Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 16:31

General

  • Target

    JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe

  • Size

    1.9MB

  • MD5

    5c43d1b3bd3443495544f876ae42a014

  • SHA1

    793fbc245ca3fe9010658bbab1b0a5b5ec5baad8

  • SHA256

    624650db8278744c40f1c924592a1e98551a6bfeee9e7982e6c77b947813bf66

  • SHA512

    d389b555c1da99c6c00d0e358ac57f39438e9ac43d7a7ae614486b73c8c51707a7fb7f6f2cc7c7ca0989b806de852dfcbcfed8e13e18dc02fe6048585ac92811

  • SSDEEP

    49152:2tVembwPzY//HFNnVe8kByLCEaslHyW5YbL+QXBx:2HPbwPzobVeJjEas1ydv+QX/

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Program Files (x86)\Gamevance\gamevance32.exe
        "C:\Program Files (x86)\Gamevance\gamevance32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1780
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2508
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8vQwsH0srLk8cix7OjixLLJ7s7W%2F7LFu8KxtcK3trK3tbrF%2F6P%2Fs7OzsrOzs7P%2FzMg
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2224

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Gamevance\ars.cfg

          Filesize

          95B

          MD5

          5a7945400a0794dc5d237bc174f8a752

          SHA1

          a824e38ed58522414223515ba4814481d5f61ca8

          SHA256

          6f1a16a8d84d49b0c0b796f11741d791c6a9e54c5b0b8a72d5ea090c5b4ef69e

          SHA512

          a2f816ce30d90d9f375352f6a86fc6a0fcf21d56200f0760da74f0f5c8fc571ced6efc28bac1c7a4bc4bbb24b5e8e33227e76b96df5df22b6182116f696e5ec4

        • C:\Program Files (x86)\Gamevance\ars.cfg

          Filesize

          107B

          MD5

          e3d68e5e7e762091f5e845640167abca

          SHA1

          4bbd9447bbf004eff5ae764acc5cd8a2d36b7715

          SHA256

          17409dcbc8eca711d7c7b3d71ce0d2589793e147e667bf6a6537855ac7b10c6b

          SHA512

          8ef6a01bdf1d83d52d8fba92a36c67eeec30dee550a67bbae9fa8403ba705cfd60cb85aa5f0fd520ec33c76733620cf7fc542e7a51f8805258ae5de254fa74b7

        • C:\Program Files (x86)\Gamevance\ars.cfg

          Filesize

          163B

          MD5

          ba83ab968ef86375bdef1d4b277f9a01

          SHA1

          41ff9bb1ccb51174337839dc86fb6169d9291a49

          SHA256

          10381dec1ef3ed5005a403218d7c280a2492abaff313dd5ad269e3b5dbddbabb

          SHA512

          14a376448a135e4297e06ec8c63a50d6a299a0c701abc450a9a27c1650eee71f9f558b903494b94a9f352a5d6cf34758fa47c33a9e927f9d426afff7f888e526

        • C:\Program Files (x86)\Gamevance\gvtl.dll

          Filesize

          154KB

          MD5

          016675c37e90e8761aa528884c0d961c

          SHA1

          df6056ed2ccfdd65c27970c40f243d18c7206c43

          SHA256

          5ca7b8b39eb09b5dc2f349fc6d507d34deb5ac926b85997ee0fc6ad4ca69d101

          SHA512

          1afb18453c181d7c5b660306b557d4f25ed9274e6b7c7bc983c72e65601e620e5d2402547c090e199666f39404ec2377f5060d441c5f0639b839b8135b4d3c00

        • C:\Program Files (x86)\Gamevance\gvun.exe

          Filesize

          266KB

          MD5

          52d920d775537b6e5abeae273bdc0bc6

          SHA1

          c93d781dd58e7ba2711717a05d771263281cb23d

          SHA256

          5232cabba2c58b0ad4c00378395287f519e2ec9282daa654a714fae7a5c601d4

          SHA512

          e9be004b77d36994c20bb05c310681288b2fd8f61af7e29ec7638195e1e89a1fdeb9e612c3fd5382b77f44f9e2743a4728e488c4771bfb05f358931c2d10bc96

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          7726e4932f3d398f55791d171c2be109

          SHA1

          c8c02bfc40da924f25664b14ea7893c8560d6d1f

          SHA256

          94b35df04292beeeb75b086d4d5b87635920aed3e9fc9f472c56f7c83f4c9a13

          SHA512

          db63889405b75f096d51ef8e40ea1b860e461acf8fce131b7ec494a70e7de433dae1081a8c031e2c2adf57fb89c6ab212c9125f59a5d6777abea51df5705535c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          09c94c5239d3130331bb23fa4dd02242

          SHA1

          92f174dad7d82d5609dd7b00a3cc19ba255b7032

          SHA256

          2bab13be3dd94dd8050e7f7502c96223d1fbe8df4878c936f7942fd9d64d8a12

          SHA512

          d27abd27181a9b8517a360008c7cbfe521edce4c998918c3476d6dfa90ea4cb0367b0c38fc46b160c8e1a0e125a7ebf67c6d852f380448c84fae58adc5a9fd7b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          06004f97d6846b7a873619890eff50fc

          SHA1

          bf325d88a21262a83a583195476fa2f4f44b1f0b

          SHA256

          3c2f4cdd48b692b22582cb394346f2af78dafccce6766f256679a36e83ee5112

          SHA512

          6b2b9fa69eee41bba8fb3e10b191d762fe87059c73f23830fbe2c4ba78d429dfbb4194c411623875de704d54b63c47a3a4f42a2ec954bb850188b843e002357a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          c094c540d18d07ded74cfa8f669df3e0

          SHA1

          444a16be30acb03c60330f63ff1d44498f191f6e

          SHA256

          2ca1c1a00ebb12fcb7873e5a4543eb87b91957e6dc9ba7122f6e4a4368f7bd56

          SHA512

          6ad9cfc234ecb8c69aae2d87e11192d64663f7ddcb56313294e0cc2dd03b1f9a0f1862ac2cb9ddbd9e9892885c9f900460ef82b336bc578f11e9933b7f7f9930

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          3719c502a4fa1ec4f0aa870384c90e4c

          SHA1

          eee4b39b5396ad3e5c7415c7f41ab51c7503996f

          SHA256

          fbd68a2e11047f5c09e44ebc0e673fefdb483171c8a253ef91cdb99a83c23602

          SHA512

          6e1fc65c47c8985d82c5faa37f0c54daf079cfa48302d9a1dbe60faa1c71ccd3ff0d5d5687d8fba56fb44edeebbf8cdd1d9714cda367b9aae36daedf9902d273

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          e5ae0964e6cd4a9938ef847783263f15

          SHA1

          5ad773317d56ad39d4fe7e39c007e824b2dfb04b

          SHA256

          6b70006f6424999c0e1be6e56f4bc79c0ec5f9be63bb079ba4eb3d019be5b355

          SHA512

          42512d426504d80533bc0e1424c6af996aa94d726178fd3b2b8cc61283ca1975045fb143658ab18712add55728c1a44879c961de8774ca1bb1d7b857f4aa5311

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          a672ab5d8859eecee5359576dbcdea97

          SHA1

          8be8343aff166ba75d1129adf73aeb7444ef67ea

          SHA256

          82de32b8c846e029b88309031ef2e3a4023341058698737afbdd111b970e92ad

          SHA512

          22dd35e6a8a566153f9129c18e2d1e19531dd03eee2f3e11477579c6682d82cb6da26a9192f1862b6f3e1f0c3fb8762ee91fe60d6b47def873031388de3d9eea

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          5a31a702109e1db1f7ddc96f73b3622b

          SHA1

          7022276d6781d4c4a6c95a91e65f5fdd31ca8d18

          SHA256

          3c75124f8b3a5b9ec8caeb1ee0a955fa748fd670246752b0bf9459c5ae73d600

          SHA512

          a095daa84d442d78561d356abbb8c944de04e7382c5e3c62fcc62fa5e344bb6fbe77652267cfbb525c31ab3bc0385b8415ddda6f06f6428f814e2d15bdfeae98

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4a27b7b0b577e3d6feeb5042500ca747

          SHA1

          9d17d99f0cd558c2f0082612226cd0d575b534d9

          SHA256

          e3bd2e4e6380001892be5f54a3e3a8b1a105e96a6aef5323e2fde5df58ecc08f

          SHA512

          5088b9638337a4875356881521133210764a916e7b128266ad441ce451d4a3636c57b94c196654986a9619eab290dccd622f1cd513787ff15a99793a8a68957a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4febca962e86453953ae8ff48856a12d

          SHA1

          e35e6d7e7d41aa87ae347df5c2474e4ede3bf6fb

          SHA256

          d2f804233b8d39dbbf219e73bbc72c54079ea31f1abb9bdb07d29eea6c2b1de5

          SHA512

          fc284fee7dcc01dbac33ac9d8f3a643691e081f63a0c5701b5473efa3bb7fd7a232637d1d4cb2221fba9a13df283a61bc8a78b6b6b00495cb4cc40170e95cd0f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          2d5b6af8802301746952f08ff209aef5

          SHA1

          b524f2875dbb19d368695b0f18fb322baa8af25c

          SHA256

          8da4b1510cf54d8724fc8e23852b609fcffa8a9333bc1b5a98fd5cfc245a6a52

          SHA512

          91912d143c035cb095ef0dc394e8307488304171620a66622dd6152a97214df43615b27afc6a792e95c703c463ca86d0a098cc7b035d366c4ab44310b04c10ee

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          3b2ba96b68f018e9b3b3181221b9608a

          SHA1

          d20e188ad8d85826f46857343181b78c5adc5865

          SHA256

          ef3a0ca3003b7dc0a8b0f6f090d24422f0d98bb49e0762aac211ee5447c1a374

          SHA512

          b5afcaf99c448a90549a64320d80cad5e8a9ada1fe69c4fe622e61e6b88e83c63a69677c10970ce8bd43af16cd4c0339f42ec4e58ca9f4cdb4eebfaeb74e9fcb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          7023b7548379f099d1ca1a432c791426

          SHA1

          c79218143c3522daca35da394f710600f9c7e80e

          SHA256

          43067f78423e4347cc7f05ad073c8013d8dfcf8996463929a822d1d99fd59e85

          SHA512

          e280db28cfb49db41f6bffca0c8aa4e05da62c8237e472b7a7361dba0a14b204923c368bd1f11d04f7b2fd8f6e80560f7fcb8a55ecabb8761ca3729f809524ec

        • C:\Users\Admin\AppData\Local\Temp\Cab7774.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\Tar7842.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • \Program Files (x86)\Gamevance\gamevance32.exe

          Filesize

          235KB

          MD5

          f036a46d211c23b320cf52285ffbb299

          SHA1

          466ecf46fa78072162d493484a18053652caf15d

          SHA256

          041ac2cbc0de6a509f6043db4b1e47bafeb309ea22f1477f270fa516b11d71af

          SHA512

          f285ffcbcce4c1f0274c46d38312ded082b5520bd7538be3b01f8879656d372ca1118bd400b4ae01deb77170aac27e4fbbe4f69a9b1543d0e6da946f6f636a03

        • \Program Files (x86)\Gamevance\gamevancelib32.dll

          Filesize

          207KB

          MD5

          6e6612829295b2b8d9da4f10bd5e1cd2

          SHA1

          d40d3ca38ef269435410d27b89bc92ffaf09236e

          SHA256

          69d2cc722a7e19a614cd7438b38128498bd996eed2a7ff45e43bdcd01476caa2

          SHA512

          9745485dc39ceaf51d6ec58007783ccb61697eb4f63b1bd22cb4c86847162a9e2e6814b3490246447dd90770bed4ae11e11c30f36f71c1dc1e4ec47799890d7b