Analysis

max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2025, 16:31
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
Size: 1.9MB
MD5: 5c43d1b3bd3443495544f876ae42a014
SHA1: 793fbc245ca3fe9010658bbab1b0a5b5ec5baad8
SHA256: 624650db8278744c40f1c924592a1e98551a6bfeee9e7982e6c77b947813bf66
SHA512: d389b555c1da99c6c00d0e358ac57f39438e9ac43d7a7ae614486b73c8c51707a7fb7f6f2cc7c7ca0989b806de852dfcbcfed8e13e18dc02fe6048585ac92811
SSDEEP: 49152:2tVembwPzY//HFNnVe8kByLCEaslHyW5YbL+QXBx:2HPbwPzobVeJjEas1ydv+QX/
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
2480 | gamevance32.exe
-
Loads dropped DLL 3 IoCs
pid | Process
2924 | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
2480 | gamevance32.exe
2724 | regsvr32.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other profile contents. No file or registry IoCs are listed for this signature in this run.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer. The NoExplorer value set below stops the object from also being loaded into explorer.exe, so this one only loads into the browser.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | regsvr32.exe
-
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Gamevance\ars.cfg | gamevance32.exe
File created | C:\Program Files (x86)\Gamevance\gamevance32.exe | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
File opened for modification | C:\Program Files (x86)\Gamevance\ars.cfg | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
File created | C:\Program Files (x86)\Gamevance\gvun.exe | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
File created | C:\Program Files (x86)\Gamevance\icon.ico | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
File created | C:\Program Files (x86)\Gamevance\gvtl.dll | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
File created | C:\Program Files (x86)\Gamevance\gvff.tmp | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
File created | C:\Program Files (x86)\Gamevance\ars.cfg | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
File created | C:\Program Files (x86)\Gamevance\gamevancelib32.dll | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gamevance32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | gamevance32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | gamevance32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | gamevance32.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
-
Enumerates system info in registry 2 TTPs 7 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | gamevance32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | gamevance32.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Modifies registry class 26 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib | regsvr32.exe
-
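The Run-key and COM/BHO entries above are what a responder turns into a host check: the Run value gives the autostart command, the Browser Helper Objects key gives the CLSID, and that CLSID's InprocServer32 default value names the DLL that will actually be loaded (here gvtl.dll). The script below is an added example, not part of this report or of the sandbox's own tooling: it parses registry IoC lines in the format printed above (the sample lines are copied from this report and embedded as constructed input), undoes the doubled backslashes the report uses inside quoted values, and links each BHO CLSID to its on-disk module. It assumes the one-line "operation path [= "value"] process" layout shown here; other report formats will need a different pattern.

```python
import re
from typing import Dict, List, Optional

# Registry IoC lines copied from the "Adds Run key", "Installs/modifies Browser
# Helper Object" and "Modifies registry class" signatures of this report and
# embedded here as constructed sample input, so the script runs offline.
# Inside the quotes the report doubles backslashes, exactly as reproduced here.
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" regsvr32.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe',
]

# One report line: <operation> <registry path>[ = "<value>"] <process image>
# The path is matched lazily because it may contain spaces ("Browser Helper Objects").
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key opened|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<process>\S+)$'
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_ioc(line: str) -> Optional[dict]:
    """Split one IoC line into op, path, value (unescaped) and process; None if it does not match."""
    m = IOC_RE.match(line.strip())
    if m is None:
        return None
    ioc = m.groupdict()
    if ioc["value"] is not None:
        ioc["value"] = ioc["value"].replace("\\\\", "\\")  # undo the report's doubling
    return ioc


def extract_persistence(lines: List[str]) -> Dict[str, list]:
    """Collect Run-key autostarts and BHO registrations, resolving each BHO
    CLSID to the DLL named by its InprocServer32 default value."""
    run_keys: List[dict] = []
    bhos: Dict[str, dict] = {}
    inproc: Dict[str, str] = {}

    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        path, value, upper = ioc["path"], ioc["value"], ioc["path"].upper()

        if "\\CURRENTVERSION\\RUN\\" in upper and value is not None:
            run_keys.append({"name": path.rsplit("\\", 1)[1],
                             "command": value, "process": ioc["process"]})
            continue

        clsid_match = CLSID_RE.search(path)
        if clsid_match is None:
            continue
        clsid = clsid_match.group(0).upper()  # CLSIDs compare case-insensitively

        if "\\BROWSER HELPER OBJECTS\\" in upper:
            entry = bhos.setdefault(clsid, {
                "clsid": clsid, "name": None, "no_explorer": False,
                "dll": None, "registered_by": ioc["process"]})
            if value is None:
                continue
            if upper.endswith("\\NOEXPLORER"):
                entry["no_explorer"] = value == "1"
            elif upper.endswith("}\\"):        # the key's default value is the display name
                entry["name"] = value
        elif upper.endswith("\\INPROCSERVER32\\") and value is not None:
            inproc[clsid] = value             # default value = path of the COM server DLL

    for clsid, entry in bhos.items():
        entry["dll"] = inproc.get(clsid)      # None if the CLSID was never registered
    return {"run_keys": run_keys, "bhos": list(bhos.values())}


if __name__ == "__main__":
    found = extract_persistence(REGISTRY_IOCS)
    for rk in found["run_keys"]:
        print(f"Run key {rk['name']}: {rk['command']}  (written by {rk['process']})")
    for bho in found["bhos"]:
        print(f"BHO {bho['clsid']} '{bho['name']}' -> {bho['dll']}  "
              f"NoExplorer={bho['no_explorer']}  (registered by {bho['registered_by']})")
```

On a live host the same two joins apply: read the Run value, then for each CLSID under Browser Helper Objects look up its InprocServer32 default value (under WOW6432Node for a 32-bit BHO on 64-bit Windows, as here) and hash the DLL it points at rather than trusting the display name.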
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2924 | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe (all 64 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid | Process
1740 | msedge.exe (all 6 entries)
-
Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process
1740 | msedge.exe (all 25 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
1740 | msedge.exe (all 24 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs (identical entries collapsed; count = number of times each appears)
description | pid | Process | procid_target | count
PID 2924 wrote to memory of 3476 | 2924 | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | 89 | 3
PID 3476 wrote to memory of 2480 | 3476 | cmd.exe | 91 | 3
PID 2924 wrote to memory of 1440 | 2924 | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | 94 | 3
PID 1440 wrote to memory of 2724 | 1440 | cmd.exe | 96 | 3
PID 2924 wrote to memory of 1740 | 2924 | JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | 98 | 2
PID 1740 wrote to memory of 5084 | 1740 | msedge.exe | 99 | 2
PID 1740 wrote to memory of 2368 | 1740 | msedge.exe | 100 | 40
PID 1740 wrote to memory of 4056 | 1740 | msedge.exe | 101 | 2
PID 1740 wrote to memory of 4824 | 1740 | msedge.exe | 102 | 6
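All nine distinct writer/target pairs above are parent-to-child pairs that also appear in the Processes section, so in this run the signature reflects process creation rather than injection into a process the sample did not start; the useful view is therefore the deduplicated parent-to-child graph. The script below is an added example, not part of this report: it collapses the 64 entries (embedded as constructed input with the same repeat counts as above) into per-edge counts, finds the root, and renders the tree with image names taken from the Processes section. One caveat it makes visible: the signature shows exactly 64 entries, while the Processes section lists further Edge children (PIDs 1000, 5024, 3728, 4040, 4464, 4960, 4720, 3908, 3972) that never appear in it, so a tree built from this signature alone is incomplete and must be reconciled with the Processes section.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# The 64 WriteProcessMemory entries of this report, embedded as constructed
# sample input with the same repeat counts the report shows.
WPM_LINES = (
    ["PID 2924 wrote to memory of 3476 2924 JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe 89"] * 3
    + ["PID 3476 wrote to memory of 2480 3476 cmd.exe 91"] * 3
    + ["PID 2924 wrote to memory of 1440 2924 JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe 94"] * 3
    + ["PID 1440 wrote to memory of 2724 1440 cmd.exe 96"] * 3
    + ["PID 2924 wrote to memory of 1740 2924 JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe 98"] * 2
    + ["PID 1740 wrote to memory of 5084 1740 msedge.exe 99"] * 2
    + ["PID 1740 wrote to memory of 2368 1740 msedge.exe 100"] * 40
    + ["PID 1740 wrote to memory of 4056 1740 msedge.exe 101"] * 2
    + ["PID 1740 wrote to memory of 4824 1740 msedge.exe 102"] * 6
)

# PID -> image name, taken from the Processes section of this report.
IMAGES = {
    2924: "JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe",
    3476: "cmd.exe", 2480: "gamevance32.exe",
    1440: "cmd.exe", 2724: "regsvr32.exe",
    1740: "msedge.exe", 5084: "msedge.exe", 2368: "msedge.exe",
    4056: "msedge.exe", 4824: "msedge.exe",
}

# "PID <src> wrote to memory of <dst> <src> <src image> <target procid>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

Edge = Tuple[int, int]


def parse_edges(lines: List[str]) -> Dict[Edge, int]:
    """Collapse repeated entries into {(writer_pid, target_pid): occurrences}."""
    edges: Counter = Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m is None:
            continue  # ignore anything that is not a WriteProcessMemory entry
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(edges)


def build_tree(edges: Dict[Edge, int]) -> Tuple[List[int], Dict[int, List[Tuple[int, int]]]]:
    """Return the root PIDs (writers that were never written to) and, per PID,
    its children in ascending PID order, each paired with the write count."""
    children: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for (src, dst), count in sorted(edges.items()):
        children[src].append((dst, count))
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    return roots, dict(children)


def render_tree(edges: Dict[Edge, int], images: Dict[int, str]) -> List[str]:
    """Indented tree, one line per process, annotated with the write count from its parent."""
    roots, children = build_tree(edges)
    lines: List[str] = []

    def walk(pid: int, depth: int, count: int) -> None:
        note = f"  [{count} write(s) from parent]" if count else ""
        lines.append("    " * depth + f"{pid} {images.get(pid, '<not in Processes section>')}{note}")
        for child, child_count in children.get(pid, []):
            walk(child, depth + 1, child_count)

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_edges(WPM_LINES), IMAGES)))
```

The counts are worth keeping: three writes into each cmd.exe-spawned child versus forty into the Edge GPU process is a pattern of browser start-up, not of a stager, and a single edge into a PID that is absent from the Processes section would be the thing to chase.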
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe"
    PID: 2924
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
        PID: 3476
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Gamevance\gamevance32.exe
            Command line: "C:\Program Files (x86)\Gamevance\gamevance32.exe"
            PID: 2480
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Enumerates system info in registry

    C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
        PID: 1440
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regsvr32.exe
            Command line: regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
            PID: 2724
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
            - System Location Discovery: System Language Discovery
            - Modifies registry class

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8vQwsH0srLk8cix7OjixLLJ7s7W%2F8DHurO1urq7ssWwu7bGu7H%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
        PID: 1740
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5bc346f8,0x7ffd5bc34708,0x7ffd5bc34718
            PID: 5084

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
            PID: 2368

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
            PID: 4056

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
            PID: 4824

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
            PID: 1000

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
            PID: 5024

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
            PID: 3728

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
            PID: 4040

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
            PID: 4464

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
            PID: 4960

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
            PID: 4720

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
            PID: 3908

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
            PID: 3972

C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1420

C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3956
Network
MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Browser Extensions (1)
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads

Filesize: 53B
MD5: 97dea8c4ca77cecf7448de9c9a0090c2
SHA1: 85c2382bb8e53abe3ee188e05080056702d800cf
SHA256: 6e8d7bc117c8c99f5574d858d764f0fb6f5db2d386d911b1d675bce8da7e2761
SHA512: a55344b4ce19462729e6b7b9b7793358cadf640004091c3d99bd548ff09b3ed8f3ae2c0d4972284312b826515e86674d4a673101b96741531c3866b7b297d61e
-
Filesize: 107B
MD5: 55a5eeea01b9742dc901ee35ecb433fd
SHA1: 7989b368f58e4a012dde6a3848ce4360403ff172
SHA256: a9fd716d2b9f81b8b77e12249d142a6de2d6138e0b4fe38ec63a14b0afc692ea
SHA512: 09be1354b8dc23796c871b8d09b2b275943645d239c7a123ef5e5ebb8db0fe50d64e88f6d85e61ad775a1eab1cdce8ed9ff269fdf48566e25ea3e5501c7b68c4
-
Filesize: 165B
MD5: 5e495b0bd34b358df6e9599f0e4e1822
SHA1: 0a796f302515fc55acc3bc0aed9b08e4ce648bff
SHA256: b7803d8e2fc4ff20a9a374a7b857b335147a7732364ce22f553b76ce030e520e
SHA512: b7d78f57fa599947414b10afe05f5e1dc8e38ffd1730dbf3674b1053da354b5808acc5cd47dcbe3c1d1fa6c3e9a12e56ec71ddb87d4aafa19bd492eefa3fd3d3
-
Filesize: 235KB
MD5: 7c4638ec516a0f83abf97ca9e5294e3d
SHA1: 379c049164b272cdb0ab1581644845fc7c405f14
SHA256: ce5f6a79e1b9c88831c52e9dc0a5d75b78cdd706d8ee5418bc552f3f0671c465
SHA512: 7de72592bab456a48c5c82e1e5fd3371411af727a12b978c12048429834477e59bf3611b4e2380c9e5dfad70fbec3879d17af2c2ccff0eb9b7bca7fdcb0ccc17
-
Filesize: 207KB
MD5: 0664fa736f67a69b540efb81748b75eb
SHA1: 343de97ac1e0c988ce666c9ff0ba1ff3f9c2f509
SHA256: 5d72e2a90c1c9910d7ce9a8a34b0f608ce93faaefdaa5b16df4d00b424b0bb64
SHA512: abfcf97949f8da71b61fda65b03ccbc59f299b8f93b19699510963efbfa7950ff9197aa0f1b24c1087fd847213a25ded5267923e831a1a683014b4cb0b5c6fca
-
Filesize: 154KB
MD5: 016675c37e90e8761aa528884c0d961c
SHA1: df6056ed2ccfdd65c27970c40f243d18c7206c43
SHA256: 5ca7b8b39eb09b5dc2f349fc6d507d34deb5ac926b85997ee0fc6ad4ca69d101
SHA512: 1afb18453c181d7c5b660306b557d4f25ed9274e6b7c7bc983c72e65601e620e5d2402547c090e199666f39404ec2377f5060d441c5f0639b839b8135b4d3c00
-
Filesize: 266KB
MD5: 8e3cd24d80244913dd5e74ad7e2d84c5
SHA1: a096cddedf62a29ddf572f94a0671b6cb1c2e4dd
SHA256: 389fcb02005da287f046b174d1e94fd9058efe2d52e9458c53a2166c99eac885
SHA512: d35088a027a057511e71cdb06bea292099fba3ee1e0f94f0aed35c9d953b2a9e710401e364a329f5857f2607e784e99671710fa0ecc4d7821736d65347aa7519
-
Filesize: 152B
MD5: 7de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1: 010da169e15457c25bd80ef02d76a940c1210301
SHA256: 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512: e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize: 152B
MD5: 85ba073d7015b6ce7da19235a275f6da
SHA1: a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA256: 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512: eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize: 6KB
MD5: 36755dd5819b65b1f9e5fe6ee343afbb
SHA1: 2893f8667dda807b58cd0a35f7396b6860db78a7
SHA256: c840f5ed02897f1789a021fadf32fdef20a2ccc99e74d61228a36bc136dcfe19
SHA512: 0136453987fa07528764d1e125f18f3dab43b08afd11f8764eb9952b9bc06727da8a9a9f7b528f30e68dc1c9842745bcf1a96b6af37f2a832eb31978d590a199
-
Filesize: 5KB
MD5: ac81dd45a39c4f0133f18983ad155f6f
SHA1: 355056789a1cfa5249d3d900f46154122e7522d5
SHA256: cd08941efc49548d3e1941e87147494f95594e96b22b264a7d363f515465ea27
SHA512: 8fa9f0efd100c484a5eb977982829472da4ef620c331016109ae2d8151c818154e734f3f556d15effb6aea947cab78752fa5c7335c3fb649aea821ebdc07c2f2
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 10KB
MD5: d176e37acc6bd6a61deb0dcd122d0870
SHA1: 450fbb36a3b0038af6051ea18f29de8638b80bee
SHA256: 83c6cef6b1c134bbbef482e77d66f214d0706126178f7735ce394cc66d7c1879
SHA512: 948668bb7a5637a4d3120cd997f429e4b16b683b86c09e61ef2589aedb7ff53b231378c2d1c4f23a4fdf8ff6549b8294a205df3688cfc226fb2ff68ff192b252