Analysis
max time kernel: 142s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 12:33
Static task: static1
Behavioral task: behavioral1
  Sample: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe
Size: 796KB
MD5: 3d64e74401d4479a0595f1fea72d4b7e
SHA1: e78a9780e965c563b50f355f7b77ce131af667b6
SHA256: 06a931e21027555823d7b088b9ec98d394cc7fa7b05681c15693d992ff5730fc
SHA512: 0d0262448d585b90f0cfd5ca839efb7cf70e2f19a61caf4ee85ded108548ba526abae27103591cabb65103d6564670eecb90bfe926f45cc25a370691effdad94
SSDEEP: 12288:ywEyqS+KnjhoSoqcKHg+MASELny2XrWNYMzUW43YHb8GsWUroXVoSQj4hhOxON4y:yRyqSMqcWtX9fo78GgrJjqhOxORd
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
  resource behavioral2/files/0x000a0000000233ac-6.dat  yara_rule: acprotect
  resource behavioral2/files/0x0008000000023469-25.dat  yara_rule: acprotect
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation  (process: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe)
Executes dropped EXE (1 IoC)
  PID 5036  Free Ride Games.exe

Loads dropped DLL (4 IoCs)
  PID 2136  3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe
  PID 5036  Free Ride Games.exe
  PID 5036  Free Ride Games.exe
  PID 5036  Free Ride Games.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

yara_rule: upx
  resource behavioral2/files/0x000a0000000233ac-6.dat
  resource behavioral2/memory/2136-9-0x0000000010000000-0x0000000010060000-memory.dmp
  resource behavioral2/files/0x000b000000023404-13.dat
  resource behavioral2/memory/5036-22-0x0000000000400000-0x0000000000526000-memory.dmp
  resource behavioral2/files/0x0008000000023469-25.dat
  resource behavioral2/memory/5036-30-0x0000000010000000-0x0000000010075000-memory.dmp
  resource behavioral2/memory/5036-32-0x0000000010000000-0x0000000010075000-memory.dmp
  resource behavioral2/memory/5036-87-0x0000000000400000-0x0000000000526000-memory.dmp
  resource behavioral2/memory/5036-89-0x0000000010000000-0x0000000010075000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe \"l 'Startup' u 'http://www.freeridegames.com/do/SDM?action=config&contentId=%d' p '143' c '708650'\""  (process: Free Ride Games.exe)
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\A:  (process: Free Ride Games.exe)
  File opened (read-only): \??\B:  (process: Free Ride Games.exe)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0  (process: Free Ride Games.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (process: Free Ride Games.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (process: Free Ride Games.exe)
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 5036  Free Ride Games.exe
  PID 5036  Free Ride Games.exe
  PID 5036  Free Ride Games.exe
  PID 5036  Free Ride Games.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2136 wrote to memory of 5036  (process: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe, procid_target: 86)
  PID 2136 wrote to memory of 5036  (process: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe, procid_target: 86)
  PID 2136 wrote to memory of 5036  (process: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe, procid_target: 86)
  PID 2136 wrote to memory of 4952  (process: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe, procid_target: 88)
  PID 2136 wrote to memory of 4952  (process: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe, procid_target: 88)
  PID 2136 wrote to memory of 4952  (process: 3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe, procid_target: 88)
Processes

C:\Users\Admin\AppData\Local\Temp\3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe  (PID 2136)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe  (PID 5036, child of 2136)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDM?action=config&contentId=%d' p '143' c '708650' l 'Installer'"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe  (PID 4952, child of 2136)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads