Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2025, 19:19

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Size: 1.9MB
MD5: d0ad32489cb94443b7c441d455a267d3
SHA1: 7d8dc87deb71736947d765dbd5f00058f026cb46
SHA256: 4b8e02e55cbd79b06a6e34dac839cc7f60cec7f5199ad65f1478d9594a164f22
SHA512: 57e3c8548d3f1865224e170a8b91065229ea7486806005c5ef979372d31b02947b6e9693120df49eb6add641d656b825bad7a620e76fd9c3ec2f02d074fac060
SSDEEP: 49152:sD8QbBnW5oGvmx4UJASuA4wDinashps9AzV1pCh9mLsvW:LSBnW5d+lub3asPs9S7pcre
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid | Process
1616 | gamevance32.exe

Loads dropped DLL 3 IoCs
pid | Process
4832 | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
1616 | gamevance32.exe
1432 | regsvr32.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
This is a machine-wide (HKLM) Run entry, so the dropped gamevance32.exe is started with the argument "a" at every user logon. The WOW6432Node path is the redirected view of HKLM\SOFTWARE that a 32-bit process gets on x64 Windows; the installer itself runs under SysWOW64 (see the process tree).
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer. Internet Explorer loads every DLL registered under the Browser Helper Objects key when it starts, so a BHO entry is both a persistence mechanism and a hook inside the browser session (the ATT&CK mapping below files it under Browser Extensions).
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" | regsvr32.exe
The CLSID registered here resolves through its InprocServer32 value (listed under "Modifies registry class") to C:\Program Files (x86)\Gamevance\gvtl.dll, the dropped DLL that cmd.exe handed to regsvr32.exe /s. NoExplorer = 1 stops Windows Explorer from loading the object, so it is loaded into Internet Explorer only.

Drops file in Program Files directory 9 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Gamevance\ars.cfg | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
File created | C:\Program Files (x86)\Gamevance\gamevance32.exe | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
File opened for modification | C:\Program Files (x86)\Gamevance\ars.cfg | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
File created | C:\Program Files (x86)\Gamevance\gvff.tmp | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
File created | C:\Program Files (x86)\Gamevance\gvtl.dll | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
File created | C:\Program Files (x86)\Gamevance\gamevancelib32.dll | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
File created | C:\Program Files (x86)\Gamevance\gvun.exe | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
File opened for modification | C:\Program Files (x86)\Gamevance\ars.cfg | gamevance32.exe
File created | C:\Program Files (x86)\Gamevance\icon.ico | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Writing into Program Files (x86) requires administrator rights, which matches the HKLM registry writes above: this run executed elevated.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gamevance32.exe

Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | gamevance32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | gamevance32.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | gamevance32.exe

Enumerates system info in registry 2 TTPs 7 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | gamevance32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | gamevance32.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Note that three of the seven BIOS reads come from msedge.exe, which the sample launched to open a gamevance.com URL; only the BaseBoardProduct queries are the sample's and gamevance32.exe's own.
Modifies registry class 26 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" | regsvr32.exe
Taken together these are an ordinary COM in-process server registration (ProgID, version-independent ProgID, CLSID, InprocServer32, TypeLib) for the dropped gvtl.dll, written when regsvr32.exe /s called the DLL's DllRegisterServer. The InprocServer32 default value is the link between the BHO CLSID above and the file on disk.
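The Run key, Browser Helper Object and CLSID records above can be correlated mechanically rather than by eye. The script below is an added example and not part of the sandbox output: it parses a constructed subset of this report's own IoC lines (one record per line, whereas the report prints them run together), resolves the Run value to its executable and the BHO CLSID to its InprocServer32 DLL, and checks whether each of those files is one the sample dropped. The record grammar it assumes is the one visible in the tables above (`Set value (type) <path> = "<value>" <process>`, `Key created <path> <process>`, `File created <path> <process>`); any other report layout would need its regexes adjusted.

```python
"""Correlate flattened sandbox registry/file IoCs into persistence findings.

Added example, not part of the sandbox output.  Record grammar assumed (as
printed in the report's 'description ioc Process' tables):
    Set value (<type>) <registry path> = "<value>" <process>
    Key created <registry path> <process>
    File created <file path> <process>
"""
import re

# Constructed sample: a subset of this report's own IoC records, one per
# line.  Backslashes inside quoted values are doubled, as the report prints them.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} regsvr32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
File created C:\Program Files (x86)\Gamevance\gamevance32.exe JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
File created C:\Program Files (x86)\Gamevance\gvtl.dll JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
'''

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key (?:created|opened) (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File created (?P<path>[A-Za-z]:\\.+) (?P<proc>\S+)$')
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$', re.I)
BHO_RE = re.compile(r'\\Browser Helper Objects\\(?P<clsid>\{[0-9A-F-]+\})', re.I)
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InprocServer32\\$', re.I)
# First image path in a Run value; anything after .exe/.dll is an argument.
IMAGE_RE = re.compile(r'^"?(?P<image>[A-Za-z]:\\.*?\.(?:exe|dll))"?', re.I)


def parse_records(text):
    """Split IoC lines into value writes, key creations and file drops."""
    sets, keys, files = [], [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if (m := SET_RE.match(line)):
            rec = m.groupdict()
            rec["value"] = rec["value"].replace("\\\\", "\\")  # undo report escaping
            sets.append(rec)
        elif (m := KEY_RE.match(line)):
            keys.append(m.groupdict())
        elif (m := FILE_RE.match(line)):
            files.append(m.groupdict())
    return sets, keys, files


def persistence_findings(text):
    """Resolve Run-key and BHO entries to the files that back them."""
    sets, keys, files = parse_records(text)
    dropped = {f["path"].lower(): f["proc"] for f in files}
    inproc = {}  # CLSID -> DLL, from each InprocServer32 default value
    for s in sets:
        m = INPROC_RE.search(s["path"])
        if m:
            inproc[m["clsid"].lower()] = s["value"]
    findings = []
    for s in sets:
        m = RUN_RE.search(s["path"])
        if m:
            img = IMAGE_RE.match(s["value"])
            target = img["image"] if img else s["value"]
            findings.append({"kind": "run_key", "name": m["name"], "target": target,
                             "writer": s["proc"], "dropped_by": dropped.get(target.lower())})
    seen = set()
    for rec in sets + keys:  # a BHO CLSID appears as created keys and as value writes
        m = BHO_RE.search(rec["path"])
        if not m or m["clsid"].lower() in seen:
            continue
        seen.add(m["clsid"].lower())
        target = inproc.get(m["clsid"].lower())  # None if the CLSID was never registered
        findings.append({"kind": "bho", "clsid": m["clsid"], "target": target,
                         "writer": rec["proc"],
                         "dropped_by": dropped.get((target or "").lower())})
    return findings


if __name__ == "__main__":
    for finding in persistence_findings(SAMPLE_IOCS):
        print(finding)
```

Both findings come back with `dropped_by` set to the sample, which is the point a triage note should make: the autostart entry and the browser hook both point at files the installer itself wrote, not at anything that was on the system before. A BHO CLSID with no InprocServer32 match (`target` of None) would mean the registration is incomplete or lives under a hive this subset did not include.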
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4832 | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe (all 64 hits)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid | Process
872 | msedge.exe (all 6 hits)

Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process
872 | msedge.exe (all 25 hits)

Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
872 | msedge.exe (all 24 hits)
These three signatures fire only on msedge.exe (PID 872), which the sample launched to open a gamevance.com URL (see the process tree). They describe the browser's own start-up behaviour, not code belonging to the sample; the sample's own suspicious activity is the process enumeration from PID 4832 and the persistence writes above.
Suspicious use of WriteProcessMemory 64 IoCs
writer PID -> target PID | writer Process | procid_target | writes
4832 -> 2740 | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe | 86 | 3
2740 -> 1616 | cmd.exe | 88 | 3
4832 -> 3624 | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe | 89 | 3
3624 -> 1432 | cmd.exe | 91 | 3
4832 -> 872 | JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe | 93 | 2
872 -> 1448 | msedge.exe | 94 | 2
872 -> 4868 | msedge.exe | 95 | 40
872 -> 4060 | msedge.exe | 96 | 2
872 -> 1952 | msedge.exe | 97 | 6
Every write listed here goes from a parent into a child it has just spawned (compare the PID pairs with the process tree below), which is what process creation looks like to this signature. No write into a process outside the writer's own lineage is recorded, so nothing here points to injection into an unrelated process.
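The check just described, that each WriteProcessMemory record stays inside the writer's own lineage, is easy to automate. The script below is an added example and not part of the report: it rebuilds the parent/child relation from the depth markers of the process tree (rows constructed from this report), parses WriteProcessMemory records in the run-together form the report uses (a constructed subset of the 64 listed), and labels each writer/target pair as process creation or as a cross-process write worth chasing.

```python
"""Classify 'Suspicious use of WriteProcessMemory' records against a process tree.

Added example, not part of the sandbox output.  A write from a parent into
the child it spawned is what process creation looks like; a write into any
other process is the case to investigate as injection.
"""
import re
from collections import Counter

SAMPLE = "JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe"

# Constructed from the report's process tree: (depth, pid, image), in tree order.
PROCESS_TREE = [
    (1, 4832, SAMPLE),
    (2, 2740, "cmd.exe"),
    (3, 1616, "gamevance32.exe"),
    (2, 3624, "cmd.exe"),
    (3, 1432, "regsvr32.exe"),
    (2, 872, "msedge.exe"),
    (3, 1448, "msedge.exe"),
    (3, 4868, "msedge.exe"),
]

# Constructed subset of the report's WriteProcessMemory records, kept in the
# same run-together form: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>".
WPM_RECORDS = " ".join(
    [f"PID 4832 wrote to memory of 2740 4832 {SAMPLE} 86"] * 3
    + ["PID 2740 wrote to memory of 1616 2740 cmd.exe 88"] * 3
    + [f"PID 4832 wrote to memory of 3624 4832 {SAMPLE} 89"] * 3
    + ["PID 3624 wrote to memory of 1432 3624 cmd.exe 91"] * 3
    + [f"PID 4832 wrote to memory of 872 4832 {SAMPLE} 93"] * 2
    + ["PID 872 wrote to memory of 1448 872 msedge.exe 94"] * 2
    + ["PID 872 wrote to memory of 4868 872 msedge.exe 95"] * 4
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parent_map(tree):
    """Map pid -> parent pid from (depth, pid, image) rows listed in tree order."""
    parents, stack = {}, []          # stack[i] holds the open pid at depth i+1
    for depth, pid, _ in tree:
        del stack[depth - 1:]        # close deeper levels and same-depth siblings
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def parse_writes(blob):
    """Count recorded writes per (writer_pid, target_pid) pair."""
    return Counter((int(w), int(t)) for w, t, _, _ in WPM_RE.findall(blob))


def classify_writes(blob, tree):
    """Label each writer/target pair as process creation or a cross-process write."""
    parents = parent_map(tree)
    images = {pid: img for _, pid, img in tree}
    rows = []
    for (writer, target), n in sorted(parse_writes(blob).items()):
        if parents.get(target) == writer:
            verdict = "parent-to-child (process creation)"
        else:
            verdict = "cross-process write: investigate as injection"
        rows.append({"writer": writer, "writer_image": images.get(writer, "?"),
                     "target": target, "target_image": images.get(target, "?"),
                     "writes": n, "verdict": verdict})
    return rows


def suspicious(blob, tree):
    """Only the pairs the process tree does not explain."""
    return [r for r in classify_writes(blob, tree) if r["verdict"].startswith("cross")]


if __name__ == "__main__":
    for r in classify_writes(WPM_RECORDS, PROCESS_TREE):
        print(f"{r['writer']:>5} {r['writer_image']:<52} -> {r['target']:>5} "
              f"{r['target_image']:<16} x{r['writes']:<3} {r['verdict']}")
```

For this report every pair is explained by the tree, so `suspicious()` returns an empty list; the same code flags a record such as gamevance32.exe (1616) writing into msedge.exe (872), because 872's parent is 4832, not 1616. Counts are kept per pair because a burst of writes into one child, like the 40 into PID 4868 here, is normal for a browser's GPU process and should not be mistaken for repeated injection.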
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe  (PID 4832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2740)
        Command line: cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Gamevance\gamevance32.exe  (PID 1616)
            Command line: "C:\Program Files (x86)\Gamevance\gamevance32.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Enumerates system info in registry

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 3624)
        Command line: cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe  (PID 1432)
            Command line: regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
            - System Location Discovery: System Language Discovery
            - Modifies registry class

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 872)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8T1wsH0srLSyejP2bvG2tKz69TV%2F8awtbHGx7CyxsGwscHGscf%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1448)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9849a46f8,0x7ff9849a4708,0x7ff9849a4718

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4868)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4060)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1952)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2680)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4520)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4760)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1820)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4800)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4896)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1308)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1212)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4960)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4608 /prefetch:2

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 4016)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 944)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Browser Extensions (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 53B
MD5: 912e4eed4381adb9c64ee177ba6aa7ed
SHA1: bdeb17831f237adaa5105ba50558cdf7803b0d06
SHA256: 2aef5c710664a0b9080e7c7aa260987ded2d8c3bc89f81b020762129dabc8407
SHA512: 735076084990d3bfdcd66d679b0a7d9be3eed6c933fed27acdd120867c6ba45addd8b09764468e8779e475e31d20b499725dc3cafb965b24ba77836d59fe9f10

Filesize: 107B
MD5: 62ce0562bceff443bd79c41ca8535864
SHA1: 80589fd72973b39ddd26e6461c4c70171125e586
SHA256: c161ec6f362c614ef1d1a29a8d361ee893c60f007ba1174f416fd997bb87d64e
SHA512: 3f5d420dda6da2eaa99926ad96c6d5d6a76c460ee59c157c5dcc6e74f9b64d9015a33394e62f841a71e355ad0cd0d31f89a1b4fbe83303ec8f174d128ea6f7c1

Filesize: 164B
MD5: c2c08b049ccf6c8707829c0365caa76d
SHA1: f456a238d093d9923ad701c4da2f56e0d7482fd1
SHA256: 0b0266e01f6a10d23fe5eb133079e3eaa34473c174a84e4edb07a2b8e2d605b7
SHA512: a5e6966838dc29ee376fcfc0e2ee5857fad750bc726bec32c5d7bc67e2e761c9bc47e4e161021a1d2a4c31e50e0c47eea85e0e6cd49d2870a56f4b14056aee77

Filesize: 234KB
MD5: cbdc88d81ee9b4853dae7bdb410bea8e
SHA1: 5cf9c38a2e535cc6ba91a081c861a09f3845312c
SHA256: 7eb8769e1a66005a1f163f477e08927aaca665198ec231d8267d254f87e6ec38
SHA512: 1377a164af6ff4189b338ce7369c57b4a199cfd11f47698015a1034025f5a671f46d97a46ac43a9c6df98b31b1d00788da1b0a8440fdb0b3c2e5f5f8b7be9aab

Filesize: 223KB
MD5: cf0d4026b83380d4f7431b65ac7e8200
SHA1: 764531d73634f375e6e6ac0f122f47bdb691b315
SHA256: 40292b911d69fb981956ff4eb04469207656774c52b495124fe06379236d78fc
SHA512: 86a513a4e87ec1d721f6d957e383bccae82235b02b6f048b5f5d474d189c8f7cedc4f2e792174f6054a28aa8b112b4de77cda3d1dfc2eb614390072e67380abe

Filesize: 154KB
MD5: c6ecec4f180f5cf57a13e338015dc0a2
SHA1: dfab483824956bddd46e61b5f6db3536fcc0ac64
SHA256: ae939f3c64886fe24081c1070e3a7eaf04f2864db451e682efd1ff5cf546d007
SHA512: a878b12487e5062441e2f23c7a72f9eec23e590e80db60c9c6c03e270e7e6283c951663adf7212ecbd649bdabf62b09ce1ae827b4d0b0a54c924aa129ebda72d

Filesize: 256KB
MD5: 46db06cb8465b7e58e01b8f1d24ee1f7
SHA1: 152f92ce634b4f23e0480f7f6c9ad36128c9a903
SHA256: 559b8c3f3781a2494cd24d6dbc6fa0577cc44483b9442e4d33716c1cd25bd1dc
SHA512: 45453facb647e410edbf136f8e0156c1c7803263394566e8bb5620f364c18c8f7571523f40119aa3ab925e4b8c306eda4738fc357915736caed8232df244ccf6

Filesize: 152B
MD5: 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1: 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256: 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512: 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Filesize: 152B
MD5: d7cb450b1315c63b1d5d89d98ba22da5
SHA1: 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256: 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512: df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Filesize: 6KB
MD5: 982edb08193d4c1f11d0c2b198eea5f1
SHA1: cb93e7bffa633284a5e999a85b10c2e315305f44
SHA256: c8690f104e78b4dff7614c0761e4e7caa39d65a9b80628ea4c23d6381db37528
SHA512: bdba65760cc349bf95a442e8c27c1aecc5758d22cf28a7e8c3d7e30c15e344b471deb17627c0fb450daea0129656ebbec1eaa01e856c88bf4176b744b5a480cb

Filesize: 5KB
MD5: 579e3c14764729baaa38502ee442fdd4
SHA1: 6ab05eb48902c0a521b80f3c934e2b71923f7d91
SHA256: 55f8762274d23e40ec1f995efc4dc516443a54cc87a488e9fb67478d2627943d
SHA512: 4208beffab889788e00245773c87831bc252e3a0cc51c1340246e4449bf8a5f0b774b09b55c9ae0d14561b1206033c8b09fdef1fa80b6f142c9c1c16b30469bd

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 4dab44342ff97326065457ba4f1048ee
SHA1: eeba6fa592a7edfae13aeade5dc96cf5159b9727
SHA256: 708b917b7f586b7f5a160018be2fb04801ca4c51b4fc4cceabee2020afe79c8a
SHA512: 1c0098ac9f5c642a4b4cde8cb32bb8e77f52299204bb7a572b960f38f1f83fb8c6361bca84a4d9b8f592cca91fea2d882c68dd60015ef718438e636a5dab78a0