e27ce8c0794a036423e65d351851ed662b941f33a763f3db4ef0a6b546f
SHA51274c7fdf75f66e39708de9e89e8aebb0a38b31c3c4b170dc6cc943b3aeee900ed080ae3d77af18dd54dcadfa4ecca810d01b3b3cdb35216cb8e9b028e668fb2b1
-
Filesize
475KB
MD541d94c8eb8cb17e04f8ec6e14132f9ca
SHA1add92b031eb36b26335763780df88bca58636ed7
SHA2562e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96
SHA5120561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7
-
Filesize
171KB
MD55cf0fba9e8775382233c8e63e52c838a
SHA1b2a092f71eff0f6916652d7f3bfde9204eda5636
SHA2567d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5
SHA51273489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25
-
Filesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d