Overview

Score  Task                    Platform
7      Static                  static
3      JaffaCakes...ad.exe     windows7-x64
7      JaffaCakes...ad.exe     windows10-2004-x64
7      $PLUGINSDI...er.exe     windows7-x64
3      $PLUGINSDI...er.exe     windows10-2004-x64
3      $PLUGINSDI...ar.exe     windows7-x64
3      $PLUGINSDI...ar.exe     windows10-2004-x64
3      $PLUGINSDI...em.dll     windows7-x64
3      $PLUGINSDI...em.dll     windows10-2004-x64
3      $PLUGINSDI...st.exe     windows7-x64
7      $PLUGINSDI...st.exe     windows10-2004-x64
7      $PLUGINSDI...ec.dll     windows7-x64
3      $PLUGINSDI...ec.dll     windows10-2004-x64
3      AdminWorker.exe         windows7-x64
3      AdminWorker.exe         windows10-2004-x64
3      Uninstall.exe           windows7-x64
7      Uninstall.exe           windows10-2004-x64
7      WebInstaller.exe        windows7-x64
6      WebInstaller.exe        windows10-2004-x64
6      WebUpdater.exe          windows7-x64
3      WebUpdater.exe          windows10-2004-x64
3      content/iwa-ovr.js      windows7-x64
3      content/iwa-ovr.js      windows10-2004-x64
3      content/iwinarcade.js   windows7-x64
3      content/iwinarcade.js   windows10-2004-x64
3      firefox/iW...er.exe     windows7-x64
3      firefox/iW...er.exe     windows10-2004-x64
3      iWinGames.exe           windows7-x64
6      iWinGames.exe           windows10-2004-x64
7      iWinGamesHookIE.dll     windows7-x64
6      iWinGamesHookIE.dll     windows10-2004-x64
6      iWinInfo.dll            windows7-x64
3      iWinInfo.dll            windows10-2004-x64
Analysis

max time kernel:   122s
max time network:  128s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         20/01/2025, 11:40
Static task: static1

Behavioral tasks

Task          Sample                                               Resource
behavioral1   JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe   win7-20240903-en
behavioral2   JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe   win10v2004-20241007-en
behavioral3   $PLUGINSDIR/InstGameInfoHelper.exe                   win7-20240903-en
behavioral4   $PLUGINSDIR/InstGameInfoHelper.exe                   win10v2004-20241007-en
behavioral5   $PLUGINSDIR/IwinToolbar.exe                          win7-20241010-en
behavioral6   $PLUGINSDIR/IwinToolbar.exe                          win10v2004-20241007-en
behavioral7   $PLUGINSDIR/System.dll                               win7-20240708-en
behavioral8   $PLUGINSDIR/System.dll                               win10v2004-20241007-en
behavioral9   $PLUGINSDIR/iwintoolbarinst.exe                      win7-20240903-en
behavioral10  $PLUGINSDIR/iwintoolbarinst.exe                      win10v2004-20241007-en
behavioral11  $PLUGINSDIR/nsExec.dll                               win7-20240903-en
behavioral12  $PLUGINSDIR/nsExec.dll                               win10v2004-20241007-en
behavioral13  AdminWorker.exe                                      win7-20240729-en
behavioral14  AdminWorker.exe                                      win10v2004-20241007-en
behavioral15  Uninstall.exe                                        win7-20240903-en
behavioral16  Uninstall.exe                                        win10v2004-20241007-en
behavioral17  WebInstaller.exe                                     win7-20240903-en
behavioral18  WebInstaller.exe                                     win10v2004-20241007-en
behavioral19  WebUpdater.exe                                       win7-20240903-en
behavioral20  WebUpdater.exe                                       win10v2004-20241007-en
behavioral21  content/iwa-ovr.js                                   win7-20240903-en
behavioral22  content/iwa-ovr.js                                   win10v2004-20241007-en
behavioral23  content/iwinarcade.js                                win7-20241023-en
behavioral24  content/iwinarcade.js                                win10v2004-20241007-en
behavioral25  firefox/iWinArcadeLauncher.exe                       win7-20240903-en
behavioral26  firefox/iWinArcadeLauncher.exe                       win10v2004-20241007-en
behavioral27  iWinGames.exe                                        win7-20241010-en
behavioral28  iWinGames.exe                                        win10v2004-20241007-en
behavioral29  iWinGamesHookIE.dll                                  win7-20240903-en
behavioral30  iWinGamesHookIE.dll                                  win10v2004-20241007-en
behavioral31  iWinInfo.dll                                         win7-20240903-en
behavioral32  iWinInfo.dll                                         win10v2004-20241007-en
General

Target:  Uninstall.exe
Size:    75KB
MD5:     f7eb4bc689e6cf7d36040dbe0d9331e5
SHA1:    19bca2dd29fb9f54822bd2cacb68bf85063cf92a
SHA256:  c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7
SHA512:  062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023
SSDEEP:  1536:DPx/CJAmx2/W5Ebnto4tmJK+ekp6jV++VIY2Znip6zv0:rx6UW6tpmJKS4ZxX2Zip6A
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2640  Au_.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2640  Au_.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2856  Uninstall.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iWinArcadeIECleanup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinArcadeAutocleanup.bat"  Au_.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Uninstall.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Au_.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AdminWorker.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AdminWorker.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iWinGames.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iWinTrusted.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WebInstaller.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AdminWorker.exe

NSIS installer (2 IoCs)
  resource                                     yara_rule
  behavioral15/files/0x0005000000019c48-2.dat  nsis_installer_1
  behavioral15/files/0x0005000000019c48-2.dat  nsis_installer_2

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2740  iWinGames.exe

Suspicious use of WriteProcessMemory (52 IoCs)
  The report repeats identical rows; they are collapsed here and the count column gives how many times each row appears (4+4+4+4+7+7+4+4+7+7 = 52).
  description                       pid   Process           procid_target  count
  PID 2856 wrote to memory of 2640  2856  Uninstall.exe     31             4
  PID 2640 wrote to memory of 2704  2640  Au_.exe           32             4
  PID 2640 wrote to memory of 2852  2640  Au_.exe           33             4
  PID 2640 wrote to memory of 2684  2640  Au_.exe           34             4
  PID 2640 wrote to memory of 2668  2640  Au_.exe           35             7
  PID 2668 wrote to memory of 2848  2668  WebInstaller.exe  36             7
  PID 2640 wrote to memory of 2740  2640  Au_.exe           37             4
  PID 2640 wrote to memory of 2540  2640  Au_.exe           38             4
  PID 2640 wrote to memory of 2620  2640  Au_.exe           39             7
  PID 2640 wrote to memory of 2284  2640  Au_.exe           40             7
Processes

Process tree (indentation shows parent/child relationship; the number in brackets is the depth shown in the report)

[1] C:\Users\Admin\AppData\Local\Temp\Uninstall.exe  (PID 2856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe  (PID 2640)
        Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe  (PID 2704)
            Command line: "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe  (PID 2852)
            Command line: "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe  (PID 2684)
            Command line: "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe  (PID 2668)
            Command line: "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\regsvr32.exe  (PID 2848)
                Command line: regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
                - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\iWinGames.exe  (PID 2740)
            Command line: "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe  (PID 2540)
            Command line: "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\regsvr32.exe  (PID 2620)
            Command line: "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\regsvr32.exe  (PID 2284)
            Command line: "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  160B
MD5       7bcfdf4ff2fd7e9f38e4e836ce443378
SHA1      aee14127fd409c3de064e5bb65ed057dca3cb4f7
SHA256    428deca3f08767b4091b1839cd2d84dc827d569e244f8a3cec2817ffbef46a71
SHA512    8c883692d453708b02e087330630f6d1f14f9a282cc905211a836071e4c095b819ccaac0fac951b74e13f116ab575ed9c78ea58de04915639db2c915b028bf32

Filesize  406B
MD5       e661e214e2e3a4b34534087af7a157c8
SHA1      9d9da4838515c6e65bd0300baefbdae80a3b58e2
SHA256    97c0d116d0ea2783b20b8bd29464f13bd6cb3c4f1e6c85b946089db5316e6bcc
SHA512    210aabddb0fbbc86037863cb552fa55608f20cedf2ae40408bc2ade58e127b1975e0e198668434f9ebbfab5102403e2e862549cd86f9dc3d9f48045717bf6943

Filesize  75KB  (same hashes as the target Uninstall.exe listed under General)
MD5       f7eb4bc689e6cf7d36040dbe0d9331e5
SHA1      19bca2dd29fb9f54822bd2cacb68bf85063cf92a
SHA256    c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7
SHA512    062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023