Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2025, 11:40
Tasks
- static1 (static task)
- behavioral1: JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe (resource: win7-20240903-en)
- behavioral2: JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe (resource: win10v2004-20241007-en)
- behavioral3: $PLUGINSDIR/InstGameInfoHelper.exe (resource: win7-20240903-en)
- behavioral4: $PLUGINSDIR/InstGameInfoHelper.exe (resource: win10v2004-20241007-en)
- behavioral5: $PLUGINSDIR/IwinToolbar.exe (resource: win7-20241010-en)
- behavioral6: $PLUGINSDIR/IwinToolbar.exe (resource: win10v2004-20241007-en)
- behavioral7: $PLUGINSDIR/System.dll (resource: win7-20240708-en)
- behavioral8: $PLUGINSDIR/System.dll (resource: win10v2004-20241007-en)
- behavioral9: $PLUGINSDIR/iwintoolbarinst.exe (resource: win7-20240903-en)
- behavioral10: $PLUGINSDIR/iwintoolbarinst.exe (resource: win10v2004-20241007-en)
- behavioral11: $PLUGINSDIR/nsExec.dll (resource: win7-20240903-en)
- behavioral12: $PLUGINSDIR/nsExec.dll (resource: win10v2004-20241007-en)
- behavioral13: AdminWorker.exe (resource: win7-20240729-en)
- behavioral14: AdminWorker.exe (resource: win10v2004-20241007-en)
- behavioral15: Uninstall.exe (resource: win7-20240903-en)
- behavioral16: Uninstall.exe (resource: win10v2004-20241007-en)
- behavioral17: WebInstaller.exe (resource: win7-20240903-en)
- behavioral18: WebInstaller.exe (resource: win10v2004-20241007-en)
- behavioral19: WebUpdater.exe (resource: win7-20240903-en)
- behavioral20: WebUpdater.exe (resource: win10v2004-20241007-en)
- behavioral21: content/iwa-ovr.js (resource: win7-20240903-en)
- behavioral22: content/iwa-ovr.js (resource: win10v2004-20241007-en)
- behavioral23: content/iwinarcade.js (resource: win7-20241023-en)
- behavioral24: content/iwinarcade.js (resource: win10v2004-20241007-en)
- behavioral25: firefox/iWinArcadeLauncher.exe (resource: win7-20240903-en)
- behavioral26: firefox/iWinArcadeLauncher.exe (resource: win10v2004-20241007-en)
- behavioral27: iWinGames.exe (resource: win7-20241010-en)
- behavioral28: iWinGames.exe (resource: win10v2004-20241007-en)
- behavioral29: iWinGamesHookIE.dll (resource: win7-20240903-en)
- behavioral30: iWinGamesHookIE.dll (resource: win10v2004-20241007-en)
- behavioral31: iWinInfo.dll (resource: win7-20240903-en)
- behavioral32: iWinInfo.dll (resource: win10v2004-20241007-en)
General
Target: Uninstall.exe
Size: 75KB
MD5: f7eb4bc689e6cf7d36040dbe0d9331e5
SHA1: 19bca2dd29fb9f54822bd2cacb68bf85063cf92a
SHA256: c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7
SHA512: 062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023
SSDEEP: 1536:DPx/CJAmx2/W5Ebnto4tmJK+ekp6jV++VIY2Znip6zv0:rx6UW6tpmJKS4ZxX2Zip6A
Malware Config
Signatures
Deletes itself (1 IoC)
- pid 4484, process Au_.exe
Executes dropped EXE (1 IoC)
- pid 4484, process Au_.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iWinArcadeIECleanup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinArcadeAutocleanup.bat" (process: Au_.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AdminWorker.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: iWinTrusted.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: iWinGames.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Uninstall.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Au_.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AdminWorker.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WebInstaller.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AdminWorker.exe)
NSIS installer (2 IoCs)
- resource behavioral16/files/0x0008000000023c57-3.dat matched yara rule nsis_installer_1
- resource behavioral16/files/0x0008000000023c57-3.dat matched yara rule nsis_installer_2
Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3980, process iWinGames.exe
Suspicious use of WriteProcessMemory (30 IoCs)
- PID 2884 wrote to memory of 4484 (process: Uninstall.exe, procid_target: 82)
- PID 2884 wrote to memory of 4484 (process: Uninstall.exe, procid_target: 82)
- PID 2884 wrote to memory of 4484 (process: Uninstall.exe, procid_target: 82)
- PID 4484 wrote to memory of 3956 (process: Au_.exe, procid_target: 83)
- PID 4484 wrote to memory of 3956 (process: Au_.exe, procid_target: 83)
- PID 4484 wrote to memory of 3956 (process: Au_.exe, procid_target: 83)
- PID 4484 wrote to memory of 4900 (process: Au_.exe, procid_target: 84)
- PID 4484 wrote to memory of 4900 (process: Au_.exe, procid_target: 84)
- PID 4484 wrote to memory of 4900 (process: Au_.exe, procid_target: 84)
- PID 4484 wrote to memory of 3932 (process: Au_.exe, procid_target: 85)
- PID 4484 wrote to memory of 3932 (process: Au_.exe, procid_target: 85)
- PID 4484 wrote to memory of 3932 (process: Au_.exe, procid_target: 85)
- PID 4484 wrote to memory of 1492 (process: Au_.exe, procid_target: 86)
- PID 4484 wrote to memory of 1492 (process: Au_.exe, procid_target: 86)
- PID 4484 wrote to memory of 1492 (process: Au_.exe, procid_target: 86)
- PID 1492 wrote to memory of 2180 (process: WebInstaller.exe, procid_target: 87)
- PID 1492 wrote to memory of 2180 (process: WebInstaller.exe, procid_target: 87)
- PID 1492 wrote to memory of 2180 (process: WebInstaller.exe, procid_target: 87)
- PID 4484 wrote to memory of 3980 (process: Au_.exe, procid_target: 88)
- PID 4484 wrote to memory of 3980 (process: Au_.exe, procid_target: 88)
- PID 4484 wrote to memory of 3980 (process: Au_.exe, procid_target: 88)
- PID 4484 wrote to memory of 4876 (process: Au_.exe, procid_target: 91)
- PID 4484 wrote to memory of 4876 (process: Au_.exe, procid_target: 91)
- PID 4484 wrote to memory of 4876 (process: Au_.exe, procid_target: 91)
- PID 4484 wrote to memory of 2656 (process: Au_.exe, procid_target: 93)
- PID 4484 wrote to memory of 2656 (process: Au_.exe, procid_target: 93)
- PID 4484 wrote to memory of 2656 (process: Au_.exe, procid_target: 93)
- PID 4484 wrote to memory of 1976 (process: Au_.exe, procid_target: 94)
- PID 4484 wrote to memory of 1976 (process: Au_.exe, procid_target: 94)
- PID 4484 wrote to memory of 1976 (process: Au_.exe, procid_target: 94)
Processes (bracketed number is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\Uninstall.exe (PID 2884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (PID 4484)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    Signatures: Deletes itself; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe (PID 3956)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
      Signatures: System Location Discovery: System Language Discovery
    - [3] C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe (PID 4900)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
      Signatures: System Location Discovery: System Language Discovery
    - [3] C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe (PID 3932)
      Command line: "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
      Signatures: System Location Discovery: System Language Discovery
    - [3] C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe (PID 1492)
      Command line: "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\regsvr32.exe (PID 2180)
        Command line: regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
        Signatures: System Location Discovery: System Language Discovery
    - [3] C:\Users\Admin\AppData\Local\Temp\iWinGames.exe (PID 3980)
      Command line: "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - [3] C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe (PID 4876)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
      Signatures: System Location Discovery: System Language Discovery
    - [3] C:\Windows\SysWOW64\regsvr32.exe (PID 2656)
      Command line: "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
      Signatures: System Location Discovery: System Language Discovery
    - [3] C:\Windows\SysWOW64\regsvr32.exe (PID 1976)
      Command line: "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
      Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 160B
  MD5: 05da8f0281ad5626c84a5549650d1bf3
  SHA1: 9e742af52e9e439f63dc7788b472c73000a1da4f
  SHA256: 0f8e730f1b5a750f5f42698e020b25a8291b9c7336310d0999ef0d1660434016
  SHA512: 7b2d26f5ff4ce2d5b880fa9027e71bfeb576086f43c85a2885515969e18ee2fe8b8602115fbd55827e2c328f5b8102f9e3f7779694bfdd09430793e67eee2ea3
- Filesize: 407B
  MD5: 559051f7e1657074cfff4e63fb9087c5
  SHA1: a66f00c2b1ed6ce7fe91c881815f2eb336098769
  SHA256: 193ef850bbe75ade2aca30633f0f353e5f3b309e48049b244deb71fb069d814b
  SHA512: eee555aca6c5a48d605432b7a33b93008021df35320f8e68413964890d16259751cac1affd6721db7d09eed4613ddb5974222f80b69ec4247781b9ff1179c6dc
- Filesize: 75KB
  MD5: f7eb4bc689e6cf7d36040dbe0d9331e5
  SHA1: 19bca2dd29fb9f54822bd2cacb68bf85063cf92a
  SHA256: c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7
  SHA512: 062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023