1abd1f6860682516ea3b0c582ebbd7a890f9168bffaa9390dcbe7da3f8e20066

General

Target

fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe
Size

744KB
MD5

fa763de98c9c4f5c122c8c17a3adcd72
SHA1

aae6292651f02698d6a6403eff0c34432ec40197
SHA256

1abd1f6860682516ea3b0c582ebbd7a890f9168bffaa9390dcbe7da3f8e20066
SHA512

71a129057c205afe56b443c97fbdec0503bca18593f0d25a3102be29b048752658abbbedbeda8b39ae63496d37ccf7faa2046cac5e3b186499335087f6b0dfd0
SSDEEP

12288:qwEJqS+KnjhoSluqm5PO+MR7UzW5zJXsikZUYaYZ5yoSpPpgHzPToStu:qRJqSZuRY+eeWfXsbZbhuhaO

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000234b1-6.dat	acprotect
behavioral2/files/0x00070000000234b3-25.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	Free Ride Games.exe

Loads dropped DLL 4 IoCs

pid	Process
4916	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe
2532	Free Ride Games.exe
2532	Free Ride Games.exe
2532	Free Ride Games.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe \"l 'Startup' u 'http://www.freeridegames.com/do/SDM?action=config&contentId=%d' p '143' c '693850'\""	Free Ride Games.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234b1-6.dat	upx
behavioral2/memory/4916-9-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/files/0x00070000000234b2-13.dat	upx
behavioral2/memory/2532-22-0x0000000000400000-0x000000000050E000-memory.dmp	upx
behavioral2/files/0x00070000000234b3-25.dat	upx
behavioral2/memory/2532-27-0x0000000010000000-0x0000000010057000-memory.dmp	upx
behavioral2/memory/2532-30-0x0000000010000000-0x0000000010057000-memory.dmp	upx
behavioral2/memory/2532-32-0x0000000010000000-0x0000000010057000-memory.dmp	upx
behavioral2/memory/2532-81-0x0000000000400000-0x000000000050E000-memory.dmp	upx
behavioral2/memory/2532-82-0x0000000010000000-0x0000000010057000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Free Ride Games.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2532	Free Ride Games.exe
2532	Free Ride Games.exe
2532	Free Ride Games.exe
2532	Free Ride Games.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2532	4916	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe	82
PID 4916 wrote to memory of 2532	4916	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe	82
PID 4916 wrote to memory of 2532	4916	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe	82
PID 4916 wrote to memory of 3496	4916	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe	84
PID 4916 wrote to memory of 3496	4916	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe	84
PID 4916 wrote to memory of 3496	4916	fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa763de98c9c4f5c122c8c17a3adcd72_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
  "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDM?action=config&contentId=%d' p '143' c '693850' l 'Installer'"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SDM143\ExentCtlInstaller.dll

Filesize
95KB

MD5
764dda95f9699fa1a0dd55c0996c3a5d

SHA1
8c233aa3b15de9fea89b9570f145d8f8f30cb55a

SHA256
45cde7d4536c60a2427e327da7c5c718e2bb37f3db5c8becf235b2e99fc8d438

SHA512
d71b61c0c16ced9361a32ba10631bf74beb0a1e315d11a15dd7bb8212357383c7d52f81e824805ccd275d927fe24132c40292b70a58b4381eed78e43c9959f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe

Filesize
399KB

MD5
e0012b052a32dde705c69ac3a8da8518

SHA1
18d6e5288793f4c0d080cb91355bacb73bb0748f

SHA256
dcef4a564d9aea47ed63fd0ec3f47745265a68a7237a5339f214c86d7adccb00

SHA512
256ebd966c3fb8ba1805b36149791fc3a433e802a182dc32a00b933d80d6554f62fa1243898bfb429da61e96093eba35ad7036f24c9d618bd0ebf3795ba74e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll

Filesize
127KB

MD5
50aa3a5dd4cb106982f45cfa4e65966e

SHA1
2a0b0091754e33bbc487cdc0e24d7445f4d43040

SHA256
019a4c5f53a4cce764d0a6e298967818991895e5e52f1887d05298805ae8676a

SHA512
c0f35a3c88ef001adbd36ec9362667e98ee8f3a768967f12166a4f2cc6eeac71b53d777515ce43ba586bf540c3af872e0853e92207eeb5232262131f4f27deec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
262B

MD5
99345d62a6c0fc6920118131b937b71e

SHA1
8f9359492ae15e8923919f0bdf79d9494454627d

SHA256
fad6ebb3a3666a2924f0c15d19287bba1d0fb8357df34e62dc4ad507a7bf3e0a

SHA512
20511e8854e4a6a68a199aa13211bee447a2f6f1f2dbe059d219cfe822d8c7f71671825424ce926155abc1f9af73777404b6930ddbebf0e69d2a3f445c133b69

Download Submit
memory/2532-22-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2532-27-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2532-30-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2532-32-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2532-81-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2532-82-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4916-9-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads