Analysis

  • max time kernel
    142s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 12:33

General

  • Target

    3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe

  • Size

    796KB

  • MD5

    3d64e74401d4479a0595f1fea72d4b7e

  • SHA1

    e78a9780e965c563b50f355f7b77ce131af667b6

  • SHA256

    06a931e21027555823d7b088b9ec98d394cc7fa7b05681c15693d992ff5730fc

  • SHA512

    0d0262448d585b90f0cfd5ca839efb7cf70e2f19a61caf4ee85ded108548ba526abae27103591cabb65103d6564670eecb90bfe926f45cc25a370691effdad94

  • SSDEEP

    12288:ywEyqS+KnjhoSoqcKHg+MASELny2XrWNYMzUW43YHb8GsWUroXVoSQj4hhOxON4y:yRyqSMqcWtX9fo78GgrJjqhOxORd

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software (2 IoCs)

    Detects file using ACProtect software.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (9 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 2 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
      "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDM?action=config&contentId=%d' p '143' c '708650' l 'Installer'"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      PID:5036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
      2⤵
      PID:4952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SDM143\ExentCtlInstaller.dll

    Filesize

    95KB

    MD5

    764dda95f9699fa1a0dd55c0996c3a5d

    SHA1

    8c233aa3b15de9fea89b9570f145d8f8f30cb55a

    SHA256

    45cde7d4536c60a2427e327da7c5c718e2bb37f3db5c8becf235b2e99fc8d438

    SHA512

    d71b61c0c16ced9361a32ba10631bf74beb0a1e315d11a15dd7bb8212357383c7d52f81e824805ccd275d927fe24132c40292b70a58b4381eed78e43c9959f62

  • C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe

    Filesize

    422KB

    MD5

    0016829075e788b0f0a58538398da0be

    SHA1

    305888e2dbeff5f2b45c9f80e01c59adbd4d67ee

    SHA256

    3e1f616a633696f986d0292f802e695ac8a359b9da65820156973a0783a3dc69

    SHA512

    db7f574a538f748e06bdfe5d13294364be4168adea2f0c3d01892c7c58f2e5281632a833241920f2c45a2a97302893a9deae1337c30c51bf9580ffa14c7dfb77

  • C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll

    Filesize

    157KB

    MD5

    5b7fa7e7ab61f1699bf095b01d6edbfe

    SHA1

    05c840c51a9e76dcea094e20d4f82705bfe1921b

    SHA256

    dcf95de1ca38d4c2fd795b6f1c2a718c4079a0c458fc7fab93b105ed3f766be4

    SHA512

    8ce39681160d62d8382a4ce67f08ec2f1db250bad5c66b9a5698419d94a8689cbafc8a3bb4e9203e38e101ecdc510de76e0d29529949efe224d04fea21fecd8b

  • C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

    Filesize

    262B

    MD5

    8af78692347042934728ff14e54ae2de

    SHA1

    58434489f08791059f3b385b867adee99a05aaa7

    SHA256

    fe04d46354386756d52f66762dee9dfe55c6b8d2c4a91d8a69acd457dc2d986e

    SHA512

    e9501023d74c6a7339dad87679e74537049d0ffd642826987322635763fa75a809780bcf17a471c24bccbc3f70c5875472926bae6799977fc828038cf3a3ad49

  • memory/2136-9-0x0000000010000000-0x0000000010060000-memory.dmp

    Filesize

    384KB

  • memory/5036-22-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

  • memory/5036-27-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

  • memory/5036-30-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

  • memory/5036-32-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

  • memory/5036-87-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

  • memory/5036-89-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB