766e9e0e14e32a95b93163f40c769b2561dd3cb25401cdab194aaed3f9d19573

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 02:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Size

1.9MB
MD5

54f2e5ca39c18570823074d876aa264d
SHA1

d620cf89f3471f114be18bd7a6170e9160e6024d
SHA256

766e9e0e14e32a95b93163f40c769b2561dd3cb25401cdab194aaed3f9d19573
SHA512

36a0860bcd941b68339d49127124d1a002f62b7ce9edf774b77200f208a1ee75c13820fa5df97305c736789d82b83a5262021d0b6890cfc04361af9af1d3c4fa
SSDEEP

49152:s28QbBnW5oGvmx4UJASuA4wDinashps9AzV1pCh9mLsmv:CSBnW5d+lub3asPs9S7pcry

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2636	gamevance32.exe

Loads dropped DLL 5 IoCs

pid	Process
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2584	cmd.exe
2636	gamevance32.exe
2168	regsvr32.exe
2028	IEXPLORE.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a"	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	gamevance32.exe
File created	C:\Program Files (x86)\Gamevance\gvff.tmp	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\ars.cfg	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevancelib32.dll	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\icon.ico	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvtl.dll	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevance32.exe	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvun.exe	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamevance32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gamevance32.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a9f0680421db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435379939"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000010d4f9ad3d37f8c74518c31c715cbfc61f526e721c3e410ef175c56f9ee883e3000000000e8000000002000020000000267bfaa24cd6392620effa2a0597672b4178130a6581e702e06874456998e42920000000043346d7fb94c2e4e192a7122ba3ca35744eb07698051ea15aeefbbed82051a1400000004fe5f654e1d300c9f6132d9055e66dedaf8a694f300caa418660fbf9a0ccec1970b3bb89488e91a883aacf56c251c7df9b361a73e3033a8e98d0a47eba032c84	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A485BEB1-8CF7-11EF-8632-EAF933E40231} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000c85e4b77be8f33328fc82b870c912a8393fd5396463f9d3d8f72f184abb80e61000000000e800000000200002000000002c7501b151f0c7d91d67e5580ca58aeaac5f3f535b8342fec19d3eadb23e21790000000161fc71185e8426d6feb77befb460824a6a02062c0ec4661564e30614023cd986d1035db68bddfa8a341b0a92063ac1f6b931a3aea91d427e5773e7d5e2b7602db581d403c7b7180a2760171f2710fe6cfc0505b75769fbd4352ffd4e32e3cfc57dd1ce5485fdf3558823877d4399a271ae5cf82f7dc32de58272ee58e75d2dacb1c2556d330548acfaeccd8b98a519e400000003cc02fe76be12f6711425fd6fbccd1866dfefb2c02c4b1597d6295c1eda68021fb52d5cb9e63527abeff7962a1ba196cdbf828ae7d54c77610bfeaf889172357	iexplore.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
2636	gamevance32.exe
2636	gamevance32.exe
2636	gamevance32.exe
2636	gamevance32.exe
2028	IEXPLORE.EXE
2636	gamevance32.exe
2636	gamevance32.exe
2636	gamevance32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2880	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2880	iexplore.exe
2880	iexplore.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2584	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2584	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2584	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2584	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2636	2584	cmd.exe	32
PID 2584 wrote to memory of 2636	2584	cmd.exe	32
PID 2584 wrote to memory of 2636	2584	cmd.exe	32
PID 2584 wrote to memory of 2636	2584	cmd.exe	32
PID 2728 wrote to memory of 1852	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	33
PID 2728 wrote to memory of 1852	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	33
PID 2728 wrote to memory of 1852	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	33
PID 2728 wrote to memory of 1852	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	33
PID 1852 wrote to memory of 2168	1852	cmd.exe	35
PID 1852 wrote to memory of 2168	1852	cmd.exe	35
PID 1852 wrote to memory of 2168	1852	cmd.exe	35
PID 1852 wrote to memory of 2168	1852	cmd.exe	35
PID 1852 wrote to memory of 2168	1852	cmd.exe	35
PID 1852 wrote to memory of 2168	1852	cmd.exe	35
PID 1852 wrote to memory of 2168	1852	cmd.exe	35
PID 2728 wrote to memory of 2880	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	36
PID 2728 wrote to memory of 2880	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	36
PID 2728 wrote to memory of 2880	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	36
PID 2728 wrote to memory of 2880	2728	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	36
PID 2880 wrote to memory of 2028	2880	iexplore.exe	37
PID 2880 wrote to memory of 2028	2880	iexplore.exe	37
PID 2880 wrote to memory of 2028	2880	iexplore.exe	37
PID 2880 wrote to memory of 2028	2880	iexplore.exe	37
PID 2636 wrote to memory of 2880	2636	gamevance32.exe	36
PID 2636 wrote to memory of 2028	2636	gamevance32.exe	37

C:\Users\Admin\AppData\Local\Temp\54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Program Files (x86)\Gamevance\gamevance32.exe
    "C:\Program Files (x86)\Gamevance\gamevance32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2168
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8T1wsH0srLCtOfU5dX64LL08rS3%2F7K6tbqyurOzxbTHusa3t8L%2Fo%2F%2Bzs7Oys7Ozs%2F%2FMyA
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
53B

MD5
a00ad4668df2e2c24f8ccb446de30d6f

SHA1
b924b91cfb77e6233f46834952cc131cbca14586

SHA256
e89780dd3a5483fdad82fdbc7181872651767693c2bcf31e0b65aea9958a6822

SHA512
7225946bbba9c81ba9a612f64f1f9e6d704ba6ffac7f6e3b5f381b39ebf2205b60fbf457524673a953bdc93b0f85b1c6aeae7f5622a04b1d956c0f928b34474e

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
95B

MD5
779a5045803806bc373332644b3ec7f6

SHA1
be7260ea13c4a462887e1c0dea74702125a3ce95

SHA256
e631eed204682ff3aa76e42cb71592cf105c29d33fb7d043f811bbb2e411beb3

SHA512
ddbe58b384610bb9ebb19fcf3ccf62bf7c31943e6a77b71486311f4e7c1a03025ae2be6291cf11e59ae3b97dc2580e3dbe565bd6605be9679f1ff57c8c6ea23f

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
165B

MD5
03d8fc359b3b92ab47daa4a66bf7c620

SHA1
f2f694752744ebcd156dd1b15ea223c51c67a40b

SHA256
a7cb729a8130e68a741218f00a7537d92f8d4a743cd5ae958cba561d8ed1968e

SHA512
62ca2563ba40b61b64a9327ee445709acbc62cf83021bde32f77674af2d085c8f448503aeaf76012802aee59aa7aef2440c9927e519dfe90e890c831b5f09f0f

Download Submit
C:\Program Files (x86)\Gamevance\gamevancelib32.dll

Filesize
223KB

MD5
f6cc90fc05157814886b4ab5c6587947

SHA1
db780a1ae992e2ae62741ff0f3c9b8c4bbf90e25

SHA256
0f6142dab1ff317a455a50bf93d37a340b5059e575c61b3f1a7d929585abd799

SHA512
c1c532f60b6bab24111ab131425d05402816e243bdff23c5ac19ec4c9fde70744e068bb2a211d94d6898d241f327930e4c6c130cde85c8cc71c23dd77709b0bf

Download Submit
C:\Program Files (x86)\Gamevance\gvtl.dll

Filesize
154KB

MD5
c6ecec4f180f5cf57a13e338015dc0a2

SHA1
dfab483824956bddd46e61b5f6db3536fcc0ac64

SHA256
ae939f3c64886fe24081c1070e3a7eaf04f2864db451e682efd1ff5cf546d007

SHA512
a878b12487e5062441e2f23c7a72f9eec23e590e80db60c9c6c03e270e7e6283c951663adf7212ecbd649bdabf62b09ce1ae827b4d0b0a54c924aa129ebda72d

Download Submit
C:\Program Files (x86)\Gamevance\gvun.exe

Filesize
256KB

MD5
b48a3a44c2ac21d894949fc7e712ef5a

SHA1
8a69634a268dcd9fd66b9262a019ee6fefbf83bd

SHA256
8dc4ec511121f9e6fe17682688e233a0b01281f3a5825b4e445e1d5486526666

SHA512
8ac106664159bce36863735b8788a54c9509a719269e5d9bf8cf203eab91b9ca970b646ad929a0108b4c97fe0131edfaa4dbd14b897b357829bdee7be32388d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6283a196ab27470062c2431f6503e6ba

SHA1
1b39281b6359469dbb81169a5dedf87734c3c7e5

SHA256
994d6720d248ec822200a0d05860a331bcf06d4bed984ee4da04221db89cb617

SHA512
a59965e0e690988682c794335a40bfa13251cf24d4a35a14715cfd96e32738aee618b1d4fbf79854998f5b0afe3d91a435b98c58d1974dae837c0efbfdd4a8ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca30d4362dba9e7de1c89239de4ed4d

SHA1
7f8a595168e86107236648bed655384bd9ec1984

SHA256
7f1f412fd7d4c5f62b09882a1330b17964bbb03aded30bce8c645b8b174a504e

SHA512
a3ce7b2df4b9c332c5d034c7365793cc036fdca4e4eafb922b63757cef3d5e56557ff4f0327891b4b0869f8b4495e5f42840bbc0367b52c0dba57a0d177f8ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac55473832e281f33683e16c36eee5b5

SHA1
269a5f890ab459b446fffe6a26ebdd27bee655ce

SHA256
46a5f4fcbc962fd1987e7700bd2edd021a37e7d11f95570ddf683ed16819dc44

SHA512
dd9ccf2a57aa80d98813613804593385ebf90c4381f47045a418acf4cdde09373e91945da352b4341516ae3b634ee00c84b05da0e4e9aed4686682f689d2448b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfde3e37f5000b2fb1e7b098dcdbb7dd

SHA1
9c6771d6aa743620d0b0b22753a48f23891bbc93

SHA256
6d86a17fbe4439ce8ba7f44edf7832fd9aaeed68429e414c3f5762dc8a033f0b

SHA512
13c08ba22a796a865359e783eecd89ef1e1f38bb7a97c18b43c4975d5df97cb44e21231c4a2e1320627d396270623f892ed2c4185fd439bdff7a00cbc399a3c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
210b4995dbe6222d6c1adfa5e9783296

SHA1
db709e41c36c299c7f96873903274220a98c9357

SHA256
f54cbae9b7e9340823ef54dd70355085f5b9341b716748d46439c8a2ff91a90c

SHA512
a0ff575a5eeaeca1057bb94cdc72998bce8207356ffb4061a94ed7f804aa05902c62d57d88cbeb52abc8c97f0ced427d6c3efd80d78123bd764e92e32fddb69d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7baa4ebe62b31870bca3d5ddab1f7fd3

SHA1
d7f5a7ed259511504db79db3861fe74f274e57a3

SHA256
afd515146a692689a44eb9216fe3dfea53897ecf30ff5a8ea3cd8cb08dc65d0f

SHA512
97ff2ba9b38d697f0a8a4eda52ed1bbd472492e6f562efaf6ac83ec13b5054fec03a9d25dff5e01e84566e31c1db42c5fbba44fcaa939ec954263745d194a281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9419df33d1607c00c4e9cf045d47f6f8

SHA1
37fbf7d958e67b41b4c2e8b07edad90113c64203

SHA256
78ff727dbcc4b1f5c5ab2862e1de42dde872f0c6178c4deea92c4d5bffddf27f

SHA512
ba2dcaca9a6819fd237acd3f16f8ae9ae89db2bc93eb5af1382d66cb072ff25a5febe2c31cf11fa03196b0e135ed565c844958816b6f8adc35b53dd80b690b5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac3cf0d358f3bc6c572b3a7651354b00

SHA1
3fd4434dcd74b38879c298e0e9d0a7fe0c7f2301

SHA256
39a09f089fb4b2b3c12e5e69027744807bd32050eb1976adb12801c69c5d5207

SHA512
cc0af3bba4ab21178e37c2c40c5abd8c95aa55d8fa9a7c653c0d7b45fd3ddbf8304c2fc674a6d9b472a7ff8fbcc4caf048a883f4cbe1f8410439b4036f957089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c5d0cb7bcc0721b10f65e8e431ca7f9

SHA1
f65ead1fea038257f0ac5608423db438fd8f6f8e

SHA256
273c86cba355cc4aa01eef3baff72a0ce9b739b9b5ef7c1b0185ea1fb16fab36

SHA512
41de5d52206eb11a3592de2d7f8127fb74cf5d52aef80d1769fc5554d3d9fca7c5d252ae36484fde617744af67952d201fde69e0245d277b971bfc4cdb9aea1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d97609f0ad9592c571cfb3055f90657

SHA1
a04fc6dedcf9af39e906bfba1d351b175d3e374e

SHA256
bebf92830cdb0abe01e41f2a7883ad139363e9249caa59c907d1551ba25e4872

SHA512
a651c267832546eef8f130b1121c95f44ea2ae385596d57de37793cb78788d2a1a79b4924a8cd9d853c3f5de4e2cd93aae9db0df3da25fe71c3a2bd54d62741f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f81fefd9dd4f128d0273072c025bffbb

SHA1
8c744564c909ce969878c0d0ba67afb19d6405b2

SHA256
bf4f6cf4993d76e0d4c4605a6df2f2e89f6256f0a8e683f46862c15ed522c6bc

SHA512
33738a42b7a2fe203991267ed1bc6527c2970261c16bd1bfd9c2838c7e280c143645018d12230f683fc91476b952a2f2b0f17d19a1e1259d1d07ac5fbc91846c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9214.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9227.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Gamevance\gamevance32.exe

Filesize
234KB

MD5
bb4f48bec6da17b46cb983c392885ea5

SHA1
6c7fcac83c0e48f54f923a6b2f0e78db97936221

SHA256
3b3d4a482b958eea7cd2ef703651b054db6ca19c2946c3b7533ade1a152ebf7a

SHA512
227337d9eb8ffd373c8d4c2ff45304e61162491e9833fa7301ac69fcdd98f36494f9c6a19e16c11d69aee7ed5100912748d50cbdbcb5e728cc5f9ac0c4f46c59

Download Submit
memory/2636-37-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/2636-635-0x0000000000170000-0x00000000001BE000-memory.dmp

Filesize
312KB

Download
memory/2636-59-0x0000000000170000-0x00000000001BE000-memory.dmp

Filesize
312KB

Download
memory/2636-466-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/2728-0-0x0000000000780000-0x0000000000B08000-memory.dmp

Filesize
3.5MB

Download
memory/2728-80-0x0000000000780000-0x0000000000B08000-memory.dmp

Filesize
3.5MB

Download
memory/2728-60-0x0000000000780000-0x0000000000B08000-memory.dmp

Filesize
3.5MB

Download
memory/2728-465-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/2728-18-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/2728-1-0x0000000000780000-0x0000000000B08000-memory.dmp

Filesize
3.5MB

Download