Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 19/01/2025, 12:28
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Size: 2.1MB
MD5: c7cf059aeb75b6b322aa6e214f6ecedb
SHA1: d21d65268b7c6844545c0cbd870e6d1fc278e41e
SHA256: a02dc11524f2e6861d13e1901635669e6d5b49e88996df84e9c0271cc8fc88c9
SHA512: 86e65315039134f338ce0dff0c511f02f51e683edaf22d5c55490dc72f30f992319ef803f713c2be88a02951b6abec98c20fd6b6b8af032c00606445038eeb11
SSDEEP: 49152:LejPDPnwqB4WcAssPeWZLkjhVdSV/zHQiuxR+vSXkzbgXwRV:yjPDh4nAtkvOzHQnxAvvzbgXw/
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid | Process
- 1236 | gamevance32.exe
Loads dropped DLL 3 IoCs
pid | Process
- 4740 | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- 1236 | gamevance32.exe
- 540 | regsvr32.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1" | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | regsvr32.exe
Drops file in Program Files directory 9 IoCs
description | ioc | Process
- File created | C:\Program Files (x86)\Gamevance\ars.cfg | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- File created | C:\Program Files (x86)\Gamevance\gamevance32.exe | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- File opened for modification | C:\Program Files (x86)\Gamevance\ars.cfg | gamevance32.exe
- File created | C:\Program Files (x86)\Gamevance\gvtl.dll | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- File created | C:\Program Files (x86)\Gamevance\gvff.tmp | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- File created | C:\Program Files (x86)\Gamevance\gamevancelib32.dll | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- File created | C:\Program Files (x86)\Gamevance\gvun.exe | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- File opened for modification | C:\Program Files (x86)\Gamevance\ars.cfg | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- File created | C:\Program Files (x86)\Gamevance\icon.ico | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gamevance32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | gamevance32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | gamevance32.exe
- Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | gamevance32.exe
Enumerates system info in registry 2 TTPs 7 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | gamevance32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | gamevance32.exe
- Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Modifies registry class 31 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll" | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment" | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32 | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID | regsvr32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 4740 | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe (64 identical rows)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid | Process
- 2208 | msedge.exe (6 identical rows)
Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process
- 2208 | msedge.exe (25 identical rows)
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
- 2208 | msedge.exe (24 identical rows)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (repeated identical rows collapsed to one each)
- PID 4740 wrote to memory of 4812 | 4740 | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe | 82
- PID 4812 wrote to memory of 1236 | 4812 | cmd.exe | 84
- PID 4740 wrote to memory of 1340 | 4740 | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe | 85
- PID 1340 wrote to memory of 540 | 1340 | cmd.exe | 87
- PID 4740 wrote to memory of 2208 | 4740 | JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe | 88
- PID 2208 wrote to memory of 5000 | 2208 | msedge.exe | 89
- PID 2208 wrote to memory of 3496 | 2208 | msedge.exe | 90
- PID 2208 wrote to memory of 4996 | 2208 | msedge.exe | 91
- PID 2208 wrote to memory of 2496 | 2208 | msedge.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4740
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4812
        C:\Program Files (x86)\Gamevance\gamevance32.exe
          Command line: "C:\Program Files (x86)\Gamevance\gamevance32.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Enumerates system info in registry
          PID: 1236
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1340
        C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          PID: 540
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8uwwsH0srLyzfLi9PPlsPHq8Lfq%2F8a7tcLBura1tbSyt7TCwLr%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2208
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9afde46f8,0x7ff9afde4708,0x7ff9afde4718
          PID: 5000
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
          PID: 3496
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
          PID: 4996
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
          PID: 2496
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
          PID: 2680
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
          PID: 3952
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
          PID: 4824
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
          PID: 4716
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
          PID: 2344
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
          PID: 2256
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
          PID: 1704
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
          PID: 4708
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5276 /prefetch:2
          PID: 3668
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3584
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4056
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
- Filesize: 53B
  MD5: 024b74eb5bdbf2e9063f99b9fa8fa64b
  SHA1: bc9208857bb5c84f070f742379f0dbd80cd0a122
  SHA256: e0bdfdb3ec764e6282bb557dd9469563770995cf358689481b2e3c6d9c0d2f9d
  SHA512: 8e4366a01945a6f1f1fd2010ff9462f39dfff028f5cf42e1af04becd2ca87d3fc90e556b5b2c5afa11294684150bcf0cc477733495a8ddecd5b730e1fd7a21cc
- Filesize: 95B
  MD5: a05d51c08dc6ac2f2e63437cfe732c65
  SHA1: 98ab2bf23d934745e02fab15bb6cf09a245e92f7
  SHA256: c2050c07d4b5e729350d8bc9592ca94b758f90449b63a5cd869d56cabbf0eb10
  SHA512: b3bcb17ca94cb48eebea2a1d548375f6537356d903f71be7af51b2229ce9dba62918b87b64533fd6a58b0712c4aac8b97fa06947fa2dc9a1a8a00daa130975f7
- Filesize: 107B
  MD5: cbcdd305c8deb1e8eb68720493a405c3
  SHA1: d6a83635866e077dcff2cdab1ade3941665e1c81
  SHA256: a20bacff4b42e76b715e47a56270513e4755e126b24fe15d268d1efe0263e723
  SHA512: 5707b1b7d720bd1bbe7b3b04b5bb11058428c05b325f8a98b4b7e1d3c59cb64b3af5ba926bdcdea3dcd7d7fd86488053946733a28f9a2a69340ba82fe9235294
- Filesize: 164B
  MD5: 88ad61547ce8e9b53ab91dc230cb7b7b
  SHA1: 0f606deaba8dc56641ccada52905effa4b8e3636
  SHA256: 31dd65907f086d590b10fedcef1c45b11ebb344a2e7380e9e4c4ffa8c4a67fc9
  SHA512: 6beabfb07d7d77805b1c099b20ee34ea443596f1f2f0bc9ee810cf752cfb77a0b05f4bb882a7b4b12ef02cc5e5398742c2925bac706bdcf15231ab43c6abe5b7
- Filesize: 232KB
  MD5: e5f579a3df3eadf404c2b5c5abaf0ac7
  SHA1: 2dec74baf9ecc106674ae51111bdefa2ce351504
  SHA256: 95d3f0fc59d97e2ad980ce791d62923540d27fb433a82d2c0012b6a7ef1ceae4
  SHA512: 3cd3d4aefa733ba1983b4e2f59b5ba948abbe236fff6c74a794c86d4b8e79d41ffd011b296239d77c67019d6b2b1fdfb6dcc088566a09b02edc94ffa760de08d
- Filesize: 230KB
  MD5: f7e8b98c9b0ab72766c1115006f82bd4
  SHA1: 49b78bd54501e2e3affb2f5822ca6e4c6653cf20
  SHA256: 5ebd587308ea604f8ea743d3e3042efa8a5af9c48c99fa1b2d9eb4b40583a62d
  SHA512: fc1df14ac0a1bc7a8442e18d0c73c3510853ff6e5f0141f71c5eb9a6bac23a3e35866ddbf3404c8c993ca4b4335fee97688aecdf1941efad9d3a757a9921ed02
- Filesize: 264KB
  MD5: 11f314dd3f2065861795dc2fc87546a7
  SHA1: b55f49ba59ccd222ba66c23b49658bf95a59ddd7
  SHA256: 42875bb3bd897c426ef0fe844dc67a1d580be23163fa041cf22e3116d468e7c4
  SHA512: 0a5d1ee83820df623d3244dcb912262506cde1136a31923fdccfd233eb72e329da4877ed25d1d72b47b988d10a02af6e1d88b706938c09b59a15f3b349d9e007
- Filesize: 259KB
  MD5: c3358024c25ce2d2b9f9d2d92d961358
  SHA1: b3d82b21db79364db25af0c7bc0ee01aab022302
  SHA256: 0f4a97faee0aa2f896dc89e88eb95ed9a427f5ff374a734ca88e0e2574d30a80
  SHA512: 8cecf4bff3882ade46fde1d3e2593895133bc1d21d6dd6bb2dfc5a8c5ddcbddf496e971bf92fd498cb1142485ab9307a2752c0c59c71d29a889e93383b93e7e6
- Filesize: 152B
  MD5: b8880802fc2bb880a7a869faa01315b0
  SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
  SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
  SHA512: e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
- Filesize: 152B
  MD5: ba6ef346187b40694d493da98d5da979
  SHA1: 643c15bec043f8673943885199bb06cd1652ee37
  SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
  SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
- Filesize: 5KB
  MD5: 76e5b2f4e5d0d9a86de3fb1e447ee7aa
  SHA1: a595317a407125c4a69ba1daf9ff7ebb8086b746
  SHA256: 8c383650892cee63c66cb92d2e31aaf98c180d5d11a5f5348239073d8cd2912e
  SHA512: 81db7bf56b36ea06236be91efdd26ccc52a8705968d9f393fd4223165fa914e5d8b8ac8dfdff85228c20ec0a1f2591b3b40fe0cdab5de38268c372d875ba7bc2
- Filesize: 6KB
  MD5: 16f4d18e6a9e71b99932d1455e4c4500
  SHA1: 1548f9ab2a0cbdaa760c233ef09c345dfb2fad3d
  SHA256: 78d20ea1e6f684ce58813253aed40125d2fdc610b426f51c52acd55e576abbbd
  SHA512: 4754053fad154ff696a1c6352e8c88b20e54c04049a59d839daa0269ff3e037b7b90fccf159726baca6697864a67c96ac239beb43e4e7a171be6811d8ad692b9
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 10KB
  MD5: a9723af74a6d91e02f197d6c3426a0c7
  SHA1: ab0489bddf5c8e6d9ec1ae135a2b717e46924e6e
  SHA256: 464d6dfdc61f47c9e7a727fed6065045401be0074e2597604f8bd860f5950cc8
  SHA512: 130c878269d91f65d61f829450645c0691bdaa1d8a7874961d1b86abe7e306e030d4e673a9a28101a30c1fa6cabe0c78cc003843fac0711aeea742f84d2d2e0f