Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/01/2025, 12:20
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Resource: win10v2004-20241007-en
General
  Target: JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Size: 2.2MB
  MD5: c7a1ca0494dfe29af1bcda95bbba62bd
  SHA1: 0655e57ae451a5df2a3cdac24a3c12cea0a352b1
  SHA256: 170f244f5040337b0c5919e3fce1f6c3d9cefbb6ec05531c3c92ac501a1e92e7
  SHA512: 1fe05c8af2fdd76837d6e69cb2859d056b172e3e5b2571ed8676fda299f9f04262152a618828bc96ac7821cd0d6a266629cd5986467d1974654a62824e82bf56
  SSDEEP: 49152:++7plv3oZz1m/WOVwPuNcIO6QOnIqno7IJg9N2AtI2DON:zpp3oZ8eYK+QOVnMIJgG+I4Q
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid | Process
  640 | gamevance32.exe
-
Loads dropped DLL (3 IoCs)
  pid | Process
  4860 | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  640 | gamevance32.exe
  4796 | regsvr32.exe
-
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
-
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1" | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | regsvr32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
-
Drops file in Program Files directory (9 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Gamevance\gamevancelib32.dll | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created | C:\Program Files (x86)\Gamevance\gamevance32.exe | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File opened for modification | C:\Program Files (x86)\Gamevance\ars.cfg | gamevance32.exe
  File created | C:\Program Files (x86)\Gamevance\icon.ico | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created | C:\Program Files (x86)\Gamevance\gvtl.dll | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created | C:\Program Files (x86)\Gamevance\gvff.tmp | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created | C:\Program Files (x86)\Gamevance\ars.cfg | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created | C:\Program Files (x86)\Gamevance\gvun.exe | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File opened for modification | C:\Program Files (x86)\Gamevance\ars.cfg | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gamevance32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | gamevance32.exe
  Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | gamevance32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | gamevance32.exe
-
Enumerates system info in registry (2 TTPs, 7 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | gamevance32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | gamevance32.exe
  Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
-
Modifies registry class (31 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment" | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll" | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32 | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 | regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4860 | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe (64 identical entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process
  1844 | msedge.exe (6 identical entries)
-
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process
  1844 | msedge.exe (25 identical entries)
-
Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  1844 | msedge.exe (24 identical entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4860 wrote to memory of 712 | 4860 | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | 86 (3 entries)
  PID 712 wrote to memory of 640 | 712 | cmd.exe | 88 (3 entries)
  PID 4860 wrote to memory of 1652 | 4860 | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | 89 (3 entries)
  PID 1652 wrote to memory of 4796 | 1652 | cmd.exe | 91 (3 entries)
  PID 4860 wrote to memory of 1844 | 4860 | JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | 95 (2 entries)
  PID 1844 wrote to memory of 2728 | 1844 | msedge.exe | 96 (2 entries)
  PID 1844 wrote to memory of 4648 | 1844 | msedge.exe | 97 (40 entries)
  PID 1844 wrote to memory of 4060 | 1844 | msedge.exe | 98 (2 entries)
  PID 1844 wrote to memory of 4636 | 1844 | msedge.exe | 99 (6 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe"
  PID: 4860
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
      PID: 712
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Gamevance\gamevance32.exe
          Command line: "C:\Program Files (x86)\Gamevance\gamevance32.exe"
          PID: 640
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Enumerates system info in registry

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
      PID: 1652
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
          PID: 4796
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
          - System Location Discovery: System Language Discovery
          - Modifies registry class

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8rHwsH0srLK0M%2FL0dfKzrHk0uHL%2F7HFs8a1usW1sca2wMe6srD%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
      PID: 1844
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1efb46f8,0x7ffc1efb4708,0x7ffc1efb4718
          PID: 2728

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
          PID: 4648

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
          PID: 4060

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
          PID: 4636

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
          PID: 3436

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
          PID: 3620

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
          PID: 1072

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
          PID: 3640

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
          PID: 2224

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
          PID: 2272

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
          PID: 772

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
          PID: 1972

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:2
          PID: 3904
-
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3244
-
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3448
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Browser Extensions (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads