9183b8178cc8412a505fdd0a3209afba89e67e388fef51c222f20f20d483029d

Analysis

max time kernel
94s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
Size

73KB
MD5

166480b160f6013cbc67e8c1dc7a937b
SHA1

6488c38bbf570691456f0639039138ca4fbd5b48
SHA256

9183b8178cc8412a505fdd0a3209afba89e67e388fef51c222f20f20d483029d
SHA512

58f5f61ca47c0374b58251e60a38d672aa17a748e7c8993e794bde89351e839be33a33b9ff4b8e268ab62c0cdae9e19df5655d4e1924573b8d1920262cd9916d
SSDEEP

1536:KCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzRH:KCaZ2Yrb0VTXJYWEsCGuiN

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSNGames.exeAdminWorker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	MSNGames.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	AdminWorker.exe

Executes dropped EXE 9 IoCs

Processes:

MSNGamesSetup.exeInstGameInfoHelperMSN.exeAdminWorker.exeAdminWorker.exeiWinTrusted.exeMSNGames.exeiWinTrusted.exeAdminWorker.exeiWinTrusted.exe

pid	process
2956	MSNGamesSetup.exe
1736	InstGameInfoHelperMSN.exe
4888	AdminWorker.exe
2232	AdminWorker.exe
4940	iWinTrusted.exe
2236	MSNGames.exe
1536	iWinTrusted.exe
5028	AdminWorker.exe
5000	iWinTrusted.exe

Loads dropped DLL 9 IoCs

Processes:

166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exeMSNGamesSetup.exe

pid	process
1500	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
1500	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
1500	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
2956	MSNGamesSetup.exe
2956	MSNGamesSetup.exe
2956	MSNGamesSetup.exe
2956	MSNGamesSetup.exe
2956	MSNGamesSetup.exe
2956	MSNGamesSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MSNGames.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSNGames.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSNGames.exe

Drops file in Program Files directory 64 IoCs

Processes:

MSNGamesSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\MSN Games\pages\alert32x32.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\maintenance.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ar.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\sk.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\te.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\alert32x32.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\global\logo.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\ous-promo-banner.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\zh-CN.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\WebUpdater.bmp	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\disconnected-upsell.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\logo.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\global\logo-invis.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\misc\blue-bottom-triangle.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\scripts\popups.js	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\button_click.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\mr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ms.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\th.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\natives_blob.bin	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\buttons\close-blue-28.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\slidebackin.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\fr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\pt-BR.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ta.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\WebUpdater.exe	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\success.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\hi.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ml.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\libcef.dll	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\styles\disconnected-upsell.css	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\download_completed.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\hr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ja.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\end.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\divider.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\es-419.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\sl.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\common\header-small-bg.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\he.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef_extensions.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\global\page-header-small-bg.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\nb.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\AdminWorker.exe	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\start.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\pt-PT.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\buttons\yesiwantabackupcd-orange-197.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\plans\plan3.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\animation.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\MSNGames.exe	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\tr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\error.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-bg.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\expired.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\open.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\css\offline.css	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\es.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\product\feature.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\iwin_logo.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\offlineBg.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ro.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\zh-TW.pak	MSNGamesSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

iWinTrusted.exe166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exeInstGameInfoHelperMSN.exeAdminWorker.exeAdminWorker.exeiWinTrusted.exeMSNGames.exeiWinTrusted.exeMSNGamesSetup.exeAdminWorker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstGameInfoHelperMSN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSNGames.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSNGamesSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

MSNGames.exeMSNGamesSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\IESettingSync	MSNGames.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	MSNGames.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MSNGamesSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MSNGames.exe = "8000"	MSNGamesSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	MSNGames.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	MSNGames.exe

Modifies registry class 52 IoCs

Processes:

iWinTrusted.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe\" /server"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MSN Games"	iWinTrusted.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MSNGames.exe

pid process

2236 MSNGames.exe
2236 MSNGames.exe
2236 MSNGames.exe
2236 MSNGames.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1608 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1608 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

MSNGames.exeiWinTrusted.exeAdminWorker.exeiWinTrusted.exe

pid process

2236 MSNGames.exe
2236 MSNGames.exe
1536 iWinTrusted.exe
5028 AdminWorker.exe
5000 iWinTrusted.exe
2236 MSNGames.exe
2236 MSNGames.exe
2236 MSNGames.exe

pid	process
2236	MSNGames.exe
2236	MSNGames.exe
2236	MSNGames.exe
2236	MSNGames.exe

description	pid	process
Token: 33	1608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1608	AUDIODG.EXE

pid	process
2236	MSNGames.exe
2236	MSNGames.exe
1536	iWinTrusted.exe
5028	AdminWorker.exe
5000	iWinTrusted.exe
2236	MSNGames.exe
2236	MSNGames.exe
2236	MSNGames.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exeMSNGamesSetup.exeMSNGames.exeAdminWorker.exe

description	pid	process	target process
PID 1500 wrote to memory of 2956	1500	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 1500 wrote to memory of 2956	1500	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 1500 wrote to memory of 2956	1500	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2956 wrote to memory of 1736	2956	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2956 wrote to memory of 1736	2956	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2956 wrote to memory of 1736	2956	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2956 wrote to memory of 4888	2956	MSNGamesSetup.exe	AdminWorker.exe
PID 2956 wrote to memory of 4888	2956	MSNGamesSetup.exe	AdminWorker.exe
PID 2956 wrote to memory of 4888	2956	MSNGamesSetup.exe	AdminWorker.exe
PID 2956 wrote to memory of 2232	2956	MSNGamesSetup.exe	AdminWorker.exe
PID 2956 wrote to memory of 2232	2956	MSNGamesSetup.exe	AdminWorker.exe
PID 2956 wrote to memory of 2232	2956	MSNGamesSetup.exe	AdminWorker.exe
PID 2956 wrote to memory of 4940	2956	MSNGamesSetup.exe	iWinTrusted.exe
PID 2956 wrote to memory of 4940	2956	MSNGamesSetup.exe	iWinTrusted.exe
PID 2956 wrote to memory of 4940	2956	MSNGamesSetup.exe	iWinTrusted.exe
PID 2956 wrote to memory of 2236	2956	MSNGamesSetup.exe	MSNGames.exe
PID 2956 wrote to memory of 2236	2956	MSNGamesSetup.exe	MSNGames.exe
PID 2956 wrote to memory of 2236	2956	MSNGamesSetup.exe	MSNGames.exe
PID 2236 wrote to memory of 1536	2236	MSNGames.exe	iWinTrusted.exe
PID 2236 wrote to memory of 1536	2236	MSNGames.exe	iWinTrusted.exe
PID 2236 wrote to memory of 1536	2236	MSNGames.exe	iWinTrusted.exe
PID 2236 wrote to memory of 5028	2236	MSNGames.exe	AdminWorker.exe
PID 2236 wrote to memory of 5028	2236	MSNGames.exe	AdminWorker.exe
PID 2236 wrote to memory of 5028	2236	MSNGames.exe	AdminWorker.exe
PID 5028 wrote to memory of 5000	5028	AdminWorker.exe	iWinTrusted.exe
PID 5028 wrote to memory of 5000	5028	AdminWorker.exe	iWinTrusted.exe
PID 5028 wrote to memory of 5000	5028	AdminWorker.exe	iWinTrusted.exe

C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe
  C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe
    "C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Program Files (x86)\MSN Games\AdminWorker.exe
    "C:\Program Files (x86)\MSN Games\AdminWorker.exe" AddArcadeToFireWallExceptions
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Program Files (x86)\MSN Games\AdminWorker.exe
    "C:\Program Files (x86)\MSN Games\AdminWorker.exe" restoreShortcutsPathes
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2232
- - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
    "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4940
- - C:\Program Files (x86)\MSN Games\MSNGames.exe
    "C:\Program Files (x86)\MSN Games\MSNGames.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
      "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1536
  - - C:\Program Files (x86)\MSN Games\AdminWorker.exe
      "C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\MSN Games\\iWinTrusted.exe" "-install"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
        
        "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSN Games\AdminWorker.exe

Filesize
617KB

MD5
6772fdec98b776314724f63be2f657b3

SHA1
6014eb84c278072a501790a9be7c061156c4b824

SHA256
8265375aa8916022cddaf5921f034b787416af5be65526f0a15e5791ebd257ed

SHA512
0bad9e075ff4df3606ae7efc3ad8e2038e0b7f69379b72bfbe2686ba6d92a7b3251b0cf021af9b9231b60b92d42a0af2f0e8a150e44b5410dab7e4b8b9a2273a

Download Submit
C:\Program Files (x86)\MSN Games\MSNGames.exe

Filesize
10.7MB

MD5
a723f73cafced792d6b908c70368aa5e

SHA1
76725a966bb2f0151f9cbbd7ef41b4aa59255ca3

SHA256
79b411d4ec2da73268cf304e5af339544cc516f1b9469a6722afcd72cc9aca1c

SHA512
92f49b895638473084cf2c86b94ec414fc8c6ba5a1d0dba2cee999366f4f5983dff4ae986de12ad71591242aa511b732c80e28d58ee9151477e54419b8c92759

Download Submit
C:\Program Files (x86)\MSN Games\WebUpdater.bmp

Filesize
47KB

MD5
3bef430235c592989ef45d64b8995fda

SHA1
0d99277cdeec4845540bcf456531b57e0e939cdd

SHA256
624426067e03d13efcfc88d570cc593649b67bafd9bf673ab46046dab00d8d5d

SHA512
7dd5904c5ff5680be017238bb3ed96f6652d575d2eb6d85d2a3ac8045c58d836ddca12d73ebab831f22a9b57a0e410c2a56359b5abf567be5ec565a9c781af96

Download Submit
C:\Program Files (x86)\MSN Games\WebUpdater.exe

Filesize
671KB

MD5
52eaaf6ea657484ccb5cc429c13d7035

SHA1
888fd64b7a242abd336556c0c2c302f6a3dc7cca

SHA256
af3b16498f5afdb202b0a23ff878fe7a8f63161f7eaa715ea3b45a71fbfa63fe

SHA512
43f0774b5e1efed45615743e5fc2396a4e19f74a4869cad7fb5afb80a4133499fe3b3a5610680538f0f3a569831219a2a8fbfbe2166919d0d98ad94ff0e87f3a

Download Submit
C:\Program Files (x86)\MSN Games\iWinTrusted.exe

Filesize
218KB

MD5
f117e941af67e0c73327b261d03d8293

SHA1
c00aa7b9217793451b3cb5658a4f54a313ec2e36

SHA256
cf76079b5d416815c3607b309336f5d6801a9953ad3d9d87eaebdffb531b08ea

SHA512
1e5383d26544f082a0f7b20f828597c0a7004b7f71af285b40ec241fea739a96459b6899bd36ba5b216012ce87bc7b403797dc5c481aa947a63f26aeea571b1c

Download Submit
C:\Program Files (x86)\MSN Games\pages\blank.html

Filesize
104B

MD5
9482e5ee38471e5b6a688ad0d02fe6b4

SHA1
12dfac1206e34a47b2d3f639106056c9f7ca3e7a

SHA256
a655fa3c755d22a5a95b01a91030fe889e8c37e900226a05fc32aebd04fc4e2d

SHA512
c8b1ec8ef2d48d3c8d57c2728bb1ae6d150f43bc3ccba063b819ae1e7809331b170fc764d655db5ee11c838cbb74b91abc3abd837d98830589ee5b3aa3e905a4

Download Submit
C:\Program Files (x86)\MSN Games\pages\blank2.html

Filesize
74B

MD5
90b42fd8e93203218847a3c0a646d377

SHA1
0d485e2de867448e4853031d5714942128d92983

SHA256
aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f

SHA512
de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab

Download Submit
C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg

Filesize
40KB

MD5
bf7e93622206bd7206494a7b805c0954

SHA1
5dec728c393cafd17d55a18501770ce22f16ffae

SHA256
cabc0465f851bce0342470e5f4d81a5f4045028d4093d059225b4f76eb6297d7

SHA512
f60adc9f8086793070c9fe7b7f1aab75251a4c71622c364ff6fc0e63b5f14da3e56cbca412ce2d80322713d4e4ca6944ede640878f1d115a48b08a891305d9ce

Download Submit
C:\Program Files (x86)\MSN Games\sounds\animation.wav

Filesize
77KB

MD5
3ef7618619348fbbeca7b0f772be7e5c

SHA1
d86829f29c8f22c2d3562269b3d2f0c3b822ad0c

SHA256
d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872

SHA512
b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376

Download Submit
C:\Program Files (x86)\MSN Games\sounds\button_click.wav

Filesize
8KB

MD5
d5c43fe0fd3f6b5c1d2d96ef21834f9d

SHA1
f8e36c4fe187396cec014bb2e733d953b3a76fdd

SHA256
ed0c4264b99666a9e59299097c2acc7549dcf7e896c2a7584d65a616aaa415e1

SHA512
e629e4cab48e75c35dbbb33b427c31babe814ecadf4357695e7bb3370ca838005c9c156a3dcb79f574cfd4b05b4fa6b55c991f249d9f3b6b072c3d87468c04cc

Download Submit
C:\Program Files (x86)\MSN Games\sounds\start.wav

Filesize
57KB

MD5
94ab5e493c7fd8358c9a893d0a108d5f

SHA1
5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173

SHA256
54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a

SHA512
f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\GameuxInstallHelper.dll

Filesize
94KB

MD5
4d3ac88054df63fc810427bdaa96c458

SHA1
e4d554e03ba91f6b53a2a80253b339f56e303c94

SHA256
b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

SHA512
d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe

Filesize
455KB

MD5
0025cd88501fa44e826bc9ed4bdef2fb

SHA1
c1a5d54809ba50bea7c4cac90563eb50b1d973ab

SHA256
f26ccc52aee7f6949d33a8c5eae4829bf94ad338765b04b68214cb5f375d5d59

SHA512
96a78d4d84fa9aa74f7791d01534e9c18cabf31a73b2e6711d4152527e16265163f415b43f418112652f3642192a8409383098899f84cb762c4cf6ff2c8140fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\gametitle.txt

Filesize
19B

MD5
b95effb5cac0ebc1ea0c2e8e846e5045

SHA1
43eeed2f329347102b81baafc0cd9e62b5eae175

SHA256
3d99b189ef5a1f1fd58289b094ea89759b812efadf4cc86598cc5c207ad51859

SHA512
43c80d1713253a54b4d31a742c4afa5d0070a0f290498a71488d9d80156295438dd294496d21cb590f9ef95a1b99cf39073b026014b375d6b8d97e9b03674f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\tn_feat.bmp

Filesize
4KB

MD5
49cd2c57170a77dfa6639da258bdcce1

SHA1
fa49d2bbcccaa5219c96ecec6ef9833ebda3af2a

SHA256
6dd1f4b52d063661e6da75d17880d8e0c0d5d5febff44824f646ac92faa7dc63

SHA512
d5b2302f83f2cf7c7f45c38508ccf2ca7762f6ce2feb50b48a5337bdb1592cff3ecd43bfd06da4c9e29d420bc319a7d5ab9555598365137d67ea4875868de4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\tn_feat.jpg

Filesize
1KB

MD5
c2965cb96a332484fd16f6f43d367cce

SHA1
ea86229b04037c6c333150235fc9f40d7675a3c6

SHA256
ac368fbb7f15ee40eb4731284dc848a454f3a01cab11c9bfbcff8ae7c0782d72

SHA512
4a499be02e4c45e00c75b8ab5b84f37c2311db6a78fcbbbc0ace6391a067aad731e23592cd4d014757e227f344575d9857c66a60a8c3dd4b6e8b11195255a147

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe

Filesize
45.6MB

MD5
7b3ec6d1800cddc1b195d98244e98e5a

SHA1
4f1f7318c220cfca2d8631dc3398c3242bf34115

SHA256
3cb4ae53e2756e00d016427ff3e27a488376e1ce81b5a2ce4e24520e7ca8000a

SHA512
d8ff6fee981cd039499ea2b78d2565a5418a867a40eea43310051ff90a5f2a7462cd3c63c87f9e539135d91bcea0bf2dd5ceb25256201f781c8f49c344d0fb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\ftdownload.dat

Filesize
512B

MD5
433030c5cbb375e16cc885014191f07b

SHA1
485546229799b852d97fee65a5d899aaad757ed7

SHA256
1095affbecd87e6bc9a6a2d3ba7937a2d847480b24b2cc66458b3614beb6bed4

SHA512
c4506614047c741a2c8b039a878c7eeb387c9f136dd9be2847d1edee0848368517e18606110a5b1f225a2e937e7536420e9a68fd5bf7283e29efc41f40859091

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\nsisdl.dll

Filesize
14KB

MD5
a5a4cee2eb89d2687c05ef74299f0dba

SHA1
b9bff5987be422887f2f402357b47db2288a1a42

SHA256
cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963

SHA512
f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

Download Submit