Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 12:20

General

  • Target

    JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe

  • Size

    2.2MB

  • MD5

    c7a1ca0494dfe29af1bcda95bbba62bd

  • SHA1

    0655e57ae451a5df2a3cdac24a3c12cea0a352b1

  • SHA256

    170f244f5040337b0c5919e3fce1f6c3d9cefbb6ec05531c3c92ac501a1e92e7

  • SHA512

    1fe05c8af2fdd76837d6e69cb2859d056b172e3e5b2571ed8676fda299f9f04262152a618828bc96ac7821cd0d6a266629cd5986467d1974654a62824e82bf56

  • SSDEEP

    49152:++7plv3oZz1m/WOVwPuNcIO6QOnIqno7IJg9N2AtI2DON:zpp3oZ8eYK+QOVnMIJgG+I4Q

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Program Files (x86)\Gamevance\gamevance32.exe
        "C:\Program Files (x86)\Gamevance\gamevance32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2736
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:696
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8rHwsH0srLK0M%2FL0dfKzrHk0uHL%2F7G7s8Kzs7K3tLrHtrqzwcb%2Fo%2F%2Bzs7Oys7Ozs%2F%2FMyA
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1440

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Gamevance\ars.cfg

          Filesize

          95B

          MD5

          fc384ff7e53d059d8f896ac0e0cb7154

          SHA1

          f0036a4ba7732e258151f661d1441be4b185bf62

          SHA256

          7810cf62a304899d8ae93d8078dc66226aceb5f6fc1395a687fd7aaf660694e8

          SHA512

          37fd4e8d7fb428fda8eb84ac8e233db170f1c68812a5e22e13fe105f39391704bdce9b447438cfccb47dad7316d0c402cd46532d14b416c59efeeb82a6236f61

        • C:\Program Files (x86)\Gamevance\ars.cfg

          Filesize

          107B

          MD5

          d323db5135cf6272a602a9f3ac1f5829

          SHA1

          a059ec65f7a45fb2b98aab00386d28b8bcee8aa0

          SHA256

          f96de2c4d6abb48f74aecb048ef9675d40da7e43666960afc22330be77725acb

          SHA512

          db88ed4404b8156ca192d6fd4fe2c51bbe3ce225764851cd5e6ca02edac0fe0981575112cd905c6be48624f7abaf06709094299c171d671a68638f10baa6720f

        • C:\Program Files (x86)\Gamevance\ars.cfg

          Filesize

          166B

          MD5

          4d3feb43ed328e6f3d24cc8cf92e461a

          SHA1

          f4bc06928c14037433b02808d3d6faeb57acac46

          SHA256

          ff5b33bd6359c9dbd71525919419c132ab64eec252a43845019ddbb3c6f6b02e

          SHA512

          83635ecd89c0a45cc925f1482834b21d485c343b6fc06429d64ff4bed3857c5c419050eb76ad2faf4b5451ec4da9af31ec3ecaba9320a7e04a8aaacd8e8365fe

        • C:\Program Files (x86)\Gamevance\gvtl.dll

          Filesize

          269KB

          MD5

          43be89de704ecea3000c6baed53680f9

          SHA1

          7847c83377f5cae6fc4cc5cb8335edf424598abb

          SHA256

          9509317f20ffa2b8451773c3a71af1e1148a0f66f8a00af00e97e03a8379183e

          SHA512

          a096e1092f56b1cd4164883e9169d53ed5f3a133276a2099fc3ee28ff1ea2fee07dae619fc488bc73d79e09f952173589213257418bcf4a57e8793e7c9116e09

        • C:\Program Files (x86)\Gamevance\gvun.exe

          Filesize

          267KB

          MD5

          09a266a5beb4f75e61e866dd21adb9ea

          SHA1

          4b0ef3d3ccfb54116aba706b281ba55ab6814d01

          SHA256

          51e0a1f158476630a3eda0a4add10e5916154660b2e0dc043de38d992963815f

          SHA512

          14f311ce1510a96937b64b66b4c30832c6a7c5ed8ba27d1dd302360ae5ef0f562e10c0e1b5bf2f5afde1bf8fafad32bf460a8874ffb126db7e2fd8417f362bb4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          68433c1892f316d5f9b3e42664cc0dcd

          SHA1

          2d5a56137f2047c540319445b8038471a589034f

          SHA256

          4edce67bd91e528f0dc0ad3c6bd0682018e1c7e002b08b33ffa5fb155dd6dff3

          SHA512

          2f98d3533600a0b2800d445bcd0daa0b920bd1b472fc3f14541528a01f9598e4e63de0ba5ca2cc0fe586da033cbeeb377da01afa964d62fcb659a428895e63c7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          dc92968ffc79a1b05501ba24bfdbb095

          SHA1

          44f94b7d32c75df55bda4eddded6dec9c9cf6ecb

          SHA256

          3f8bc6b610969d35facacd20d441e9911415c5edce19849ffa05a5c245211016

          SHA512

          ed5cd05ed069232f247b0adf8bf78cc85e8722c1303aacd01599c1dee4b39b22625f26fb6074112bce2692642a4400eae8fe7b93bbb4e60392f96390deffb100

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          16e56a75d521c6db6aa3b752d78a424b

          SHA1

          955ffa3c00f73ed43418f440c71864e2cc5bd23d

          SHA256

          b5a4c8649471b8203ff28864c62fae6bd31e1e2d22e57a38a92bc0cce7c13151

          SHA512

          fc0de0b75e5ff3963e19e4cebcdda6dfc5ad8771cc1d7f63c26bef4a60704af28be28894c304000ee220138fcb9d5241ea0a3689aada5d50b77cf5fed5fc3695

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8b07f58b8669227dec46ef032ef194b5

          SHA1

          1f009af4fc542a61853df3430b5a92ef0e27f78d

          SHA256

          790607c412dfff4d7347f9c195713207d588bd6c28170674803f52f43e3f0af3

          SHA512

          1a45bf00e29279ed9c2aec43646e1fdacf28cb47ae6ec86d8a808ea19ad74245404e04ae2d3f62a7fe977330f8607a0e2c47397442c262f40a91caea74d7ab74

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          93815afb11c2ba960067c84a00860047

          SHA1

          564b723ebd406d8525339f033582a3fc20174589

          SHA256

          0cfc8b2fc6f7bea140f4d48fab38f8dfbdaca6ceda18f121b1ea19e6c9bfb6c7

          SHA512

          6e685904a6ece4a0894f8be0de47fc6feade0ded93337098b54b7ec24a0f2fe779f53436724d405c10690f4d9859f3f441658426db4a84637d6a212c8ab6325b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          44aa258775084489ee8fc000e1a3abf3

          SHA1

          cdb5f7eb8f965bdd828505bd725508b293b1c39b

          SHA256

          0b59413d7b29132f70036192dbced90d4bdc1784565817280bdd2aa07e9be251

          SHA512

          f92a3a3010eb8d9da0a6bc3b489e866d0f5729d6891d7304203cef38d34340fd4fb5366a1bdbd2adbcf4b361d8eb1dce48116679f42f0e788db01607f63228e1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8f43eb39b5a119673cfcd32411c594f9

          SHA1

          3558e5d25fdf02f31f07237481b6ea071157fd5e

          SHA256

          ae10250bd0c0b4f56f0f8710c33cef91de73a3cfe1e55f655bb450eff9c1a787

          SHA512

          8569fd874ca9323c9e52e18ddc287c13daa623452bf33d7fd0299f0e4e3a2c4ecc7d72b073dd62a31a0c557c6abc795afc921b51bc517450ad006ab435a6537a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          a26da2687b5b6ea182b8bd5483248807

          SHA1

          7c91751f9b9e790a72e53292ec85e54dcf152cdf

          SHA256

          94af59a9b303c6575b6458ef2c306b032838015350fbe26a5067dc45b911804c

          SHA512

          ab00224bf648cd4c784da5dd9ede63aa6facebaab017e7cd44f647990be242f1dee109bd27a7a9b800ceaed0e4ef259115546d9d850d5a6fc14f9544fcfd5fc1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          159230703b4391707d9cd5bfbd36b549

          SHA1

          4f873b625e196590559fde6a8fdc368848fc334f

          SHA256

          0bd3389494ac3623faedd3cad771eed910ec9f4c139f52a7947e972bc3a27b9c

          SHA512

          892b474a5861572edf085508599f5521ccb63e1ea884f2be03f0f1a4c74ac48b9a10eafe0410ad360e5d5e5465bfdd5e0bbe7687d4b815635f41557d86f954e8

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          3fdb935a06e2ea5a7ea20c9c3869b7fa

          SHA1

          d2d62e26fedd304fdd5da09d1a58b12e5991d1ae

          SHA256

          e37ce8b7d9c1d5032b217123822df02d5150327a83682c4b6147e43246d71255

          SHA512

          2ca0f1a1569856e5c032af20df62ab0283b1dc98ddf122171e0f7b0a68a9c002cf3dce0728ac54dff5e79b511e990fe963fc60bea92d8195a0024e2d54a5f4e1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4197a5695887f26107203fbf817ac0a1

          SHA1

          d5d50e2f2a2e3354a723ad51d6a12d1d03751e6a

          SHA256

          3c93a2975727b6b2915fb8162877d013402b1ae2fc02508fd80019ebcf91145c

          SHA512

          5c5f1cf1554e42b639f88e38f10e5370b78bb1c8d66d49df261d1304fd64af6a78237945033f211e662470401e91f9f62ba28875c90040514472304c178a4af6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          0aa00ee6a7905d59232dfae48f68444b

          SHA1

          fb078e6255219b6c0cf38dca97bde33182c03459

          SHA256

          827e7cfc4165ad5743290e813612375254243dd820f35540f40dcc934e210d59

          SHA512

          e937f36c3bcac4cdf7787f0646266862c1d2defbb72356dad8645eecc8d583c6f50241e96f4f010c160c050eeb20863bed3e34eeb589e4639513650169c9ab20

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          b396e04aacc743d27b2cb383222b8578

          SHA1

          bb40305fadd166f59e6b0c1a3c59148d6aeb57b3

          SHA256

          279ffcf532b432ca875026c404388f06e76bd806dfc9d09cb2359c4a5acd83eb

          SHA512

          abb9cff77c734d813f3a6cabb8003042361f98f7d1b588d9ea01be41305b592c9c2eb2163965c18acfbd9c38c94eef240dc485525e9b4336955f6887900144df

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          3eedf51bad286bb871270c5a69c03fbe

          SHA1

          6e41aa169ecdef0411d5a1304747c171c6e9e5f4

          SHA256

          73136c10be0ca37de1c82b71a32603187e6525c132cefc0f4531c90048385c91

          SHA512

          70d07099b820629218c1efc5659fa96d8f419b970ee72d4873b7682709b1e1b8711bdd03527229b3cefe30f046b756e9c64031c9b3a72478b5dab53a4074552b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          993df4f64eab2c8e0c20358aed6a47f1

          SHA1

          c2a9e18860cb599d838a05f3726642f528421e5b

          SHA256

          818f917ec1a2063b020732d6d0af684ad12eff2cf10fd9ace29ae60c47af13eb

          SHA512

          c21397874e07e689326fde184cce6acbcf8c9761d05b3d00c7d89394121d48f23150912b352ca758b9662838992f40400dd8cc241ae2ddddb139bdbcb0d9badd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          83c5539000f810e073c06d8c99ea89b8

          SHA1

          ac271772366136a3462a8d7ea710b42f2879776c

          SHA256

          d21c1c666421b4e83ee5f06f90c344f0b0e06575bba08b96fa83b0e20d1c5788

          SHA512

          0e6bfdf52cdcbf1785c3950beb031ed4b0a56d0de67774218e365b2cee0b6a5d2151409e29f3f29e90a8817fbd77233e7a672bc81419bdd0702dd53c825785bf

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          b9b579e1e196451c33512416b547c577

          SHA1

          bc66a99b56cae4c55a3f7b5a8dce5001ef9a2935

          SHA256

          b2cb0345b345892e5ab3e2082f263a565d5d4c4aeb9e4740dbab0225e9f5e176

          SHA512

          c9eefca574bc0e91449d0caace6e5a898426aa491fa52aedd70e41cbff74684bbc57fb923cebe0c74a49bfd1b45fdf3e8beadd80e46126c51641fbe62327c86f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8dcb4c006582d20761db1adda59dc8fa

          SHA1

          f99172c187e8e51f3434ee3fcca2349f7f1016f6

          SHA256

          d9cce782a180d435d68e0c4505cad0211ac493987e7b1143b7b778c66eb92223

          SHA512

          35bdf2d8446fa51ffaa9d28d80a05f8a4daf6a5623d50a2c88b79a3014d07f4e61cadae162e3bbd1eb9214aace725df54b00918f355f9a06f09ad440bd1cefc1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          9dc7055b16095c13cacda7264f81f351

          SHA1

          22a9be2342f1d00f6e1be7bf6a493f60c71ccca3

          SHA256

          4a9f3e36d02ae657020cf28fc3aa307059f72e5e17c85a0c5e2a23012f729e0f

          SHA512

          b7c7c047d635dbcb483d0fa6c1078421f1bee63c00c007ec987401a546f8eb9c534f1d26368be6e77c8a33e1300917ed031b148ed9102534dac414ceb5715fb5

        • C:\Users\Admin\AppData\Local\Temp\Cab99D1.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\Tar9A91.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • \Program Files (x86)\Gamevance\gamevance32.exe

          Filesize

          234KB

          MD5

          2d6cb47b2aadf2d7c5fd2f1559938157

          SHA1

          ca4a51904662d7482a24dad09cadef93f7a418eb

          SHA256

          c788788f1b98d94b8fab20033950a3336cb1eb8050bc0adb02ce88ad94de1abd

          SHA512

          8cb19ef4388058cfe4a2ce53e2df411fbc91523ba669bd757bd4429c45b3499c36af57023624ba52c041c1ccbbafdb02fabb44b08314a33457df7bf11b76f06e

        • \Program Files (x86)\Gamevance\gamevancelib32.dll

          Filesize

          237KB

          MD5

          48cefc371ef39cf96d3f37cd0f70bd5d

          SHA1

          d3d75f6398ea4d7bee64bc7275aa74e142f7e092

          SHA256

          667a92f10015a29a5126360c9ad031b71de302eab6cc32598eff17652a5ce1e4

          SHA512

          beda67d9d445f85e04fc1d3b3fb3d31bd19b0f89bfd0a5b4b0d211e27f6b9e1ec95990e55e1268d622e344ac6395b353ba2b77ab7ecade2bfc1ab3b3d0eae796