Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/01/2025, 19:19

General

  • Target

    JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe

  • Size

    1.9MB

  • MD5

    d0ad32489cb94443b7c441d455a267d3

  • SHA1

    7d8dc87deb71736947d765dbd5f00058f026cb46

  • SHA256

    4b8e02e55cbd79b06a6e34dac839cc7f60cec7f5199ad65f1478d9594a164f22

  • SHA512

    57e3c8548d3f1865224e170a8b91065229ea7486806005c5ef979372d31b02947b6e9693120df49eb6add641d656b825bad7a620e76fd9c3ec2f02d074fac060

  • SSDEEP

    49152:sD8QbBnW5oGvmx4UJASuA4wDinashps9AzV1pCh9mLsvW:LSBnW5d+lub3asPs9S7pcre

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies registry class 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0ad32489cb94443b7c441d455a267d3.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Program Files (x86)\Gamevance\gamevance32.exe
        "C:\Program Files (x86)\Gamevance\gamevance32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1432
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8T1wsH0srLSyejP2bvG2tKz69TV%2F8awtbHGx7CyxsGwscHGscf%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9849a46f8,0x7ff9849a4708,0x7ff9849a4718
        3⤵
          PID:1448
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
          3⤵
            PID:4868
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
            3⤵
              PID:4060
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
              3⤵
                PID:1952
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
                3⤵
                  PID:2680
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
                  3⤵
                    PID:4520
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                    3⤵
                      PID:4760
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                      3⤵
                        PID:1820
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
                        3⤵
                          PID:4800
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
                          3⤵
                            PID:4896
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
                            3⤵
                              PID:1308
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
                              3⤵
                                PID:1212
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11301500919249426917,10519722718235322093,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4608 /prefetch:2
                                3⤵
                                  PID:4960
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4016
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:944

Network

MITRE ATT&CK Enterprise v15


Downloads

                                      • C:\Program Files (x86)\Gamevance\ars.cfg

                                        Filesize

                                        53B

                                        MD5

                                        912e4eed4381adb9c64ee177ba6aa7ed

                                        SHA1

                                        bdeb17831f237adaa5105ba50558cdf7803b0d06

                                        SHA256

                                        2aef5c710664a0b9080e7c7aa260987ded2d8c3bc89f81b020762129dabc8407

                                        SHA512

                                        735076084990d3bfdcd66d679b0a7d9be3eed6c933fed27acdd120867c6ba45addd8b09764468e8779e475e31d20b499725dc3cafb965b24ba77836d59fe9f10

                                      • C:\Program Files (x86)\Gamevance\ars.cfg

                                        Filesize

                                        107B

                                        MD5

                                        62ce0562bceff443bd79c41ca8535864

                                        SHA1

                                        80589fd72973b39ddd26e6461c4c70171125e586

                                        SHA256

                                        c161ec6f362c614ef1d1a29a8d361ee893c60f007ba1174f416fd997bb87d64e

                                        SHA512

                                        3f5d420dda6da2eaa99926ad96c6d5d6a76c460ee59c157c5dcc6e74f9b64d9015a33394e62f841a71e355ad0cd0d31f89a1b4fbe83303ec8f174d128ea6f7c1

                                      • C:\Program Files (x86)\Gamevance\ars.cfg

                                        Filesize

                                        164B

                                        MD5

                                        c2c08b049ccf6c8707829c0365caa76d

                                        SHA1

                                        f456a238d093d9923ad701c4da2f56e0d7482fd1

                                        SHA256

                                        0b0266e01f6a10d23fe5eb133079e3eaa34473c174a84e4edb07a2b8e2d605b7

                                        SHA512

                                        a5e6966838dc29ee376fcfc0e2ee5857fad750bc726bec32c5d7bc67e2e761c9bc47e4e161021a1d2a4c31e50e0c47eea85e0e6cd49d2870a56f4b14056aee77

                                      • C:\Program Files (x86)\Gamevance\gamevance32.exe

                                        Filesize

                                        234KB

                                        MD5

                                        cbdc88d81ee9b4853dae7bdb410bea8e

                                        SHA1

                                        5cf9c38a2e535cc6ba91a081c861a09f3845312c

                                        SHA256

                                        7eb8769e1a66005a1f163f477e08927aaca665198ec231d8267d254f87e6ec38

                                        SHA512

                                        1377a164af6ff4189b338ce7369c57b4a199cfd11f47698015a1034025f5a671f46d97a46ac43a9c6df98b31b1d00788da1b0a8440fdb0b3c2e5f5f8b7be9aab

                                      • C:\Program Files (x86)\Gamevance\gamevancelib32.dll

                                        Filesize

                                        223KB

                                        MD5

                                        cf0d4026b83380d4f7431b65ac7e8200

                                        SHA1

                                        764531d73634f375e6e6ac0f122f47bdb691b315

                                        SHA256

                                        40292b911d69fb981956ff4eb04469207656774c52b495124fe06379236d78fc

                                        SHA512

                                        86a513a4e87ec1d721f6d957e383bccae82235b02b6f048b5f5d474d189c8f7cedc4f2e792174f6054a28aa8b112b4de77cda3d1dfc2eb614390072e67380abe

                                      • C:\Program Files (x86)\Gamevance\gvtl.dll

                                        Filesize

                                        154KB

                                        MD5

                                        c6ecec4f180f5cf57a13e338015dc0a2

                                        SHA1

                                        dfab483824956bddd46e61b5f6db3536fcc0ac64

                                        SHA256

                                        ae939f3c64886fe24081c1070e3a7eaf04f2864db451e682efd1ff5cf546d007

                                        SHA512

                                        a878b12487e5062441e2f23c7a72f9eec23e590e80db60c9c6c03e270e7e6283c951663adf7212ecbd649bdabf62b09ce1ae827b4d0b0a54c924aa129ebda72d

                                      • C:\Program Files (x86)\Gamevance\gvun.exe

                                        Filesize

                                        256KB

                                        MD5

                                        46db06cb8465b7e58e01b8f1d24ee1f7

                                        SHA1

                                        152f92ce634b4f23e0480f7f6c9ad36128c9a903

                                        SHA256

                                        559b8c3f3781a2494cd24d6dbc6fa0577cc44483b9442e4d33716c1cd25bd1dc

                                        SHA512

                                        45453facb647e410edbf136f8e0156c1c7803263394566e8bb5620f364c18c8f7571523f40119aa3ab925e4b8c306eda4738fc357915736caed8232df244ccf6

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        37f660dd4b6ddf23bc37f5c823d1c33a

                                        SHA1

                                        1c35538aa307a3e09d15519df6ace99674ae428b

                                        SHA256

                                        4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

                                        SHA512

                                        807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        d7cb450b1315c63b1d5d89d98ba22da5

                                        SHA1

                                        694005cd9e1a4c54e0b83d0598a8a0c089df1556

                                        SHA256

                                        38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

                                        SHA512

                                        df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        111B

                                        MD5

                                        807419ca9a4734feaf8d8563a003b048

                                        SHA1

                                        a723c7d60a65886ffa068711f1e900ccc85922a6

                                        SHA256

                                        aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

                                        SHA512

                                        f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        982edb08193d4c1f11d0c2b198eea5f1

                                        SHA1

                                        cb93e7bffa633284a5e999a85b10c2e315305f44

                                        SHA256

                                        c8690f104e78b4dff7614c0761e4e7caa39d65a9b80628ea4c23d6381db37528

                                        SHA512

                                        bdba65760cc349bf95a442e8c27c1aecc5758d22cf28a7e8c3d7e30c15e344b471deb17627c0fb450daea0129656ebbec1eaa01e856c88bf4176b744b5a480cb

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        5KB

                                        MD5

                                        579e3c14764729baaa38502ee442fdd4

                                        SHA1

                                        6ab05eb48902c0a521b80f3c934e2b71923f7d91

                                        SHA256

                                        55f8762274d23e40ec1f995efc4dc516443a54cc87a488e9fb67478d2627943d

                                        SHA512

                                        4208beffab889788e00245773c87831bc252e3a0cc51c1340246e4449bf8a5f0b774b09b55c9ae0d14561b1206033c8b09fdef1fa80b6f142c9c1c16b30469bd

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        10KB

                                        MD5

                                        4dab44342ff97326065457ba4f1048ee

                                        SHA1

                                        eeba6fa592a7edfae13aeade5dc96cf5159b9727

                                        SHA256

                                        708b917b7f586b7f5a160018be2fb04801ca4c51b4fc4cceabee2020afe79c8a

                                        SHA512

                                        1c0098ac9f5c642a4b4cde8cb32bb8e77f52299204bb7a572b960f38f1f83fb8c6361bca84a4d9b8f592cca91fea2d882c68dd60015ef718438e636a5dab78a0

                                      • memory/1616-62-0x0000000000400000-0x000000000044E000-memory.dmp

                                        Filesize

                                        312KB

                                      • memory/1616-39-0x0000000067000000-0x0000000067044000-memory.dmp

                                        Filesize

                                        272KB

                                      • memory/1616-40-0x0000000000400000-0x000000000044E000-memory.dmp

                                        Filesize

                                        312KB

                                      • memory/4832-1-0x0000000000400000-0x0000000000788000-memory.dmp

                                        Filesize

                                        3.5MB

                                      • memory/4832-82-0x0000000000400000-0x0000000000788000-memory.dmp

                                        Filesize

                                        3.5MB

                                      • memory/4832-41-0x0000000000400000-0x0000000000788000-memory.dmp

                                        Filesize

                                        3.5MB

                                      • memory/4832-0-0x0000000000400000-0x0000000000788000-memory.dmp

                                        Filesize

                                        3.5MB

                                      • memory/4832-12-0x0000000067000000-0x0000000067044000-memory.dmp

                                        Filesize

                                        272KB