5eb78224790eaafcb32bacbb09c9f90b2f3e924e422903967e7c5a172fc1690c

General

Target

41f0f5265cc1ca105c5addef3e51da02_JaffaCakes118.exe
Size

408KB
MD5

41f0f5265cc1ca105c5addef3e51da02
SHA1

3f698bda90e5007f97fa00a148ab8d341c9b4752
SHA256

5eb78224790eaafcb32bacbb09c9f90b2f3e924e422903967e7c5a172fc1690c
SHA512

ad316ab119a9650d78bf6dd4c7def93b5b0bd28f547781dca00e5edc89d712f2e30275aa5d502a72ac39011bb31a221b69d28f0cb5dad3cbe69e18432f9f0e47
SSDEEP

12288:sutrzh9xOXktnCeUs/cVGB8JZa+zXuTdfYbKc:sutr5OUea+C2bT

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002340f-20.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	41f0f5265cc1ca105c5addef3e51da02_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4160	GamePlayLabsInstaller.exe

Loads dropped DLL 13 IoCs

pid	Process
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe
4160	GamePlayLabsInstaller.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002340f-20.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002340b-6.dat	nsis_installer_1
behavioral2/files/0x000700000002340b-6.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4160	3476	41f0f5265cc1ca105c5addef3e51da02_JaffaCakes118.exe	85
PID 3476 wrote to memory of 4160	3476	41f0f5265cc1ca105c5addef3e51da02_JaffaCakes118.exe	85
PID 3476 wrote to memory of 4160	3476	41f0f5265cc1ca105c5addef3e51da02_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\41f0f5265cc1ca105c5addef3e51da02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41f0f5265cc1ca105c5addef3e51da02_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
214KB

MD5
b2677ec349f992cb2ecc859d450ec471

SHA1
62498e000a3242d08643d6b2845c851500c5ef91

SHA256
61bc694f692913ef11fbee0f17d9c8494ff0bdbb484379c3c823898a57f3bd7b

SHA512
01ce08de0fa0b029dc61250b3e7498e89dd1511ced999956167f82842fbadc18b465b7da8d8e7f320419aa8221ae74c11a8faa89f84d77f0c46df5eeb6c4f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
131B

MD5
c49a5c472a1611f65f66f79b5559d9eb

SHA1
fbf423986490944a0eb43414f3f067a815cbea4f

SHA256
f04ace532c03350c4ae7a9cc72df4523ab02726262871b05963508e7a8d976c2

SHA512
b5d167e5fcc7cf3febad4d0447b532ae5c82c34785575de3a19fa87f0c503311628924512da205c4c4d0dcd58968f7e57f466176cecc6c0766ad9a9ba763eb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7E75.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7E75.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7E75.tmp\inetc.dll

Filesize
20KB

MD5
09a8214787e02694a0c6c815c5867e39

SHA1
33208d636c19c4a781c85d4b2a0644138202696e

SHA256
6c96098405c480ae8901fe779e4515f5bac45fab5201e03c1b039b09d5fc2d33

SHA512
04fee33a364710933ae948b29e1a455ed0feff6fcdda113a67735d39d0603bcbba9a6136ac0ef3c6988812a8d6d63cd0badaa491d80b0eb6464acba53cd76d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7E75.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7E75.tmp\nsisXML.dll

Filesize
12KB

MD5
aaf5a62051c11db6aa1a651bb9c295dd

SHA1
75413fd14a67a468578c9d8fbd1c0a810c5044d0

SHA256
55ec0f7d4c14b8b36e18203dad5604d066979e18017207f1165f17691845b161

SHA512
f35a6c4e133d5dd396cc326f7f7365483de0477629e290a91b2200253cf7bb39e0d8ab700eda66d88c7b5568cfac069d4a7b277400ad776d64611a3723362466

Download Submit
memory/4160-26-0x0000000003150000-0x0000000003159000-memory.dmp

Filesize
36KB

Download
memory/4160-28-0x0000000003150000-0x0000000003159000-memory.dmp

Filesize
36KB

Download
memory/4160-64-0x0000000003150000-0x0000000003159000-memory.dmp

Filesize
36KB

Download
memory/4160-63-0x0000000003150000-0x0000000003159000-memory.dmp

Filesize
36KB

Download
memory/4160-65-0x0000000003A40000-0x0000000003A49000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing