cce0735c0820e8cc71792af77d2a37389519bf9ce9eed96d720a771c82fdadd3

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe
Size

1.3MB
MD5

4804c63f98c3119ce2eb850c0aa0a8c0
SHA1

8a416c51f208c2f81fee4da6ea5bf96a3bfae526
SHA256

cce0735c0820e8cc71792af77d2a37389519bf9ce9eed96d720a771c82fdadd3
SHA512

6ce7b2194aaa79f18065e495c457a283a6ca6677c7d4f077781509560ea5d461dd0102bf831f800fc05a2230353d4f09cfdc9b620493b25f8848292a79a1cd7d
SSDEEP

24576:7utr5OUhjxMy9yya4HBn28+DtaTwWdER7YyYOHKFAZI9nT+uPdvCjKf5fgeUo:7uXNx9yya4hn/+DYFKV9YOHBZsrc45f3

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2408	GamePlayLabsInstaller.exe
2696	Zugo.exe
3004	Zugo.exe
2664	AskSearchAsst.exe

Loads dropped DLL 62 IoCs

pid	Process
1368	4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe
1128	regsvr32.exe
2408	GamePlayLabsInstaller.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2696	Zugo.exe
2408	GamePlayLabsInstaller.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
2664	AskSearchAsst.exe
2664	AskSearchAsst.exe
2664	AskSearchAsst.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe
3004	Zugo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{984A9162-8891-4D19-8CFE-17648BB4E1EC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\ = "GamePlayLabsBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GamePlayLabs\BHO.dll	GamePlayLabsInstaller.exe
File opened for modification	C:\Program Files (x86)\GamePlayLabs\setup.ini	regsvr32.exe
File created	C:\Program Files (x86)\GamePlayLabs\gplplugin.crx	GamePlayLabsInstaller.exe
File created	C:\Program Files (x86)\GamePlayLabs\Uninstaller.exe	GamePlayLabsInstaller.exe
File created	C:\Program Files (x86)\GamePlayLabs\setup.ini	GamePlayLabsInstaller.exe
File opened for modification	C:\Program Files (x86)\GamePlayLabs\setup.ini	GamePlayLabsInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00080000000164cf-22.dat	nsis_installer_1
behavioral1/files/0x00080000000164cf-22.dat	nsis_installer_2
behavioral1/files/0x00050000000193c3-250.dat	nsis_installer_1
behavioral1/files/0x00050000000193c3-250.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	Zugo.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Start Page Restore = "http://go.microsoft.com/fwlink/?LinkId=69157"	Zugo.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{83DD6061-425A-11EF-9FC9-7AEB201C29E3} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://iws.asksearch.com/?cfg=2-347-0-0"	Zugo.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\ = "IGamePlayLabsBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO\CLSID\ = "{984A9162-8891-4D19-8CFE-17648BB4E1EC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\ = "GamePlayLabsBHO Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\VersionIndependentProgID\ = "BHO.GamePlayLabsBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\TypeLib\ = "{199C34A4-5436-403F-A250-219E16672570}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BHO.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO.1\CLSID\ = "{984A9162-8891-4D19-8CFE-17648BB4E1EC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GamePlayLabs"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{65C994A2-C65A-4A20-BA92-AADAFC0DCE49}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0\0\win32\ = "C:\\Program Files (x86)\\GamePlayLabs\\BHO.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\ = "IGamePlayLabsBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO.1\ = "GamePlayLabsBHO Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO\ = "GamePlayLabsBHO Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BHO.DLL\AppID = "{65C994A2-C65A-4A20-BA92-AADAFC0DCE49}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO\CurVer\ = "BHO.GamePlayLabsBHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\TypeLib\ = "{199C34A4-5436-403F-A250-219E16672570}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\ProgID\ = "BHO.GamePlayLabsBHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\TypeLib\ = "{199C34A4-5436-403F-A250-219E16672570}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.GamePlayLabsBHO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\InprocServer32\ = "C:\\Program Files (x86)\\GamePlayLabs\\BHO.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{65C994A2-C65A-4A20-BA92-AADAFC0DCE49}\ = "BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2408	GamePlayLabsInstaller.exe
2408	GamePlayLabsInstaller.exe
2408	GamePlayLabsInstaller.exe
3004	Zugo.exe
3004	Zugo.exe
2664	AskSearchAsst.exe
2664	AskSearchAsst.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	GamePlayLabsInstaller.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1696	iexplore.exe
1696	iexplore.exe
2064	IEXPLORE.EXE
2064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2408	1368	4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2408	1368	4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2408	1368	4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2408	1368	4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2408	1368	4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2408	1368	4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2408	1368	4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe	30
PID 2408 wrote to memory of 1128	2408	GamePlayLabsInstaller.exe	33
PID 2408 wrote to memory of 1128	2408	GamePlayLabsInstaller.exe	33
PID 2408 wrote to memory of 1128	2408	GamePlayLabsInstaller.exe	33
PID 2408 wrote to memory of 1128	2408	GamePlayLabsInstaller.exe	33
PID 2408 wrote to memory of 1128	2408	GamePlayLabsInstaller.exe	33
PID 2408 wrote to memory of 1128	2408	GamePlayLabsInstaller.exe	33
PID 2408 wrote to memory of 1128	2408	GamePlayLabsInstaller.exe	33
PID 2408 wrote to memory of 2696	2408	GamePlayLabsInstaller.exe	34
PID 2408 wrote to memory of 2696	2408	GamePlayLabsInstaller.exe	34
PID 2408 wrote to memory of 2696	2408	GamePlayLabsInstaller.exe	34
PID 2408 wrote to memory of 2696	2408	GamePlayLabsInstaller.exe	34
PID 2408 wrote to memory of 2696	2408	GamePlayLabsInstaller.exe	34
PID 2408 wrote to memory of 2696	2408	GamePlayLabsInstaller.exe	34
PID 2408 wrote to memory of 2696	2408	GamePlayLabsInstaller.exe	34
PID 2408 wrote to memory of 3004	2408	GamePlayLabsInstaller.exe	36
PID 2408 wrote to memory of 3004	2408	GamePlayLabsInstaller.exe	36
PID 2408 wrote to memory of 3004	2408	GamePlayLabsInstaller.exe	36
PID 2408 wrote to memory of 3004	2408	GamePlayLabsInstaller.exe	36
PID 2408 wrote to memory of 3004	2408	GamePlayLabsInstaller.exe	36
PID 2408 wrote to memory of 3004	2408	GamePlayLabsInstaller.exe	36
PID 2408 wrote to memory of 3004	2408	GamePlayLabsInstaller.exe	36
PID 3004 wrote to memory of 2664	3004	Zugo.exe	38
PID 3004 wrote to memory of 2664	3004	Zugo.exe	38
PID 3004 wrote to memory of 2664	3004	Zugo.exe	38
PID 3004 wrote to memory of 2664	3004	Zugo.exe	38
PID 3004 wrote to memory of 2664	3004	Zugo.exe	38
PID 3004 wrote to memory of 2664	3004	Zugo.exe	38
PID 3004 wrote to memory of 2664	3004	Zugo.exe	38
PID 2408 wrote to memory of 1696	2408	GamePlayLabsInstaller.exe	39
PID 2408 wrote to memory of 1696	2408	GamePlayLabsInstaller.exe	39
PID 2408 wrote to memory of 1696	2408	GamePlayLabsInstaller.exe	39
PID 2408 wrote to memory of 1696	2408	GamePlayLabsInstaller.exe	39
PID 1696 wrote to memory of 2064	1696	iexplore.exe	40
PID 1696 wrote to memory of 2064	1696	iexplore.exe	40
PID 1696 wrote to memory of 2064	1696	iexplore.exe	40
PID 1696 wrote to memory of 2064	1696	iexplore.exe	40
PID 1696 wrote to memory of 2064	1696	iexplore.exe	40
PID 1696 wrote to memory of 2064	1696	iexplore.exe	40
PID 1696 wrote to memory of 2064	1696	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4804c63f98c3119ce2eb850c0aa0a8c0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GamePlayLabs\BHO.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies registry class
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zugo.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zugo.exe /VALIDATETOOLBAR
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zugo.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zugo.exe /DEFAULTSTART /DEFAULTSEARCH /TOOLBAR /CHANNEL="4ca1062493dbdbb915000000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\AskSearchAsst.exe
      C:\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\AskSearchAsst.exe /S
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2664
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gameplaylabs.com/newuser/0b857b27343841f8a27a43f96d095be3/?pid=0&sub_id=a-0-2895-8700-6917-0-223-0&source_id=4ca1062493dbdbb915000000&iid=cc-silent&uzid=8700&subid=02_8772447_a1404d42-36c7-437c-8384-c1e3782721a7-146527
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GamePlayLabs\BHO.dll

Filesize
423KB

MD5
3a3e9ac507c96321e3b9fd8488f63efe

SHA1
0e28cd1e5b640e58171e03af73381e8fbed679a7

SHA256
693f137ef58176fd8393a98e43155a2017672bda6b884dd747b5cdd1a7e2a6cf

SHA512
91073b44cc407d9c584ed8c16f73a9cf518c149f9cdbb55ac4146e23c12473f4eb1c2d720531de7c4a246fcb4b7c59a1320dc3458f4efdf3850648036932bba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e72964d5929dc2505a0758b1e3f5f5e

SHA1
9e81361adeb7729aded8a434b105a8c83c2bd7bc

SHA256
c4d6a2b289d395686914d54c61744c7be0215b9f3739593dcef1e90b7ba0e502

SHA512
1e3b9ea677e3bb6ffc8bda14748c2168634ff495124c76e5299dfff547106534ee2fc38406848f26398bd299cd5ca836141f9682c91f7994d93a724c96ea1abe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99cea58feaf3d41fbe49e6bd7a3e0218

SHA1
e4df1efc1fe83be812cd6526c222dcf4e1b7069e

SHA256
7282fbcf864693ecf856ad509cb881cbafca6b8275b20c1dff32366346913816

SHA512
fd963cf27e97d293c2adae7c425c7467e7c5e73d3fdc50e68bf7fe64d9410b6d58e86d4b069ff7576dd18b24e64d3dfbfb9e9c7a1a41b78bce92dcbb638414fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9060b2f8129997c17a4507e461fd7c44

SHA1
e172988a171bfee9d2d376d446ab0a94ae966189

SHA256
4b8eaf1eb167bbf5ed2a6642f4750035219653b17527af1d978b15156f9ed27d

SHA512
d6947b2ab885e3bb52d0dae75d10660c4b5068fb36f8fb0abd5b7446b221468500e02ee3c702dcad8e6e0428f3c86ff7495dffb2426d1443a5c5793384df87c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83e1c6ae6f9f00fe27c64cdff800dac8

SHA1
d0cdeb0fa6c7cd9a316af026e99c7b3bddbd955a

SHA256
7ed42722bcbf0507463094af796d4fa4a15319896fea44673a9eb80e6fc911a7

SHA512
344a13a71a23aa56428021608b32b38dbba6d0b397e657c2f872a41bf0c00d839b9523c02f95466747a568546957409e7717bee07c95fc836eb2f3f0e8c274db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5b3a81cac76ea886318f8aeba7addfe

SHA1
d918002967e1141a5c4e66d19b3c89e4bfd13be9

SHA256
31f35271ac6a3b743695507c091fd3e13b779b2a7c33d07c64e25024f322f108

SHA512
06c3198e36d5d6d2a9fa8b2ee6c689e8e2c4f800042bb7be4364bd80282bfa54bf12e5ae00002379af67c4ebea7759007ee39ec901923b5b4cb7120a47f17b22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6962256c5fb1a494e3bc1fe1d79b92c2

SHA1
e3f780c3ceebdf4d6564b6a60407ba85640afcc8

SHA256
e129b1075f09828548d1db8c66a512350d77b8bce3ce9ddba102978092695c54

SHA512
b0bb05b62041cdfad7a74196dea8bb5584d51e91fdf36319ac10b9030ae95d788800945cd1e042ec554ef51e8bfc30c83c7201264f2ec41f3cdd1c53f85d0099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca5b2c63d0fcfdb190b279384b0fa06

SHA1
717eae233d446047885de9f4be7196cb0af22ef8

SHA256
8f0e4aba05f03b67ca0ffad649f2bc9e0e3658b5fa54fa2f1e60adfd78fd0989

SHA512
4617a824f4970414393afe39eb71e36e1c40ccd71f7b3f584dcb8a434a8755624476428afb23b5df7f31035827d9bdb0ce25c8fe0ad753db30ddcf0b22efbc3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e28988ca83df344c121425004218411

SHA1
b076b90bce2eac3bc21bb8ba732497e42c27759a

SHA256
6c8eb11188041151d363ecfbc4f02f4c05142febb37ab392c405fa51a6264cf8

SHA512
9233911e7db972b4bf182aca6ef4bae9a3f808a37786c44f785071dffde5f4948af36890a6fdc6997b8da147baf4272e29c1962c1fb8be3c3ce99cddbae80d29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15c4ab6551fec71d0518fb130c5150b3

SHA1
a89d2ee87a4b75c2dbb63e5a161e892664386631

SHA256
33c684961d5bab8eb8f83d372d9ccee082390a0f0fe65b669c4855a36c880fb3

SHA512
db2efcf4c0e99bef50f1e32ec881a088a8f13f1674392d7eb19f5e5261e3aa429eabf508318e1cf476f72c8dbeb1af99dd14178a1db8d356e7344293ccc78920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E10.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
1.4MB

MD5
b758b6f3d5ab89eb6bfb722d90bd42ed

SHA1
47b1cd9e370c0af4facc9a56e21cfafaa7bff987

SHA256
7bf24225139094972f264af39ccef687dfe14251e9e6895e84d10242410229ce

SHA512
c4c693eed1f2a607c117401d0af4be71e95783064a291b417c5951b391847cad0eff51be66ee4fb7a0c259b7791385e809cf471c217a1ee4f972a4a0eff892fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
182B

MD5
876da8948c9aea2c06f04cea882e2d53

SHA1
696450e2b91d96ba890c86dc209ab6dd3d150c5c

SHA256
c979c8e04e795822d6692d0e3565d4caf2993aad79dbc19309815c4708ad1906

SHA512
2734c408af519dd0056897dd1a6797e7513941c727914488d4ab5a1a77d5b13d1609fbb9c4aeec348d16601fc88fac1af9e2dd2fdb0154d57f96b19df868dbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EB1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\AskSearchAsst.ini

Filesize
443B

MD5
d6c3a5055a2de386a40b95490d77d136

SHA1
5fdd6e6c4fc26e08cbe6d7d0df34c5f56f5fa6b9

SHA256
0efdad5954596c5464fb6e9c4b9f0e95f00d659b8353010572261ac74febbbad

SHA512
0bd0806f39ba2fe455c66a14953af47cede2c9f0afa050bf8c3ec7075632cc01ec8a9e963c748aa0800d3053c4f1412930e3f033cb776a75754ca1b9d60ec404

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\linker.dll

Filesize
6KB

MD5
8450b29ee8d592c208ba1aaf6ee50267

SHA1
75096da057bc85cef63bb0eec168652ea75cf618

SHA256
53aa57e582dc56421c1191a0a9efac9c36960b903b7d825f3b9682605ec2b612

SHA512
d23a3057053a1f36f5eb212ae0b09b9b0b41e50b8a6a20bbc46c12c51199ad0bca741bcce17534488158e8f2b9470dbdac2aa059688b7588a05778c40d461039

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Zugo.exe

Filesize
447KB

MD5
ef058bc2bb782757cd455555b3c08b46

SHA1
fad8905117a634d1e6bbbbd8fce8b505d5fad1ec

SHA256
7d18cb6ba39152a895adef8ef6498d127a56cec22203f9193334bf2811d076a6

SHA512
45dbc7f68e34078df99821656a295f236c6ebc7d0bd77665e80f58de75cce98cb285fa17dbaa9c989bb2cce3a4d5ebd76ec726e865887b4a6ba445888973c919

Download Submit
\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\AskSearchAsst.exe

Filesize
106KB

MD5
28387db3bfa8ed7f1ba742b02b0c09d8

SHA1
517e2757282999db9cf823c2d7dedfa07342d5ad

SHA256
6e314a62cb2e33d5d5df9720ad8c0b5b466c2cc4a6fd12eeb5b633b8c72df3ba

SHA512
b6ea8554e6c8c614fe065e9915cfe0a8832b2f55bc30906f2ad8151911c70fbc37f8e6f456897c0409e28f10338bbc545f529feb91b54821dd867f5c749b7767

Download Submit
\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
\Users\Admin\AppData\Local\Temp\nso6F09.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nso6F09.tmp\UserInfo.dll

Filesize
4KB

MD5
1e8e11f465afdabe97f529705786b368

SHA1
ea42bed65df6618c5f5648567d81f3935e70a2a0

SHA256
7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b

SHA512
16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFF28.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFF28.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFF28.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFF28.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFF28.tmp\inetc.dll

Filesize
20KB

MD5
2f94245152dbd233e248909f9c01c578

SHA1
ab4e5879c001b36a2f9ff214946599fd015edda9

SHA256
4c4d85eb9725fc7fade03467990e3dd9671c29a7870c97e69babc2cb3c9adef9

SHA512
f92830de27d6663be5e0df9e32cd88732bc7ee93b14c1ded65258c325d22436400801aff1124f40400c6c3b3c16e71deb08436714716f3888d13a8a6b6a32231

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFF28.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
memory/2664-271-0x0000000000510000-0x0000000000513000-memory.dmp

Filesize
12KB

Download
memory/2696-38-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/3004-251-0x0000000000840000-0x0000000000843000-memory.dmp

Filesize
12KB

Download
memory/3004-152-0x0000000000610000-0x000000000062A000-memory.dmp

Filesize
104KB

Download