Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2025, 11:40

General

  • Target

    JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe

  • Size

    3.6MB

  • MD5

    e60156f6d9a9642465da11d0915b43ad

  • SHA1

    c332bc20c25fb9bbc94185992811e977243c5664

  • SHA256

    672d70ad03e526910432bcc74c21e184b33b1bedd80c6a29223f4e52175b78f1

  • SHA512

    806d626f2181c3968e90e0fe254a2956807d8beaed45ea20348c121a6db425cea3008a3518c2c0e77681e08a7c7bbca686b2189aba813628f2ebbcf2185e2997

  • SSDEEP

    98304:6jiX418wVrgGlg9iHjOzZYr8d/GXGtQ9TANT:6jiIBy6O9d/GXAx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 41 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4804
    • C:\Program Files (x86)\iWin Games\AdminWorker.exe
      "C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3672
    • C:\Program Files (x86)\iWin Games\AdminWorker.exe
      "C:\Program Files (x86)\iWin Games\AdminWorker.exe" restoreShortcutsPathes
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2244
    • C:\Program Files (x86)\iWin Games\iWinTrusted.exe
      "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3228
    • C:\Program Files (x86)\iWin Games\WebInstaller.exe
      "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3416
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1408
    • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe
      iwintoolbar.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1772
    • C:\Program Files (x86)\iWin Games\iWinGames.exe
      "C:\Program Files (x86)\iWin Games\iWinGames.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Program Files (x86)\iWin Games\iWinTrusted.exe
        "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3484
      • C:\Program Files (x86)\iWin Games\WebInstaller.exe
        "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2716
      • C:\Program Files (x86)\iWin Games\AdminWorker.exe
        "C:\Program Files (x86)\iWin Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" "-install"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4484
        • C:\Program Files (x86)\iWin Games\iWinTrusted.exe
          "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4200
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f8 0x518
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2812
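The process tree above is the most useful part of this report for detection engineering: a user-land installer (PID 3488, `WebInstaller.exe`) spawns `regsvr32.exe /s /i` against a DLL in `Program Files (x86)`, and that `/i` flag is what makes regsvr32 call the DLL's `DllInstall` export and register `iWinGamesHookIE.dll` as a Browser Helper Object. The Python below is an added example, not part of the sandbox output: it parses an excerpt of the tree in the report's own layout (bulleted image path, command line, depth marker such as `3⤵`, behaviour bullets, `PID:n`), reconstructs parent/child links from the depth markers, and pulls out every regsvr32 registration with its flags and parent PID. The excerpt is copied from the tree above with most behaviour bullets dropped; the layout assumptions are stated in the comments.

```python
"""Parse a sandbox process tree and extract regsvr32 DLL registrations.

Added example. PROCESS_TREE is copied from the report above (trimmed to
four processes); the parser assumes the report's layout: a bulleted image
path, one command-line line, a depth marker like "3⤵", zero or more
behaviour bullets, then "PID:n".
"""
import re
from dataclasses import dataclass, field
from typing import Optional

PROCESS_TREE = r"""
  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Program Files (x86)\iWin Games\WebInstaller.exe
      "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
      2⤵
      • Executes dropped EXE
      PID:3488
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
        3⤵
        • Installs/modifies Browser Helper Object
        PID:3416
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"
      2⤵
      • Loads dropped DLL
      PID:1408
"""


@dataclass
class Process:
    image: str
    cmdline: str
    depth: int
    pid: int
    behaviours: list = field(default_factory=list)
    parent_pid: Optional[int] = None


IMAGE_RE = re.compile(r"^•\s+([A-Za-z]:\\.+)$")   # bullet followed by a drive-letter path
DEPTH_RE = re.compile(r"^(\d+)⤵$")               # "1⤵", "2⤵", ... tree depth
PID_RE = re.compile(r"^PID:(\d+)$")
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


def parse_tree(text):
    """Return Process records in report order, parent linked via depth markers."""
    procs, cur, last_at_depth = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IMAGE_RE.match(line)
        if m:                                   # new process starts
            cur = {"image": m.group(1), "cmdline": None, "depth": None, "behaviours": []}
            continue
        if cur is None:
            continue
        if cur["cmdline"] is None:              # first line after the image is the command line
            cur["cmdline"] = line
            continue
        m = DEPTH_RE.match(line)
        if m:
            cur["depth"] = int(m.group(1))
            continue
        m = PID_RE.match(line)
        if m:                                   # PID closes the record; parent is last seen at depth-1
            parent = last_at_depth.get(cur["depth"] - 1)
            proc = Process(cur["image"], cur["cmdline"], cur["depth"], int(m.group(1)),
                           cur["behaviours"], parent.pid if parent else None)
            procs.append(proc)
            last_at_depth[cur["depth"]] = proc
            cur = None
            continue
        if line.startswith("•"):                # behaviour bullet
            cur["behaviours"].append(line.lstrip("• ").strip())
    return procs


def regsvr32_registrations(procs):
    """One record per regsvr32 launch: target DLL, whether /i (DllInstall) and /s
    (silent) were passed, whether the DLL lives outside C:\\Windows, and the parent."""
    out = []
    for p in procs:
        if not p.image.lower().endswith("\\regsvr32.exe"):
            continue
        m = DLL_RE.search(p.cmdline)
        dll = (m.group(1) or m.group(2)) if m else None
        flags = {tok.lower() for tok in p.cmdline.split() if tok.startswith("/")}
        out.append({
            "pid": p.pid,
            "parent_pid": p.parent_pid,
            "dll": dll,
            "dllinstall": "/i" in flags,
            "silent": "/s" in flags,
            "outside_windows": bool(dll) and not dll.lower().startswith("c:\\windows\\"),
        })
    return out


if __name__ == "__main__":
    for r in regsvr32_registrations(parse_tree(PROCESS_TREE)):
        print(r)
```

The `dllinstall` and `outside_windows` fields together are the hunting condition: silent `regsvr32 /s /i` on a DLL under `Program Files`, spawned by something other than a Windows installer component, is rare enough in most fleets to alert on, and the parent PID lets you walk back to the dropper.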

Network

        Downloads

        • C:\Program Files (x86)\iWin Games\AdminWorker.exe

          Filesize

          90KB

          MD5

          4c0f8f3cf26f0396ead85a2356807c3c

          SHA1

          ce72ae607bf5bc4b3eeb7494e2e1bd4ebcbb69ff

          SHA256

          b024f78e61fbb1e26c844a35cbe1c49c34a36af3ec1fff6528e5539c30b7132e

          SHA512

          574d76ef6cc7f705ee084faa8900bad77fb93732b37732e4d9e9bc66585690d623dff51921b0918904600da27fa607938fdca6fdc42733c73e6a94fd6adc3240

        • C:\Program Files (x86)\iWin Games\WebInstaller.exe

          Filesize

          119KB

          MD5

          68f57e85a24b56f8ef8147594d36cdce

          SHA1

          5a0a2df45c1d3a9ebed83eae74bbd1c13ad5d053

          SHA256

          5c8c6afa74f03fb0d2ac31cb9cf19077211dd5c08c0166881893efb7d2a3977f

          SHA512

          7ecfb670e4d3672413d9274cf7ebd888d007ba09d6c2dd24f88175817663d0b67064603f1e011fa2cdaf7a160dce62c2502516dd29c4a28b8686315bea0cb042

        • C:\Program Files (x86)\iWin Games\WebUpdater.exe

          Filesize

          80KB

          MD5

          3287302f72a0011d9460da21c7b37ae1

          SHA1

          e7430de4d6a8bbd2b79a80ec75b09240aef74cae

          SHA256

          dca222382828a4e2a3c9dbe03dc637b704ea3b9e078595e3e18980a1fe3daa23

          SHA512

          835b401a6952ba9d176fa531bd250925488b0464e64627003dbd0f791fe77b3951909296ebfb702e8d3ca045f801c98db043446d49642d77fb21d11fa5b0811d

        • C:\Program Files (x86)\iWin Games\firefox\version

          Filesize

          5B

          MD5

          c314a4674d7e2d0d0df34fb27a0983d8

          SHA1

          56b9cdb1f345be8212ffa03722d792edf09b55fa

          SHA256

          2e8516fe8eade72d519ce204c2c296bf838589585c14d28170e1621bd10e4dc4

          SHA512

          1d25fa966a36fe0d12a0f58b1a94bb0b9787738b321d79aa8db9934a494a412117273cad836a37ef3ff44540441e3e343c8260a28e8883581a9def37ad0e5b60

        • C:\Program Files (x86)\iWin Games\host.cfg

          Filesize

          18B

          MD5

          48219b846f8111f0064fd38788b9ab98

          SHA1

          542cb5f93dbf610f28d6c66fca0a49da0076d31d

          SHA256

          38d321b4d09d2d0192d11d7356ebd2f94d413661b126b7494b223a57b04084de

          SHA512

          50ac1b46f6eb79bcad7c20927a95b734fb9b7a7e5d5a0927264fbeba82c9374cfd6437149f9cc43cfe50bfac52cc2948fae20074385ea0e4530841436b5120ad

        • C:\Program Files (x86)\iWin Games\iWinGames.exe

          Filesize

          1.5MB

          MD5

          4851958fad503e3467be9b047517e4d3

          SHA1

          95d09a8bae10756fe41739336f5768dc14d27dd9

          SHA256

          2c8e819d3cfec79cce6fa9ecc2402a7bdc1839c6af98505e38215318f511ed28

          SHA512

          7bb53990f50512fc1550b91789fc7b3190fb0cdba9bca068f49579d162d46782895d1d518de00e7f95e82823d1f855670492d5dde057b44720bae71d85f063d1

        • C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll

          Filesize

          138KB

          MD5

          f841c2d5f930cf4ae834b67a9eba5809

          SHA1

          50d550e3d9ea5585148f644f12e33d113dd303e8

          SHA256

          9b22d81b76219c30914dbf93f431cf72a6dc071a34fda46c4534a24eb6ca43c7

          SHA512

          ee5f53e67826dd6542b39e5808c6bcfc4b5ddb09ef566de7167c57e7ebfe1a4dd915bb3ab6c7c6693b0b3b499dd35ca6c16f782fc11ea4262f4955a08e206702

        • C:\Program Files (x86)\iWin Games\iWinInfo.dll

          Filesize

          120KB

          MD5

          067b2c0a3d6b801fc8c9bcce8411dfd1

          SHA1

          ff26f2c84a6c256b2959c9482f45524a9ab06781

          SHA256

          1e692ee7bbd08d0862055a4bf69647c8022385706bf3b07462f28de9d1a6cf7d

          SHA512

          8b7e372c3a15d27cbf449b51ced7485b40f687cb7429a0765f4cc6ff2a8f67ace2b0594662183b5a0292f1b46873694d9b8e2208f56d542cac5cddabfdb8e3b3

        • C:\Program Files (x86)\iWin Games\iWinTrusted.exe

          Filesize

          76KB

          MD5

          dc2c60e7d42d67a560918f8e497a0980

          SHA1

          55efe25e33e660d0284c73517a37d019777488c0

          SHA256

          b79f06804168a096ee499fed0dcdf0b73a4ce742b455d5de0059d2ec7e1bb89f

          SHA512

          e7c4e53ee45f5d1030c2c361194457e3e3a4009f2e356c687aaf299872a9c1388f2a86c8f5b69e68c64353ae5286c9dd411da218dd0fd20ff2f5d16219a83474

        • C:\Program Files (x86)\iWin Games\pages\blank.html

          Filesize

          251B

          MD5

          f8ab4f67022399715ff3e862f59bd27e

          SHA1

          2606eca361d217990708bb1714e6de2d0bb21584

          SHA256

          3db213886c1a831f8c1867c367cf46ffc84065ce5831b04eb398837abcfd6965

          SHA512

          9bd33cd117228af88aef403472edf669a12aa4ec68fdc4cd168e1c6ad8aaa63e12278475583268aeff37609eef5b3118747f8be9792ca6cc59ded647dac86ad5

        • C:\Program Files (x86)\iWin Games\pages\blank2.html

          Filesize

          74B

          MD5

          90b42fd8e93203218847a3c0a646d377

          SHA1

          0d485e2de867448e4853031d5714942128d92983

          SHA256

          aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f

          SHA512

          de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab

        • C:\Program Files (x86)\iWin Games\pages\iwin_logo.gif

          Filesize

          5KB

          MD5

          0dc284616d7449d447d4d5a9ac2a230b

          SHA1

          377a3077c320f639c8e58b50aab55725f2bb6e34

          SHA256

          1a75196360b1ce49017e0dac6fb29797e1a947085e6f5dcf03a37747b51e83a1

          SHA512

          044a70e9a448ea2f4ef0a8971420a230aaebf3cd1c4e896d1dcc1c52a20f94e48d0a59484077c2ff1bd2e4cb23b6fad041b87e1ea06a43e768b96b372d2955c9

        • C:\Program Files (x86)\iWin Games\sounds\animation.wav

          Filesize

          77KB

          MD5

          3ef7618619348fbbeca7b0f772be7e5c

          SHA1

          d86829f29c8f22c2d3562269b3d2f0c3b822ad0c

          SHA256

          d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872

          SHA512

          b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376

        • C:\Program Files (x86)\iWin Games\sounds\start.wav

          Filesize

          57KB

          MD5

          94ab5e493c7fd8358c9a893d0a108d5f

          SHA1

          5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173

          SHA256

          54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a

          SHA512

          f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164

        • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe

          Filesize

          98KB

          MD5

          ec08c1c867ded8f5221aefb969b161c1

          SHA1

          839866cc28b401d1d3f0f07aa8f13803f56b496a

          SHA256

          f3bd166834e626631abe30c2353dd1c015d8b9cf6b63cf94164478e6cbf3c0be

          SHA512

          34c35aab50e9207bdb50cb619c0882b585577b46cdd23710663dcfeceaca8b7c4248e082ad28c2718201225c42d0ad559ebd0ebe904a588d324d50d44774a7a7

        • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\IwinToolbar.exe

          Filesize

          103KB

          MD5

          2977804931e9cf61cf86d1d0d0d7eb3e

          SHA1

          3e96c8baa8d6ebeb8deb021a453adc02b4f7a288

          SHA256

          c79f67e60d4d9d8e3446bcf804b9f78fc7a52a994a47383c1aff9a7b58790979

          SHA512

          4004e12a59d175d7d88c7e6cd8ddddc78ee787ca0f82b63ee63d1e271d828655aa10c2d8463928a9db1fcf13308572c55d407194baa941f9162d6d08a5a47b14

        • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\System.dll

          Filesize

          10KB

          MD5

          4c0c6163b636f627e0d505deda672c90

          SHA1

          2eae4e6f00673a03ae2434f1b22dc9218e4761a8

          SHA256

          bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb

          SHA512

          e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef

        • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\ftdownload.dat

          Filesize

          512B

          MD5

          e45db6ebc4de21e77ddd6ac9a7735dc7

          SHA1

          2230443ffa9c45016b17aaaf05492e155032d8b5

          SHA256

          9af15500af37d4bba70bf38ed1100eb81553f6a6171d8dba84c1eb8cfc6fc2f9

          SHA512

          95078c3ee3abd00e97d99cb93f554c51ba935d21e5884e35c045e06c77474e45610ff43740bc5d6eadfd1a7ca2cec9967bb04bbc344158660ad3e8ddb2d70945

        • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\gametitle.txt

          Filesize

          10B

          MD5

          09413be548245a232bf1857a0c94524b

          SHA1

          367cae47d819a19202c30a801d05b3114f02bcb9

          SHA256

          cb60483845cf9bced83019d3825d76fc6d1c2cea8430c2d3d33a0a926d5a5073

          SHA512

          953c3fb3ebebfec1856454b423154c425986af4eecf3ffd741639ea4c4be9d47dc9663b73683171b68db753abb1219241a8082cdf40e915a2411c38e755bccf7

        • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\nsExec.dll

          Filesize

          6KB

          MD5

          0eaa468e975017262a246e03e23b3172

          SHA1

          17064408bd1c2fe2a6aa8588fba7d34018f94241

          SHA256

          2a0b28de70575228c2bf63f0d3c4073904e2c854427c006f187532f1d0349bd6

          SHA512

          e5946258c126fb0a6657d862931b6c965bfd899a499f023ee3626f62039acdbf844f495c714eaaae47c08de4d8b668377e23f7b5632c0b9d83391aaf08378de7

        • C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\tn_feat.bmp

          Filesize

          243B

          MD5

          1da2c13d7f658d4dbda4cd08933cba0d

          SHA1

          55447016919661e7f86dee62f620a3640dcf31c0

          SHA256

          61ba87f145a9edd68a2d6a7f1f8b840f992f00827bb7a8f86aad728d7d8969c4

          SHA512

          9c770ac6757904d6c81e7f6cc18f97acb3ed4379975b6981744b339b959ab906699a4f53c4d5300047abfda333b6cbda48c884da76dae8cd4d3b93415686f05d

        • memory/1772-112-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

        • memory/1772-111-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

        • memory/2244-93-0x0000000000400000-0x0000000000439000-memory.dmp

          Filesize

          228KB

        • memory/2244-91-0x00000000005B0000-0x00000000005B2000-memory.dmp

          Filesize

          8KB

        • memory/3228-98-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3228-96-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3484-130-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3484-127-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3672-89-0x0000000000400000-0x0000000000439000-memory.dmp

          Filesize

          228KB

        • memory/3672-86-0x0000000000490000-0x0000000000492000-memory.dmp

          Filesize

          8KB

        • memory/3672-84-0x0000000000400000-0x0000000000439000-memory.dmp

          Filesize

          228KB

        • memory/4200-136-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/4200-138-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/4352-120-0x0000000000400000-0x0000000000FCD000-memory.dmp

          Filesize

          11.8MB

        • memory/4352-153-0x0000000000400000-0x0000000000FCD000-memory.dmp

          Filesize

          11.8MB

        • memory/4352-159-0x0000000000400000-0x0000000000FCD000-memory.dmp

          Filesize

          11.8MB

        • memory/4484-135-0x0000000000400000-0x0000000000439000-memory.dmp

          Filesize

          228KB
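The Downloads table above is a ready-made hash set for sweeping hosts that may have run this installer. The Python below is an added example, not part of the sandbox output: it parses entries in the report's own layout (a bulleted path followed by label/value pairs for Filesize, MD5, SHA1, SHA256 and SHA512), hashes files under a directory and reports any whose digest matches a dropped file. The excerpt is copied from the table above (two files and one memory dump) with the blank lines collapsed; `scan_directory` and the size conversion are this example's own helpers, and the memory-dump entries carry no hashes so they never match.

```python
"""Match files on disk against the dropped-file hashes in this report.

Added example. REPORT_EXCERPT is copied from the Downloads section above
with blank lines collapsed; the parser assumes that layout: a bulleted
path, then label / value pairs for Filesize, MD5, SHA1, SHA256, SHA512.
"""
import hashlib
import os
import re

REPORT_EXCERPT = r"""
• C:\Program Files (x86)\iWin Games\host.cfg
  Filesize
  18B
  MD5
  48219b846f8111f0064fd38788b9ab98
  SHA1
  542cb5f93dbf610f28d6c66fca0a49da0076d31d
  SHA256
  38d321b4d09d2d0192d11d7356ebd2f94d413661b126b7494b223a57b04084de
  SHA512
  50ac1b46f6eb79bcad7c20927a95b734fb9b7a7e5d5a0927264fbeba82c9374cfd6437149f9cc43cfe50bfac52cc2948fae20074385ea0e4530841436b5120ad
• C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll
  Filesize
  138KB
  MD5
  f841c2d5f930cf4ae834b67a9eba5809
  SHA1
  50d550e3d9ea5585148f644f12e33d113dd303e8
  SHA256
  9b22d81b76219c30914dbf93f431cf72a6dc071a34fda46c4534a24eb6ca43c7
  SHA512
  ee5f53e67826dd6542b39e5808c6bcfc4b5ddb09ef566de7167c57e7ebfe1a4dd915bb3ab6c7c6693b0b3b499dd35ca6c16f782fc11ea4262f4955a08e206702
• memory/1772-112-0x0000000000400000-0x0000000000462000-memory.dmp
  Filesize
  392KB
"""

LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_downloads(text):
    """Return {report_path: {"size": "18B", "md5": ..., "sha256": ...}} per bulleted entry."""
    iocs, path, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # new entry
            path = line.lstrip("• ").strip()
            iocs[path] = {}
            pending = None
        elif line in LABELS:                      # label line; value follows
            pending = LABELS[line]
        elif path is not None and pending is not None:
            iocs[path][pending] = line if pending == "size" else line.lower()
            pending = None
    return iocs


def approx_bytes(size):
    """'138KB' -> 141312. Report sizes are rounded, so use only as a pre-filter hint."""
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB)", size)
    return int(float(m.group(1)) * UNITS[m.group(2)]) if m else None


def hash_bytes(data):
    """MD5/SHA1/SHA256/SHA512 hex digests of `data`, keyed like the parsed IoCs."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def match_bytes(data, iocs):
    """Report paths whose recorded hashes match `data` (any algorithm; pivot on SHA256)."""
    digests = hash_bytes(data)
    return [path for path, entry in iocs.items()
            if any(entry.get(alg) == digests[alg] for alg in digests)]


def scan_directory(root, iocs):
    """Hash every readable file under `root`; return {file: [matched report paths]}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hits = match_bytes(data, iocs)
            if hits:
                findings[full] = hits
    return findings


if __name__ == "__main__":
    import sys
    table = parse_downloads(REPORT_EXCERPT)
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\iWin Games"
    for f, hits in scan_directory(root, table).items():
        print(f, "->", hits)
```

Feed the full Downloads section into `parse_downloads` rather than the excerpt when using this for real, and treat a match on `iWinGamesHookIE.dll` or `iWinInfo.dll` as confirmation that the BHO registration in the process tree also happened on that host.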