Analysis

max time kernel: 102s
max time network: 30s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/11/2024, 03:29
Static task static1

Behavioral task behavioral1: Sample drive-download-20241117T030056Z-001.zip, Resource win7-20241010-en
Behavioral task behavioral2: Sample drive-download-20241117T030056Z-001.zip, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe, Resource win7-20241010-en
Behavioral task behavioral4: Sample BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe, Resource win10v2004-20241007-en
Behavioral task behavioral5: Sample Custom Hud By DANI YT.png, Resource win7-20240903-en
Behavioral task behavioral6: Sample Custom Hud By DANI YT.png, Resource win10v2004-20241007-en
Behavioral task behavioral7: Sample FREEFIRE V7A DANI YT.zip, Resource win7-20240729-en
Behavioral task behavioral8: Sample FREEFIRE V7A DANI YT.zip, Resource win10v2004-20241007-en
Behavioral task behavioral9: Sample Android/obb/com.dts.freefireth/main.2019117682.com.dts.freefireth.jar, Resource win7-20240903-en
Behavioral task behavioral10: Sample Android/obb/com.dts.freefireth/main.2019117682.com.dts.freefireth.jar, Resource win10v2004-20241007-en
Behavioral task behavioral11: Sample com.dts.freefireth.apk, Resource android-x86-arm-20240624-en
Behavioral task behavioral12: Sample icon.png, Resource win7-20240903-en
Behavioral task behavioral13: Sample icon.png, Resource win10v2004-20241007-en
Behavioral task behavioral14: Sample manifest.json, Resource win7-20240903-en
Behavioral task behavioral15: Sample manifest.json, Resource win10v2004-20241007-en
Behavioral task behavioral16: Sample com.dts.freefireth.cfg, Resource win7-20240903-en
Behavioral task behavioral17: Sample com.dts.freefireth.cfg, Resource win10v2004-20241007-en
General

Target: com.dts.freefireth.cfg
Size: 87KB
MD5: bb14a9894741577f5b3ca89131f147c4
SHA1: 8edd84bb182e317967cbd6a77c671ea7dd87e165
SHA256: 001a44645509bb00700bff6b9bac91f001128bcd3a15be5c6ea07ba805bdab7c
SHA512: df6c99180a7321a3caf45bb378a5e76ae2f97479fc526b2966f184154a578ba1e9d859c2d1da1dc9fe2f1b98cfc9313b91ecf6db0b8b22f2510fd35bd3679224
SSDEEP: 384:l3BHPDls2ZGW8lXbLGsDWaWRLmCG9icmzhR3BH1Cls2ZyW8lXbLGsDWsea4LmCGb:5M6nu0gdqY9dUws8s9ydefZ
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2560 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2560 | AcroRd32.exe
2560 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2668 wrote to memory of 2920 | 2668 | cmd.exe | 31
PID 2668 wrote to memory of 2920 | 2668 | cmd.exe | 31
PID 2668 wrote to memory of 2920 | 2668 | cmd.exe | 31
PID 2920 wrote to memory of 2560 | 2920 | rundll32.exe | 32
PID 2920 wrote to memory of 2560 | 2920 | rundll32.exe | 32
PID 2920 wrote to memory of 2560 | 2920 | rundll32.exe | 32
PID 2920 wrote to memory of 2560 | 2920 | rundll32.exe | 32
Processes

1. C:\Windows\system32\cmd.exe (PID 2668)
   cmd /c C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2920)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2560)
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: d5e8af9a71c091cecabdc9e2e58346ad
SHA1: 5a5cf1eca9ad70ae07370705952850faf87dc734
SHA256: 10fa0fa325fd8a63ffb0c8af42a79974ef709504ca4ce50cbdb14d5afe2d7d54
SHA512: e6ef908ee5b15de895fa2d69ba5d1eb494124378944d998b8b72c58dd0990e53f64427c546a194f2893dac56efa732f7a9e9684d13949bf90995ec1f5c1d999a