Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 12:28

General

  • Target

    JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe

  • Size

    2.1MB

  • MD5

    c7cf059aeb75b6b322aa6e214f6ecedb

  • SHA1

    d21d65268b7c6844545c0cbd870e6d1fc278e41e

  • SHA256

    a02dc11524f2e6861d13e1901635669e6d5b49e88996df84e9c0271cc8fc88c9

  • SHA512

    86e65315039134f338ce0dff0c511f02f51e683edaf22d5c55490dc72f30f992319ef803f713c2be88a02951b6abec98c20fd6b6b8af032c00606445038eeb11

  • SSDEEP

    49152:LejPDPnwqB4WcAssPeWZLkjhVdSV/zHQiuxR+vSXkzbgXwRV:yjPDh4nAtkvOzHQnxAvvzbgXw/

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Program Files (x86)\Gamevance\gamevance32.exe
        "C:\Program Files (x86)\Gamevance\gamevance32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2688
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8uwwsH0srLyzfLi9PPlsPHq8Lfq%2F8bHxcbCssCxurW3sMaysbX%2Fo%2F%2Bzs7Oys7Ozs%2F%2FMyA
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1656

        Downloads
