06a931e21027555823d7b088b9ec98d394cc7fa7b05681c15693d992ff5730fc

Analysis

max time kernel
142s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe
Size

796KB
MD5

3d64e74401d4479a0595f1fea72d4b7e
SHA1

e78a9780e965c563b50f355f7b77ce131af667b6
SHA256

06a931e21027555823d7b088b9ec98d394cc7fa7b05681c15693d992ff5730fc
SHA512

0d0262448d585b90f0cfd5ca839efb7cf70e2f19a61caf4ee85ded108548ba526abae27103591cabb65103d6564670eecb90bfe926f45cc25a370691effdad94
SSDEEP

12288:ywEyqS+KnjhoSoqcKHg+MASELny2XrWNYMzUW43YHb8GsWUroXVoSQj4hhOxON4y:yRyqSMqcWtX9fo78GgrJjqhOxORd

Score

7^/10

bootkit persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a0000000233ac-6.dat	acprotect
behavioral2/files/0x0008000000023469-25.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
5036	Free Ride Games.exe

Loads dropped DLL 4 IoCs

pid	Process
2136	3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe
5036	Free Ride Games.exe
5036	Free Ride Games.exe
5036	Free Ride Games.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a0000000233ac-6.dat	upx
behavioral2/memory/2136-9-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/files/0x000b000000023404-13.dat	upx
behavioral2/memory/5036-22-0x0000000000400000-0x0000000000526000-memory.dmp	upx
behavioral2/files/0x0008000000023469-25.dat	upx
behavioral2/memory/5036-30-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral2/memory/5036-32-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral2/memory/5036-87-0x0000000000400000-0x0000000000526000-memory.dmp	upx
behavioral2/memory/5036-89-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe \"l 'Startup' u 'http://www.freeridegames.com/do/SDM?action=config&contentId=%d' p '143' c '708650'\""	Free Ride Games.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	Free Ride Games.exe
File opened (read-only)	\??\B:	Free Ride Games.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Free Ride Games.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Free Ride Games.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Free Ride Games.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5036	Free Ride Games.exe
5036	Free Ride Games.exe
5036	Free Ride Games.exe
5036	Free Ride Games.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 5036	2136	3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe	86
PID 2136 wrote to memory of 5036	2136	3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe	86
PID 2136 wrote to memory of 5036	2136	3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe	86
PID 2136 wrote to memory of 4952	2136	3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe	88
PID 2136 wrote to memory of 4952	2136	3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe	88
PID 2136 wrote to memory of 4952	2136	3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d64e74401d4479a0595f1fea72d4b7e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
  "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDM?action=config&contentId=%d' p '143' c '708650' l 'Installer'"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SDM143\ExentCtlInstaller.dll

Filesize
95KB

MD5
764dda95f9699fa1a0dd55c0996c3a5d

SHA1
8c233aa3b15de9fea89b9570f145d8f8f30cb55a

SHA256
45cde7d4536c60a2427e327da7c5c718e2bb37f3db5c8becf235b2e99fc8d438

SHA512
d71b61c0c16ced9361a32ba10631bf74beb0a1e315d11a15dd7bb8212357383c7d52f81e824805ccd275d927fe24132c40292b70a58b4381eed78e43c9959f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe

Filesize
422KB

MD5
0016829075e788b0f0a58538398da0be

SHA1
305888e2dbeff5f2b45c9f80e01c59adbd4d67ee

SHA256
3e1f616a633696f986d0292f802e695ac8a359b9da65820156973a0783a3dc69

SHA512
db7f574a538f748e06bdfe5d13294364be4168adea2f0c3d01892c7c58f2e5281632a833241920f2c45a2a97302893a9deae1337c30c51bf9580ffa14c7dfb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll

Filesize
157KB

MD5
5b7fa7e7ab61f1699bf095b01d6edbfe

SHA1
05c840c51a9e76dcea094e20d4f82705bfe1921b

SHA256
dcf95de1ca38d4c2fd795b6f1c2a718c4079a0c458fc7fab93b105ed3f766be4

SHA512
8ce39681160d62d8382a4ce67f08ec2f1db250bad5c66b9a5698419d94a8689cbafc8a3bb4e9203e38e101ecdc510de76e0d29529949efe224d04fea21fecd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
262B

MD5
8af78692347042934728ff14e54ae2de

SHA1
58434489f08791059f3b385b867adee99a05aaa7

SHA256
fe04d46354386756d52f66762dee9dfe55c6b8d2c4a91d8a69acd457dc2d986e

SHA512
e9501023d74c6a7339dad87679e74537049d0ffd642826987322635763fa75a809780bcf17a471c24bccbc3f70c5875472926bae6799977fc828038cf3a3ad49

Download Submit
memory/2136-9-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/5036-22-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5036-27-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/5036-30-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/5036-32-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/5036-87-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5036-89-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads