Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
15/01/2025, 16:31
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
-
Size
1.9MB
-
MD5
5c43d1b3bd3443495544f876ae42a014
-
SHA1
793fbc245ca3fe9010658bbab1b0a5b5ec5baad8
-
SHA256
624650db8278744c40f1c924592a1e98551a6bfeee9e7982e6c77b947813bf66
-
SHA512
d389b555c1da99c6c00d0e358ac57f39438e9ac43d7a7ae614486b73c8c51707a7fb7f6f2cc7c7ca0989b806de852dfcbcfed8e13e18dc02fe6048585ac92811
-
SSDEEP
49152:2tVembwPzY//HFNnVe8kByLCEaslHyW5YbL+QXBx:2HPbwPzobVeJjEas1ydv+QX/
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
PID 1780 gamevance32.exe
-
Loads dropped DLL 5 IoCs
PID 2880 JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
PID 2692 cmd.exe
PID 1780 gamevance32.exe
PID 2508 regsvr32.exe
PID 2224 IEXPLORE.EXE
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
The key sits in HKLM (the 32-bit Wow6432Node view), so gamevance32.exe is started for every user who logs on, not only the account that ran the installer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules that Internet Explorer loads in-process as plugins; registering one gives the DLL code execution inside the browser with access to page content and navigation events.
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (regsvr32.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} (regsvr32.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" (regsvr32.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" (regsvr32.exe)
NoExplorer = 1 tells Windows Explorer not to load this BHO, so it runs only inside Internet Explorer. The CLSID resolves to C:\Program Files (x86)\Gamevance\gvtl.dll through the InprocServer32 entry listed under "Modifies registry class" below.
-
Drops file in Program Files directory 9 IoCs
File created C:\Program Files (x86)\Gamevance\gamevancelib32.dll (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
File created C:\Program Files (x86)\Gamevance\icon.ico (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
File created C:\Program Files (x86)\Gamevance\ars.cfg (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
File created C:\Program Files (x86)\Gamevance\gamevance32.exe (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
File created C:\Program Files (x86)\Gamevance\gvun.exe (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg (gamevance32.exe)
File created C:\Program Files (x86)\Gamevance\gvtl.dll (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
File created C:\Program Files (x86)\Gamevance\gvff.tmp (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe, cmd.exe, gamevance32.exe, cmd.exe, regsvr32.exe, IEXPLORE.EXE)
Both cmd.exe instances and IEXPLORE.EXE trigger this as well, so on its own it is a weak signal.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (gamevance32.exe)
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (gamevance32.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (gamevance32.exe)
-
Enumerates system info in registry 2 TTPs 4 IoCs
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe)
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (gamevance32.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (gamevance32.exe)
-
Modifies Internet Explorer settings (34 IoCs, counted from the entries below)
All keys are under \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer; the writing process is iexplore.exe unless noted.
Key created LowRegistry\DOMStorage
Set value (str) Main\FullScreen = "no"
Set value (int) Recovery\PendingRecovery\AdminActive = "0"
Set value (int) SearchScopes\DownloadRetries = "2"
Key created LowRegistry\DontShowMeThisDialogAgain
Key created TabbedBrowsing
Key created IETld\LowMic
Set value (int) Recovery\AdminActive\{32797571-D35E-11EF-B4EC-5E7C7FDA70D7} = "0"
Set value (data) Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
Key created DomainSuggestion
Set value (int) DomainSuggestion\NextUpdateDate = "443120583"
Key created GPU
Key created InternetRegistry
Key created LowRegistry
Key created Zoom
Set value (str) Main\WindowsSearch\Version = "WS not running"
Key created TabbedBrowsing\NewTabPage
Key created Main
Set value (int) Main\CompatibilityFlags = "0"
Key created Recovery\PendingRecovery
Key created SearchScopes
Set value (data) TabbedBrowsing\NewTabPage\MFV = (value elided on this page)
Key created IntelliForms
Key created PageSetup
Key created Toolbar
Key created Main (IEXPLORE.EXE)
Set value (data) TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c883bd70e948c54bad71671c6040e5110000000002000000000010660000000100002000000092d848e203bdcca0410542a57f3119deaad12df9c5360ff2fcd4ff626240f448000000000e8000000002000020000000c33364ace5acfac1194d64b232550bc520b187c29722bbbcbdd7b631bd556fba20000000206bef35c29130568fcc2e276b7425294a128ac17d4c4230665a55a2f6c6a09d400000000d75effebb4becd4a44a2fabc6693ed6e973ca7278ba8401e433426dcbe366667e06d0fe89173e6cf537a92c607b30c42bab897c68415aa4061202f4a2dd6bb2
Key created BrowserEmulation\LowMic
Key created Toolbar\WebBrowser
Key created Recovery\AdminActive
Set value (int) TabbedBrowsing\NTPFirstRun = "1"
Set value (data) TabbedBrowsing\NewTabPage\LastProcessed = 901ef9076b67db01
Key created Main\WindowsSearch
Set value (int) Recovery\PendingRecovery\AdminActive = "1"
These are all written by the IE processes the sample launched and look like IE's own first-run and session state (NTPFirstRun, Window_Placement, DomainSuggestion) rather than settings the sample set directly. The DecayDateQueue value is a DPAPI-protected blob (01000000 followed by the provider GUID d08c9ddf-0115-d111-8c7a-00c04fc297eb), so its contents are IE state encrypted to this user, not sample data.
-
Modifies registry class 26 IoCs
All keys are under \REGISTRY\MACHINE\SOFTWARE\Classes and are written by regsvr32.exe; {CLSID} stands for {beaC7DC8-E106-4C6A-931E-5A42E7362883}.
Set value (str) Wow6432Node\CLSID\{CLSID}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll"
Set value (str) GamevanceText.Linker\ = "Gamevance Text"
Key created GamevanceText.Linker\CLSID
Set value (str) GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
Key created Wow6432Node\CLSID\{CLSID}
Key created Wow6432Node\CLSID\{CLSID}\ProgID
Set value (str) Wow6432Node\CLSID\{CLSID}\VersionIndependentProgID\ = "GamevanceText.Linker"
Key created Wow6432Node\CLSID\{CLSID}\InprocServer32
Key created Wow6432Node\CLSID\{CLSID}\TypeLib
Key created AppID\GamevanceText.DLL
Set value (str) AppID\GamevanceText.DLL\ = "GamevanceText"
Key created GamevanceText.Linker
Key created GamevanceText.Linker\CurVer
Set value (str) Wow6432Node\CLSID\{CLSID}\ProgID\ = "GamevanceText.Linker.1"
Set value (str) Wow6432Node\CLSID\{CLSID}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}"
Key created Wow6432Node\CLSID\{CLSID}\Programmable
Set value (str) GamevanceText.Linker.1\ = "Gamevance Text"
Set value (str) GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1"
Key created Wow6432Node\CLSID
Set value (str) Wow6432Node\CLSID\{CLSID}\ = "Gamevance Text"
Key created Wow6432Node\CLSID\{CLSID}\VersionIndependentProgID
Set value (str) AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
Key created GamevanceText.Linker.1
Key created GamevanceText.Linker.1\CLSID
Set value (str) GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
Set value (str) Wow6432Node\CLSID\{CLSID}\InprocServer32\ThreadingModel = "Apartment"
-
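The Run key, the Browser Helper Objects entries and the CLSID registration above are three views of one persistence mechanism, joined by the CLSID. The script below is an added example, not code from this report or from the sandbox: it reads rows shaped like the IoCs on this page and collapses them into a single finding (BHO name, the DLL IE will load, ProgID, NoExplorer flag, the Run-key command). The EVENTS list is constructed from the entries above, and the (operation, key, value, process) tuple layout is the example's own assumption, not the sandbox's export format.

```python
"""Correlate sandbox registry IoCs into a single BHO persistence finding.

Added example, not code from this report or from the sandbox. EVENTS is
constructed from the Run-key, Browser Helper Objects and CLSID entries
shown on this page; the (operation, key, value, process) tuple layout is
the example's own assumption about how such rows are exported.
"""
import re
from collections import defaultdict

SAMPLE = "JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe"
CLSID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
WOW = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\"
BHO_KEY = WOW + "Microsoft\\Windows\\CurrentVersion\\explorer\\Browser Helper Objects\\" + CLSID
COM_KEY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\" + CLSID

# Constructed from the IoCs on this page: (operation, key path, value, process)
EVENTS = [
    ("Set value (str)", WOW + "Microsoft\\Windows\\CurrentVersion\\Run\\Gamevance",
     "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a", SAMPLE),
    ("Key created", BHO_KEY, None, "regsvr32.exe"),
    ("Set value (str)", BHO_KEY + "\\", "Gamevance Text", "regsvr32.exe"),
    ("Set value (int)", BHO_KEY + "\\NoExplorer", "1", "regsvr32.exe"),
    ("Key created", COM_KEY + "\\InprocServer32", None, "regsvr32.exe"),
    ("Set value (str)", COM_KEY + "\\InprocServer32\\",
     "C:\\Program Files (x86)\\Gamevance\\gvtl.dll", "regsvr32.exe"),
    ("Set value (str)", COM_KEY + "\\InprocServer32\\ThreadingModel", "Apartment", "regsvr32.exe"),
    ("Set value (str)", COM_KEY + "\\ProgID\\", "GamevanceText.Linker.1", "regsvr32.exe"),
    # ProgID -> CLSID back-reference; it carries no new fact, so correlate() ignores it
    ("Set value (str)", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\GamevanceText.Linker\\CLSID\\",
     CLSID, "regsvr32.exe"),
]

RUN_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9a-f-]{36}\})(?:\\(.*))?$", re.I)
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9a-f-]{36}\})\\(InprocServer32|ProgID)\\(.*)$", re.I)


def correlate(events):
    """Return (bho_findings, run_entries).

    bho_findings maps a lower-cased CLSID to the name, DLL, threading model,
    ProgID and NoExplorer flag gathered from separate registry rows.
    run_entries is a list of (value name, command line, writing process).
    """
    bhos = defaultdict(dict)
    run = []
    for op, key, value, proc in events:
        is_set = op.startswith("Set value")
        if (m := RUN_RE.search(key)) and is_set:
            run.append((m.group(1), value, proc))
        elif (m := BHO_RE.search(key)):
            d = bhos[m.group(1).lower()]          # GUIDs compare case-insensitively
            d.setdefault("registered_by", proc)
            sub = (m.group(2) or "").lower()
            if is_set and sub == "":
                d["name"] = value                 # default value of the BHO key
            elif is_set and sub == "noexplorer":
                d["no_explorer"] = value == "1"   # 1: load in IE only, not in Explorer
        elif (m := CLSID_RE.search(key)) and is_set:
            d = bhos[m.group(1).lower()]
            subkey, name = m.group(2).lower(), m.group(3).lower()
            if subkey == "inprocserver32" and name == "":
                d["dll"] = value                  # the code IE will actually load
            elif subkey == "inprocserver32" and name == "threadingmodel":
                d["threading"] = value
            elif subkey == "progid" and name == "":
                d["progid"] = value
    # A CLSID is a finding only if it was actually hooked into the BHO list
    findings = {c: d for c, d in bhos.items() if "name" in d or "no_explorer" in d}
    return findings, run


def report(events):
    """One human-readable line per finding, for the analyst's notes."""
    findings, run = correlate(events)
    lines = []
    for clsid, d in findings.items():
        lines.append(f"BHO {clsid} \"{d.get('name')}\" -> {d.get('dll')} "
                     f"(ProgID {d.get('progid')}, {d.get('threading')}, "
                     f"NoExplorer={d.get('no_explorer')}, registered by {d['registered_by']})")
    for name, cmd, proc in run:
        lines.append(f"Run key {name} = {cmd} (set by {proc})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

The join on the CLSID is the point: the BHO key alone only says "Gamevance Text", and the CLSID key alone only says a DLL was registered; together they show which file IE loads and that it is the same directory the Run key starts gamevance32.exe from. Rows that reference the CLSID without adding a fact (the ProgID back-reference) are skipped rather than matched by a looser pattern.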
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 2880 JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe (56 entries)
PID 1780 gamevance32.exe (7 entries)
PID 2224 IEXPLORE.EXE (1 entry)
-
Suspicious use of FindShellTrayWindow 1 IoCs
PID 2448 iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
PID 2448 iexplore.exe (2 entries)
PID 2224 IEXPLORE.EXE (4 entries)
-
Suspicious use of WriteProcessMemory 29 IoCs
Writer -> target (number of rows; procid_target as reported by the sandbox):
PID 2880 JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe -> PID 2692 cmd.exe (4; 30)
PID 2692 cmd.exe -> PID 1780 gamevance32.exe (4; 32)
PID 2880 JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe -> PID 3036 cmd.exe (4; 33)
PID 3036 cmd.exe -> PID 2508 regsvr32.exe (7; 35)
PID 2880 JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe -> PID 2448 iexplore.exe (4; 36)
PID 1780 gamevance32.exe -> PID 2448 iexplore.exe (1; 36)
PID 2448 iexplore.exe -> PID 2224 IEXPLORE.EXE (4; 37)
PID 1780 gamevance32.exe -> PID 2224 IEXPLORE.EXE (1; 37)
Six of these pairs are a parent writing into the child it has just created (compare the process tree below), which is what process start-up looks like in this signature. The two writes by gamevance32.exe (PID 1780) into iexplore.exe (PID 2448) and IEXPLORE.EXE (PID 2224), neither of which it spawned, are the ones to follow up.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe"
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880
-
C:\Windows\SysWOW64\cmd.exe (level 2, child of PID 2880)
Command line: cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
-
C:\Program Files (x86)\Gamevance\gamevance32.exe (level 3, child of PID 2692)
Command line: "C:\Program Files (x86)\Gamevance\gamevance32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780
-
C:\Windows\SysWOW64\cmd.exe (level 2, child of PID 2880)
Command line: cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
-
C:\Windows\SysWOW64\regsvr32.exe (level 3, child of PID 3036)
Command line: regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2508
-
C:\Program Files\Internet Explorer\iexplore.exe (level 2, child of PID 2880)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8vQwsH0srLk8cix7OjixLLJ7s7W%2F7LFu8KxtcK3trK3tbrF%2F6P%2Fs7OzsrOzs7P%2FzMg
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 3, child of PID 2448)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2224
-
The 64-bit iexplore.exe (PID 2448, under Program Files) is the frame process; the 32-bit IEXPLORE.EXE it starts (SCODEF:2448 names that frame) hosts the tab, and it is the one flagged for "Loads dropped DLL", consistent with gvtl.dll being registered only under the Wow6432Node (32-bit) view of the registry.
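Reading the WriteProcessMemory rows against this tree is the step that separates noise from signal: a parent writing into the child it just created is routine, a write into a process it did not spawn is not. The script below is an added example, not code from this report or the sandbox; PROCESSES and WRITES are constructed from the process tree and the WriteProcessMemory signature on this page, and the dict/tuple layouts are the example's own.

```python
"""Separate routine parent->child WriteProcessMemory rows from cross-process ones.

Added example, not code from this report or from the sandbox. PROCESSES and
WRITES are constructed from the process tree and the WriteProcessMemory
signature on this page; the dict/tuple layouts are the example's own.
"""
from collections import Counter

# pid -> (image name, parent pid); the root has no parent
PROCESSES = {
    2880: ("JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe", None),
    2692: ("cmd.exe", 2880),
    1780: ("gamevance32.exe", 2692),
    3036: ("cmd.exe", 2880),
    2508: ("regsvr32.exe", 3036),
    2448: ("iexplore.exe", 2880),
    2224: ("IEXPLORE.EXE", 2448),
}

# (writer pid, target pid), one tuple per row of the signature (29 rows)
WRITES = (
    [(2880, 2692)] * 4 + [(2692, 1780)] * 4 + [(2880, 3036)] * 4
    + [(3036, 2508)] * 7 + [(2880, 2448)] * 4 + [(1780, 2448)]
    + [(2448, 2224)] * 4 + [(1780, 2224)]
)


def ancestors(processes, pid):
    """Yield the parent pids above pid, nearest first; stops on cycles or unknown pids."""
    seen = set()
    parent = processes[pid][1]
    while parent is not None and parent not in seen:
        seen.add(parent)
        yield parent
        parent = processes.get(parent, (None, None))[1]


def classify(processes, writes):
    """Return {(writer, target): (relation, row count)}.

    relation is "parent->child" when the writer created the target (what
    process start-up looks like in this signature), "ancestor->descendant"
    when the writer is further up the target's lineage, "cross-process" when
    it is not in the lineage at all, and "unknown" when a pid is not in the tree.
    """
    result = {}
    for (writer, target), n in Counter(writes).items():
        if writer not in processes or target not in processes:
            rel = "unknown"
        elif processes[target][1] == writer:
            rel = "parent->child"
        elif writer in set(ancestors(processes, target)):
            rel = "ancestor->descendant"
        else:
            rel = "cross-process"
        result[(writer, target)] = (rel, n)
    return result


def suspicious(processes, writes):
    """Writer/target pairs worth following up, with image names attached."""
    return [
        (w, processes[w][0], t, processes[t][0])
        for (w, t), (rel, _) in classify(processes, writes).items()
        if rel == "cross-process"
    ]


if __name__ == "__main__":
    for (w, t), (rel, n) in classify(PROCESSES, WRITES).items():
        print(f"{w} {PROCESSES[w][0]} -> {t} {PROCESSES[t][0]}: {rel} x{n}")
    print("follow up:", suspicious(PROCESSES, WRITES))
```

Run against this page's data the only cross-process pairs are gamevance32.exe (1780) into iexplore.exe (2448) and IEXPLORE.EXE (2224); the other six pairs are parent-to-child. The "ancestor->descendant" bucket is kept separate because a grandparent writing into a grandchild is still unusual but has a different explanation (re-parenting, job objects) than injection.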
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize
95B
MD5
5a7945400a0794dc5d237bc174f8a752
SHA1
a824e38ed58522414223515ba4814481d5f61ca8
SHA256
6f1a16a8d84d49b0c0b796f11741d791c6a9e54c5b0b8a72d5ea090c5b4ef69e
SHA512
a2f816ce30d90d9f375352f6a86fc6a0fcf21d56200f0760da74f0f5c8fc571ced6efc28bac1c7a4bc4bbb24b5e8e33227e76b96df5df22b6182116f696e5ec4
-
Filesize
107B
MD5
e3d68e5e7e762091f5e845640167abca
SHA1
4bbd9447bbf004eff5ae764acc5cd8a2d36b7715
SHA256
17409dcbc8eca711d7c7b3d71ce0d2589793e147e667bf6a6537855ac7b10c6b
SHA512
8ef6a01bdf1d83d52d8fba92a36c67eeec30dee550a67bbae9fa8403ba705cfd60cb85aa5f0fd520ec33c76733620cf7fc542e7a51f8805258ae5de254fa74b7
-
Filesize
163B
MD5
ba83ab968ef86375bdef1d4b277f9a01
SHA1
41ff9bb1ccb51174337839dc86fb6169d9291a49
SHA256
10381dec1ef3ed5005a403218d7c280a2492abaff313dd5ad269e3b5dbddbabb
SHA512
14a376448a135e4297e06ec8c63a50d6a299a0c701abc450a9a27c1650eee71f9f558b903494b94a9f352a5d6cf34758fa47c33a9e927f9d426afff7f888e526
-
Filesize
154KB
MD5
016675c37e90e8761aa528884c0d961c
SHA1
df6056ed2ccfdd65c27970c40f243d18c7206c43
SHA256
5ca7b8b39eb09b5dc2f349fc6d507d34deb5ac926b85997ee0fc6ad4ca69d101
SHA512
1afb18453c181d7c5b660306b557d4f25ed9274e6b7c7bc983c72e65601e620e5d2402547c090e199666f39404ec2377f5060d441c5f0639b839b8135b4d3c00
-
Filesize
266KB
MD5
52d920d775537b6e5abeae273bdc0bc6
SHA1
c93d781dd58e7ba2711717a05d771263281cb23d
SHA256
5232cabba2c58b0ad4c00378395287f519e2ec9282daa654a714fae7a5c601d4
SHA512
e9be004b77d36994c20bb05c310681288b2fd8f61af7e29ec7638195e1e89a1fdeb9e612c3fd5382b77f44f9e2743a4728e488c4771bfb05f358931c2d10bc96
-
The next 13 entries share one path, C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015, each 342B with different contents. This is CryptoAPI's cache of objects it fetched over HTTP (certificates, CRLs) while IE was running, rewritten as the cache was refreshed; it is Windows housekeeping, not a sample payload.
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
7726e4932f3d398f55791d171c2be109
SHA1
c8c02bfc40da924f25664b14ea7893c8560d6d1f
SHA256
94b35df04292beeeb75b086d4d5b87635920aed3e9fc9f472c56f7c83f4c9a13
SHA512
db63889405b75f096d51ef8e40ea1b860e461acf8fce131b7ec494a70e7de433dae1081a8c031e2c2adf57fb89c6ab212c9125f59a5d6777abea51df5705535c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
09c94c5239d3130331bb23fa4dd02242
SHA1
92f174dad7d82d5609dd7b00a3cc19ba255b7032
SHA256
2bab13be3dd94dd8050e7f7502c96223d1fbe8df4878c936f7942fd9d64d8a12
SHA512
d27abd27181a9b8517a360008c7cbfe521edce4c998918c3476d6dfa90ea4cb0367b0c38fc46b160c8e1a0e125a7ebf67c6d852f380448c84fae58adc5a9fd7b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
06004f97d6846b7a873619890eff50fc
SHA1
bf325d88a21262a83a583195476fa2f4f44b1f0b
SHA256
3c2f4cdd48b692b22582cb394346f2af78dafccce6766f256679a36e83ee5112
SHA512
6b2b9fa69eee41bba8fb3e10b191d762fe87059c73f23830fbe2c4ba78d429dfbb4194c411623875de704d54b63c47a3a4f42a2ec954bb850188b843e002357a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
c094c540d18d07ded74cfa8f669df3e0
SHA1
444a16be30acb03c60330f63ff1d44498f191f6e
SHA256
2ca1c1a00ebb12fcb7873e5a4543eb87b91957e6dc9ba7122f6e4a4368f7bd56
SHA512
6ad9cfc234ecb8c69aae2d87e11192d64663f7ddcb56313294e0cc2dd03b1f9a0f1862ac2cb9ddbd9e9892885c9f900460ef82b336bc578f11e9933b7f7f9930
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
3719c502a4fa1ec4f0aa870384c90e4c
SHA1
eee4b39b5396ad3e5c7415c7f41ab51c7503996f
SHA256
fbd68a2e11047f5c09e44ebc0e673fefdb483171c8a253ef91cdb99a83c23602
SHA512
6e1fc65c47c8985d82c5faa37f0c54daf079cfa48302d9a1dbe60faa1c71ccd3ff0d5d5687d8fba56fb44edeebbf8cdd1d9714cda367b9aae36daedf9902d273
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
e5ae0964e6cd4a9938ef847783263f15
SHA1
5ad773317d56ad39d4fe7e39c007e824b2dfb04b
SHA256
6b70006f6424999c0e1be6e56f4bc79c0ec5f9be63bb079ba4eb3d019be5b355
SHA512
42512d426504d80533bc0e1424c6af996aa94d726178fd3b2b8cc61283ca1975045fb143658ab18712add55728c1a44879c961de8774ca1bb1d7b857f4aa5311
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
a672ab5d8859eecee5359576dbcdea97
SHA1
8be8343aff166ba75d1129adf73aeb7444ef67ea
SHA256
82de32b8c846e029b88309031ef2e3a4023341058698737afbdd111b970e92ad
SHA512
22dd35e6a8a566153f9129c18e2d1e19531dd03eee2f3e11477579c6682d82cb6da26a9192f1862b6f3e1f0c3fb8762ee91fe60d6b47def873031388de3d9eea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
5a31a702109e1db1f7ddc96f73b3622b
SHA1
7022276d6781d4c4a6c95a91e65f5fdd31ca8d18
SHA256
3c75124f8b3a5b9ec8caeb1ee0a955fa748fd670246752b0bf9459c5ae73d600
SHA512
a095daa84d442d78561d356abbb8c944de04e7382c5e3c62fcc62fa5e344bb6fbe77652267cfbb525c31ab3bc0385b8415ddda6f06f6428f814e2d15bdfeae98
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
4a27b7b0b577e3d6feeb5042500ca747
SHA1
9d17d99f0cd558c2f0082612226cd0d575b534d9
SHA256
e3bd2e4e6380001892be5f54a3e3a8b1a105e96a6aef5323e2fde5df58ecc08f
SHA512
5088b9638337a4875356881521133210764a916e7b128266ad441ce451d4a3636c57b94c196654986a9619eab290dccd622f1cd513787ff15a99793a8a68957a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
4febca962e86453953ae8ff48856a12d
SHA1
e35e6d7e7d41aa87ae347df5c2474e4ede3bf6fb
SHA256
d2f804233b8d39dbbf219e73bbc72c54079ea31f1abb9bdb07d29eea6c2b1de5
SHA512
fc284fee7dcc01dbac33ac9d8f3a643691e081f63a0c5701b5473efa3bb7fd7a232637d1d4cb2221fba9a13df283a61bc8a78b6b6b00495cb4cc40170e95cd0f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
2d5b6af8802301746952f08ff209aef5
SHA1
b524f2875dbb19d368695b0f18fb322baa8af25c
SHA256
8da4b1510cf54d8724fc8e23852b609fcffa8a9333bc1b5a98fd5cfc245a6a52
SHA512
91912d143c035cb095ef0dc394e8307488304171620a66622dd6152a97214df43615b27afc6a792e95c703c463ca86d0a098cc7b035d366c4ab44310b04c10ee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
3b2ba96b68f018e9b3b3181221b9608a
SHA1
d20e188ad8d85826f46857343181b78c5adc5865
SHA256
ef3a0ca3003b7dc0a8b0f6f090d24422f0d98bb49e0762aac211ee5447c1a374
SHA512
b5afcaf99c448a90549a64320d80cad5e8a9ada1fe69c4fe622e61e6b88e83c63a69677c10970ce8bd43af16cd4c0339f42ec4e58ca9f4cdb4eebfaeb74e9fcb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
7023b7548379f099d1ca1a432c791426
SHA1
c79218143c3522daca35da394f710600f9c7e80e
SHA256
43067f78423e4347cc7f05ad073c8013d8dfcf8996463929a822d1d99fd59e85
SHA512
e280db28cfb49db41f6bffca0c8aa4e05da62c8237e472b7a7361dba0a14b204923c368bd1f11d04f7b2fd8f6e80560f7fcb8a55ecabb8761ca3729f809524ec
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
235KB
MD5
f036a46d211c23b320cf52285ffbb299
SHA1
466ecf46fa78072162d493484a18053652caf15d
SHA256
041ac2cbc0de6a509f6043db4b1e47bafeb309ea22f1477f270fa516b11d71af
SHA512
f285ffcbcce4c1f0274c46d38312ded082b5520bd7538be3b01f8879656d372ca1118bd400b4ae01deb77170aac27e4fbbe4f69a9b1543d0e6da946f6f636a03
-
Filesize
207KB
MD5
6e6612829295b2b8d9da4f10bd5e1cd2
SHA1
d40d3ca38ef269435410d27b89bc92ffaf09236e
SHA256
69d2cc722a7e19a614cd7438b38128498bd996eed2a7ff45e43bdcd01476caa2
SHA512
9745485dc39ceaf51d6ec58007783ccb61697eb4f63b1bd22cb4c86847162a9e2e6814b3490246447dd90770bed4ae11e11c30f36f71c1dc1e4ec47799890d7b