
Incident Response Report: Maranhão — Trojanized Game Mod to Node.js Infostealer

Platform: CyberDefenders
Challenge: Maranhao
Category: Endpoint Forensics
Difficulty: Easy
Tools: DB Browser for SQLite, PECmd, EvtxECmd, Timeline Explorer, Registry Explorer, FTK Imager
Achievement: Proof of Completion

1. Executive Summary

Incident Type: Supply Chain via Trojanized Game Mod / Infostealer / Credential Theft

Affected Host: DESKTOP-HH58NQV — Employee: Levi

On September 17, 2025, an endpoint belonging to employee Levi was compromised after downloading a trojanized game mod archive (Fnafdoomlauncherd.7z) from Google Drive. The malware used a silent Inno Setup installer to deploy a Node.js-based infostealer (updater.exe) into a hidden AppData directory. The malware established registry-based persistence, performed extensive WMIC system fingerprinting, force-killed Microsoft Edge to steal stored credentials via a named IPC pipe, queried a geolocation API, and beaconed to a Cloudflare-proxied C2 domain (api.maranhaogang.fun).

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|---|---|---|
| Delivery URL | https://drive.usercontent.google.com/uc?id=1mIxhfZXmcUT2mbKNuahsRI4S_rzVUFKW&export=download | Google Drive hosting malicious archive |
| Download Time | 2025-09-17 10:10 UTC | Initial compromise timestamp |
| Initial Executable | Fnafdoomlauncher.exe | Trojanized game mod launcher |
| Dropper SHA-1 | FCB94C06FA80CE277B47E545B3805AB38BB6ACF4 | Hash of the installer executable |
| Stage 2 Binary | updater.exe | Node.js infostealer masquerading as Windows Updater |
| Stage 2 SHA-1 | 28E961FB9BE4AD42BB0D1024E0108585B55912DF | Hash of Node.js payload |
| Stage 2 Path | C:\Users\Levi\AppData\Local\Programs\Microsoft Updater\ | Hidden staging directory |
| C2 UUID Argument | e90de8b2-eb79-4614-94f8-308f0f81573b | Unique C2 identifier passed as argument |
| Persistence Key | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Registry autostart entry |
| Persistence Timestamp | 2025-09-17 10:13:27 UTC | 3 minutes after initial execution |
| Named Pipe | \ChromeDecryptIPC_e7e223c5-50d5-40ae-8513-64c9962789c2 | In-memory credential transfer channel |
| C2 Domain | api.maranhaogang.fun | Cloudflare-proxied C2 |
| C2 IPs | 172.67.144.96, 104.21.71.100 | Cloudflare edge nodes |
| Geolocation API | ip-api.com (IP: 208.95.112.1) | Victim location profiling |

MITRE ATT&CK Mapping Overview

| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Supply Chain — Trojanized Software | T1195.002 |
| Execution | Installer Silent Flag (/VERYSILENT) | T1059 |
| Defense Evasion | Masquerading — updater.exe as Windows Updater | T1036.005 |
| Defense Evasion | Hidden Files — attrib +h +s | T1564.001 |
| Persistence | Registry Run Key | T1547.001 |
| Discovery | System Information Discovery via WMIC | T1082 |
| Credential Access | Browser Credential Theft — SQLite DB | T1555.003 |
| Collection | Named Pipe IPC — ChromeDecryptIPC | T1559.001 |
| Command & Control | DNS over Cloudflare Proxy | T1090.002 |

2. Phase 1: Initial Access — Trojanized Game Download (Questions 1–3)

Objective: Identify the delivery URL, download timestamp, and the name of the initial malicious executable.

The forensic image (Maranhão.ad1) contains Levi’s Microsoft Edge browser profile. The History SQLite database within the profile’s Default directory stores a complete log of downloads. Using DB Browser for SQLite, we query the downloads table:

DB Browser for SQLite showing the Microsoft Edge downloads history table with the malicious Google Drive URL and the WebKit timestamp for the download of Fnafdoomlauncherd.7z on 2025-09-17 10:10 UTC.

The malware was hosted on Google Drive — a deliberate choice to abuse a trusted cloud platform and bypass URL reputation filtering. The start_time column contains a WebKit timestamp (microseconds since January 1, 1601) that, when converted to UTC, yields the precise download time.
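The query and timestamp conversion described above, as an added example that is not part of the original report. It builds a constructed, in-memory stand-in for the Edge History file (a subset of the real Chromium schema: the `downloads` table plus the `downloads_url_chains` table that holds the actual download URL), inserts one row using the report's URL and 10:10 UTC timestamp, and decodes `start_time` from WebKit microseconds to UTC. The archive path and byte counts are invented; point `sqlite3.connect` at a copied History file to run it against real data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# WebKit/Chromium timestamps count microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(ts_us: int) -> datetime:
    """Convert a WebKit microsecond timestamp to a timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts_us)


def utc_to_webkit(dt: datetime) -> int:
    """Inverse conversion; used below only to build the constructed sample row."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for Edge's 'History' file (a subset of the real schema).

    Chromium keeps the download row in `downloads` and the URL redirect chain in
    `downloads_url_chains`; only the columns the query needs are modelled here.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY,
            target_path TEXT,
            start_time INTEGER,
            received_bytes INTEGER,
            total_bytes INTEGER
        );
        CREATE TABLE downloads_url_chains (
            id INTEGER,
            chain_index INTEGER,
            url TEXT
        );
    """)
    start = utc_to_webkit(datetime(2025, 9, 17, 10, 10, 0, tzinfo=timezone.utc))
    conn.execute(
        "INSERT INTO downloads VALUES (1, ?, ?, 4194304, 4194304)",
        (r"C:\Users\Levi\Downloads\Fnafdoomlauncherd.7z", start),  # constructed path and size
    )
    conn.execute(
        "INSERT INTO downloads_url_chains VALUES (1, 0, ?)",
        ("https://drive.usercontent.google.com/uc?id=1mIxhfZXmcUT2mbKNuahsRI4S_rzVUFKW&export=download",),
    )
    conn.commit()
    return conn


def list_downloads(conn: sqlite3.Connection) -> list:
    """Return each download with the final URL of its chain and start_time decoded to UTC."""
    rows = conn.execute("""
        SELECT d.id, d.target_path, d.start_time, c.url
        FROM downloads d
        JOIN downloads_url_chains c ON c.id = d.id
        WHERE c.chain_index = (SELECT MAX(chain_index)
                               FROM downloads_url_chains WHERE id = d.id)
        ORDER BY d.start_time
    """).fetchall()
    return [
        {"id": row_id, "path": path, "url": url,
         "start_utc": webkit_to_utc(ts).strftime("%Y-%m-%d %H:%M:%S")}
        for row_id, path, ts, url in rows
    ]


if __name__ == "__main__":
    for entry in list_downloads(build_sample_history()):
        print(entry["start_utc"], entry["url"], "->", entry["path"])
```

The join picks the last entry of the redirect chain because a Google Drive download typically redirects at least once; the first chain entry is the URL the user clicked, the last is what the browser actually fetched. Chromium and Edge also use the same WebKit epoch for `visits.visit_time` and `urls.last_visit_time`, so `webkit_to_utc` applies to those columns unchanged.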

Parsing the Windows Prefetch directory using PECmd confirms the executable extracted from the archive was subsequently run by the user:

PECmd output showing the Prefetch artifact FNAFDOOMLAUNCHER.EXE-XXXXXXXX.pf confirming the trojanized game mod launcher was executed by the user shortly after the download.

Prefetch timestamp analysis showing the first run time of Fnafdoomlauncher.exe, corroborating the download-to-execution timeline.

Answer Q1

What URL was used to download the malicious archive?

https://drive.usercontent.google.com/uc?id=1mIxhfZXmcUT2mbKNuahsRI4S_rzVUFKW&export=download

Answer Q2

What is the UTC timestamp of the archive download?

2025-09-17 10:10

Answer Q3

What is the name of the executable responsible for initiating the compromise?

Fnafdoomlauncher.exe


3. Phase 2: Execution — Silent Installer & Stage 2 Deployment (Questions 4–7)

Objective: Identify the installer flags, dropper hash, stage 2 path, and C2 UUID argument.

Sysmon Event ID 1 (Process Create) logs captured the full command line of the installer execution. The /VERYSILENT flag was passed to suppress all installer UI — no progress bar, no UAC prompt, nothing to alert the user that software was being installed in the background.

EvtxECmd output showing the Sysmon Event ID 1 log for Fnafdoomlauncher.exe with the /VERYSILENT flag and the SHA-1 hash FCB94C06FA80CE277B47E545B3805AB38BB6ACF4 in the Hashes field.

The installer then spawned a second process: updater.exe — a Node.js executable masquerading as a Windows system updater — executing from a hidden staging directory with a UUID passed as a command-line argument for C2 identification.

Analyst Note: The /VERYSILENT flag in Sysmon Process Create logs is a high-fidelity indicator of malicious installer activity. Legitimate enterprise software installed via IT management tools (SCCM, Intune) does not typically use this flag for user-facing installs. Alert on this flag whenever the parent process is a user-downloaded executable.
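The alert logic the analyst note proposes, as an added example that is not part of the original report. It evaluates Sysmon Event ID 1 records (field names as EvtxECmd exports them) and fires when an Inno Setup quiet switch appears on a command line whose parent is not a deployment agent, rating the hit higher when the installer itself lives in a user-writable folder. The three sample events are constructed: only the /VERYSILENT switch, host and user names come from the report; the Downloads sub-folder, the SCCM cache path and the third binary are invented, and the example generalises to the /SILENT switch as well.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed Sysmon Event ID 1 records in EvtxECmd-style field names (not from the image).
SAMPLE_EVENTS = [
    {"EventId": 1, "UtcTime": "2025-09-17 10:10:58",
     "Image": r"C:\Users\Levi\Downloads\Fnafdoomlauncherd\Fnafdoomlauncher.exe",
     "CommandLine": r'"C:\Users\Levi\Downloads\Fnafdoomlauncherd\Fnafdoomlauncher.exe" /VERYSILENT',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"DESKTOP-HH58NQV\Levi"},
    {"EventId": 1, "UtcTime": "2025-09-17 10:12:40",
     "Image": r"C:\Windows\ccmcache\a1\setup.exe",
     "CommandLine": r'"C:\Windows\ccmcache\a1\setup.exe" /VERYSILENT /NORESTART',
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventId": 1, "UtcTime": "2025-09-17 10:12:55",
     "Image": r"C:\Users\Levi\Downloads\notes.exe",
     "CommandLine": r'"C:\Users\Levi\Downloads\notes.exe" /silentmode',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"DESKTOP-HH58NQV\Levi"},
]

# Inno Setup's documented quiet switches, matched only as whole tokens so that
# something like "/silentmode" does not fire.
SILENT_SWITCH = re.compile(r"(?<!\S)/(?:VERYSILENT|SILENT)(?!\S)", re.IGNORECASE)
USER_WRITABLE = {"Downloads", "Desktop", "AppData", "Temp", "Public"}
# Deployment agents whose child installers are expected to be silent; extend for your estate.
MANAGEMENT_PARENTS = {"ccmexec.exe", "microsoft.management.services.intunewindowsagent.exe"}


def in_user_writable_location(path: str) -> bool:
    return any(part in USER_WRITABLE for part in PureWindowsPath(path).parts)


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for a quiet-switch install that is not IT-managed, else None."""
    if event.get("EventId") != 1:
        return None
    match = SILENT_SWITCH.search(event.get("CommandLine", ""))
    if not match:
        return None
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    managed = parent in MANAGEMENT_PARENTS and not in_user_writable_location(event["Image"])
    if managed:
        return None  # deployment agent installing from its own cache: expected
    return {
        "time": event["UtcTime"],
        "image": event["Image"],
        "switch": match.group(0),
        "parent": event["ParentImage"],
        "user": event["User"],
        # an installer living in a user-writable folder is the pattern seen in this case
        "severity": "high" if in_user_writable_location(event["Image"]) else "medium",
    }


def scan(events) -> list:
    return [alert for alert in (evaluate(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The parent-process allowlist is deliberately small: a user-mode installer launched by explorer.exe, a browser or an archive tool is exactly the case the report describes, while a child of the SCCM or Intune agent running from its own cache is routine. Keep the `Image` location check even for allowlisted parents, since an agent launching a binary from Downloads or Temp is itself worth a look.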

Answer Q4

What installer flag was used to suppress user prompts?

/VERYSILENT

Answer Q5

What is the SHA-1 hash of the dropper binary?

FCB94C06FA80CE277B47E545B3805AB38BB6ACF4

Answer Q6

What is the full path of the stage 2 execution directory?

C:\Users\Levi\AppData\Local\Programs\Microsoft Updater\

Answer Q7

What UUID argument was passed to the stage 2 binary for C2 identification?

e90de8b2-eb79-4614-94f8-308f0f81573b


4. Phase 3: Persistence & Defense Evasion (Questions 8–10)

Objective: Identify the registry persistence entry, its creation timestamp, and the file hiding command.

Sysmon Event ID 13 (Registry Value Set) captured the malware writing updater.exe to the Windows Run key — ensuring it executes automatically on every user login:

Registry Explorer showing the Run key entry for updater.exe at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run created at 10:13:27 UTC — exactly 3 minutes after the initial execution.

Registry Explorer showing the full path of the updater.exe persistence binary in the Microsoft Updater subdirectory of AppData Local Programs.

Immediately after establishing persistence, the malware spawned cmd.exe to execute attrib +h +s against the staging directory — setting the Hidden and System attributes to make the folder invisible in standard File Explorer views.

FTK Imager view of the hidden Microsoft Updater directory in AppData Local Programs, showing the malware's staging files hidden from normal user view.

Answer Q8

What is the full path of the binary embedded in the persistence mechanism?

C:\Users\Levi\AppData\Local\Programs\Microsoft Updater\updater.exe

Answer Q9

What is the timestamp of the registry persistence entry creation?

2025-09-17 10:13:27

Answer Q10

What command was used to hide the staging directory?

attrib +h +s


5. Phase 4: Discovery — WMIC System Fingerprinting (Questions 11–16)

Objective: Identify the WMIC commands used to profile the victim system before exfiltration.

Sysmon Event ID 1 logs show wmic.exe being spawned five consecutive times in rapid succession — each with a different query argument. This is a textbook infostealer fingerprinting sequence:

EvtxECmd output from Timeline Explorer showing five consecutive Sysmon Event ID 1 entries for wmic.exe with different query parameters: os get Caption, cpu get Name, win32_VideoController get Name, csproduct get UUID, and logicaldisk get Caption FreeSpace Size.

| Query | Intelligence Gathered |
|---|---|
| wmic os get Caption | OS name and version |
| wmic cpu get Name | Processor model |
| wmic path win32_VideoController get Name | GPU model |
| wmic csproduct get UUID | Hardware machine GUID |
| wmic logicaldisk get Caption,FreeSpace,Size,Description /format:list | Storage inventory |

Additionally, a PowerShell command read the Windows Product Key from the registry — a highly specific intelligence target that helps the attacker assess the value of the compromised system.

Event log showing PowerShell Get-ItemProperty command targeting the BackupProductKeyDefault registry path to steal the Windows Product Key.

Answers Q11–Q16

Q11: wmic os get Caption
Q12: wmic cpu get Name
Q13: wmic path win32_VideoController get Name
Q14: wmic csproduct get UUID
Q15: wmic logicaldisk get Caption,FreeSpace,Size,Description /format:list
Q16 (Registry key for Product Key): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\BackupProductKeyDefault


6. Phase 5: Credential Access — Browser Kill & IPC Theft (Questions 17 & 18)

Objective: Identify how the malware accessed Edge’s credential database and the IPC mechanism used for data transfer.

To access Microsoft Edge’s SQLite credential database (Login Data), the malware first force-killed all running Edge processes to release file locks:

Event log showing the taskkill /F /IM msedge.exe command executed by the malware to forcefully terminate all Microsoft Edge browser processes, releasing the SQLite database file locks.

After killing the browser, Sysmon Event ID 17 (Pipe Created) captured the creation of a named pipe used to transfer the decrypted credentials between internal processes — keeping the stolen data entirely in memory and off disk:

Sysmon Event ID 17 showing the creation of the named pipe ChromeDecryptIPC_e7e223c5-50d5-40ae-8513-64c9962789c2, an in-memory inter-process communication channel for transferring decrypted browser credentials.

Analyst Note: Named pipes with ChromeDecryptIPC in their name are a known behavioral signature of browser credential stealers. This pattern should be added to your EDR hunting queries. Sysmon Event ID 17 (Pipe Created) must be enabled in your Sysmon configuration to capture this evidence.
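The hunt the analyst note calls for, as an added example that is not part of the original report. It flags Sysmon Event ID 17 (Pipe Created) records whose pipe name starts with `\ChromeDecryptIPC_`, then raises the severity when the same process (or a process with the same image path) force-killed a browser via taskkill shortly before, which is the two-step sequence the report recovered. The pipe name and taskkill command line come from the report; the timestamps, process GUIDs, the parent/child relationship and the benign Edge `mojo` pipe are constructed.

```python
import re
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
STAGER = r"C:\Users\Levi\AppData\Local\Programs\Microsoft Updater\updater.exe"
CREATOR = "{11111111-2222-3333-4444-555555555555}"  # constructed GUID standing in for updater.exe

# Behavioural signature from the report; anchored so the match is on the pipe name, not a substring.
PIPE_SIGNATURE = re.compile(r"^\\ChromeDecryptIPC_", re.IGNORECASE)
# Forced termination of any major browser via taskkill /IM.
BROWSER_KILL = re.compile(r"\btaskkill(?:\.exe)?\b.*\s/IM\s+(msedge|chrome|brave|firefox)\.exe", re.IGNORECASE)

# Constructed Sysmon records: Event ID 1 for the taskkill, Event ID 17 for the pipe,
# plus a routine Chromium IPC pipe from Edge itself that must not fire.
SAMPLE_EVENTS = [
    {"EventId": 1, "UtcTime": "2025-09-17 10:15:02", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM msedge.exe", "ProcessGuid": "{22222222-3333-4444-5555-666666666666}",
     "ParentProcessGuid": CREATOR, "ParentImage": STAGER},
    {"EventId": 17, "UtcTime": "2025-09-17 10:15:04", "EventType": "CreatePipe",
     "PipeName": r"\ChromeDecryptIPC_e7e223c5-50d5-40ae-8513-64c9962789c2",
     "Image": STAGER, "ProcessGuid": CREATOR},
    {"EventId": 17, "UtcTime": "2025-09-17 10:16:30", "EventType": "CreatePipe",
     "PipeName": r"\mojo.8812.4410.1234567890",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ProcessGuid": "{33333333-4444-5555-6666-777777777777}"},
]


def hunt(events, window_s: int = 120) -> list:
    """Return one alert per matching pipe, upgraded to critical when a browser kill preceded it."""
    kills = [e for e in events
             if e.get("EventId") == 1 and BROWSER_KILL.search(e.get("CommandLine", ""))]
    alerts = []
    for e in events:
        if e.get("EventId") != 17 or not PIPE_SIGNATURE.search(e.get("PipeName", "")):
            continue
        t_pipe = datetime.strptime(e["UtcTime"], FMT)
        related = []
        for k in kills:
            same_actor = (k.get("ParentProcessGuid") == e["ProcessGuid"]
                          or k.get("ParentImage", "").lower() == e["Image"].lower())
            delta = (t_pipe - datetime.strptime(k["UtcTime"], FMT)).total_seconds()
            if same_actor and 0 <= delta <= window_s:
                related.append(k)
        alerts.append({
            "time": e["UtcTime"],
            "image": e["Image"],
            "pipe": e["PipeName"],
            "severity": "critical" if related else "high",
            "browser_kill": related[0]["CommandLine"] if related else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["severity"], alert["time"], alert["image"], alert["pipe"], alert["browser_kill"])
```

The pipe match alone is already worth an alert; the correlation exists so that the case the report describes (kill the browser to release the SQLite lock, then open the IPC channel) surfaces at the top of the queue. In real telemetry the taskkill is often launched through an intermediate cmd.exe, as this malware did for `attrib`, so walk the parent chain rather than comparing only the immediate parent. Sysmon only emits Event ID 17 if the configuration enables `PipeEvent`, which is the point of the note above.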

Answer Q17

What command was used to force-terminate the browser?

taskkill /F /IM msedge.exe

Answer Q18

What named pipe was created for credential transfer?

ChromeDecryptIPC_e7e223c5-50d5-40ae-8513-64c9962789c2


7. Phase 6: Command & Control — Geolocation + Cloudflare Proxy (Questions 19–21)

Objective: Identify the geolocation API, its IP, and the C2 domain’s resolved IPs.

Sysmon Event ID 22 (DNS Query) logs captured the malware’s outbound DNS queries in sequence. The pattern is consistent: first call the geolocation API to profile the victim, then beacon to the C2 domain.

Sysmon Event ID 22 DNS query log showing sequential lookups: first to ip-api.com for geolocation profiling, then to api.maranhaogang.fun which resolves to two Cloudflare proxy IP addresses.

DNS resolution results showing api.maranhaogang.fun resolving to Cloudflare edge IPs 172.67.144.96 and 104.21.71.100, confirming the attacker is using Cloudflare to proxy and protect their C2 infrastructure.

The C2 domain api.maranhaogang.fun resolves to Cloudflare edge nodes rather than the attacker’s actual server. This deliberate architecture makes attribution difficult, prevents IP-based blocking (blocking Cloudflare IPs would break legitimate sites), and provides resilience against takedowns.

Analyst Note: Cloudflare-proxied C2 infrastructure requires domain-based blocking rather than IP-based blocking. Add api.maranhaogang.fun to DNS sinkholes and web proxy blocklists. Blocking the Cloudflare IPs directly would cause significant collateral damage to legitimate traffic.
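The triage and blocking decision described in this section, as an added example that is not part of the original report. It walks Sysmon Event ID 22 (DNS Query) records, matches query names against the report's C2 domain and the geolocation API (including any subdomain), parses the resolved addresses from Sysmon's `QueryResults` format, and marks addresses that fall inside two of Cloudflare's published IPv4 ranges (104.16.0.0/13 and 172.64.0.0/13, see cloudflare.com/ips) as shared CDN edges that must not be blocked. It then emits the RPZ records a DNS sinkhole needs for the domain. The domains and resolved IPs come from the report; the timestamps, the image path as query origin and the unrelated Edge lookup are constructed.

```python
import ipaddress
from typing import Optional

STAGER = r"C:\Users\Levi\AppData\Local\Programs\Microsoft Updater\updater.exe"

# Indicators from the report.
IOC_DOMAINS = {"api.maranhaogang.fun": "Cloudflare-proxied C2"}
WATCH_DOMAINS = {"ip-api.com": "geolocation profiling of the victim"}
# Two of Cloudflare's published anycast ranges; refresh from cloudflare.com/ips before relying on this.
SHARED_EDGE_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed Sysmon Event ID 22 records. Sysmon writes IPv4 answers as "::ffff:a.b.c.d;"
# and CNAME steps as "type:  5 name;"; the Edge lookup uses documentation-only addresses.
DNS_EVENTS = [
    {"EventId": 22, "UtcTime": "2025-09-17 10:15:40", "Image": STAGER,
     "QueryName": "ip-api.com", "QueryStatus": "0", "QueryResults": "::ffff:208.95.112.1;"},
    {"EventId": 22, "UtcTime": "2025-09-17 10:15:41", "Image": STAGER,
     "QueryName": "api.maranhaogang.fun", "QueryStatus": "0",
     "QueryResults": "::ffff:172.67.144.96;::ffff:104.21.71.100;"},
    {"EventId": 22, "UtcTime": "2025-09-17 10:20:03",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "QueryName": "www.example.com", "QueryStatus": "0",
     "QueryResults": "type:  5 edge.example.net;::ffff:203.0.113.10;"},
]


def parse_results(raw: str) -> list:
    """Extract IP addresses from a Sysmon QueryResults string, skipping CNAME entries."""
    out = []
    for token in raw.split(";"):
        token = token.strip()
        if not token or token.startswith("type:"):
            continue
        if token.startswith("::ffff:"):
            token = token[len("::ffff:"):]
        try:
            out.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass
    return out


def classify(qname: str) -> Optional[tuple]:
    """Suffix-match a query name against the IOC and watch lists."""
    q = qname.lower().rstrip(".")
    for table, verdict in ((IOC_DOMAINS, "block-domain"), (WATCH_DOMAINS, "review")):
        for domain, why in table.items():
            if q == domain or q.endswith("." + domain):
                return verdict, domain, why
    return None


def is_shared_edge(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_EDGE_NETS)


def triage(events) -> list:
    hits = []
    for e in events:
        if e.get("EventId") != 22:
            continue
        verdict = classify(e["QueryName"])
        if verdict is None:
            continue
        action, domain, why = verdict
        ips = parse_results(e.get("QueryResults", ""))
        shared = [ip for ip in ips if is_shared_edge(ip)]
        hits.append({
            "time": e["UtcTime"], "image": e["Image"], "query": e["QueryName"],
            "matched": domain, "why": why, "verdict": action, "resolved": ips,
            "shared_edge": shared,                                  # blocking these breaks other sites
            "ip_blockable": [ip for ip in ips if ip not in shared],  # safe to block at the edge
        })
    return hits


def build_rpz(domains) -> str:
    """RPZ zone body: CNAME to '.' returns NXDOMAIN for the domain and every subdomain."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in triage(DNS_EVENTS):
        print(hit["verdict"], hit["query"], "resolved", hit["resolved"],
              "shared-edge", hit["shared_edge"], "ip-blockable", hit["ip_blockable"])
    print(build_rpz(IOC_DOMAINS))
```

For the C2 record the `ip_blockable` list comes back empty and both addresses land in `shared_edge`, which is the practical argument for the domain-level control: the RPZ lines (or their equivalent in the web proxy's category list) are the only entry that removes this C2 without collateral damage. The geolocation API is listed for review rather than blocking, since legitimate software also uses it; the report's value lies in the ordering (the API lookup one second before the C2 resolution from the same process).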

Answer Q19

What geolocation API did the malware query?

ip-api.com

Answer Q20

What is the IP address of the geolocation API?

208.95.112.1

Answer Q21

What are the two C2 IP addresses resolved via DNS?

172.67.144.96, 104.21.71.100


8. Conclusion

The Maranhão investigation traces a complete infostealer infection from a game mod download to domain credential theft. Key findings:

  1. Delivery: Trojanized game mod (Fnafdoomlauncher.exe) downloaded from Google Drive, hosted to bypass URL reputation filters.
  2. Execution: Inno Setup installer with /VERYSILENT flag deployed updater.exe (Node.js stealer) to a hidden AppData directory.
  3. Persistence: Registry Run key set at 10:13:27 UTC — 3 minutes after execution. Directory hidden via attrib +h +s.
  4. Fingerprinting: Five WMIC queries + Windows Product Key theft performed for full system profiling.
  5. Credential Theft: Edge killed via taskkill, credentials exfiltrated via ChromeDecryptIPC named pipe.
  6. C2: Cloudflare-proxied api.maranhaogang.fun with prior geolocation profiling via ip-api.com.

Key Takeaways for the SOC:

  1. Game mods are a persistent supply-chain threat. Employees downloading software from unofficial sources bypass enterprise procurement security. Application allowlisting is the only reliable control.
  2. /VERYSILENT is a red flag in Sysmon logs. Legitimate enterprise installers used by IT management tools do not typically suppress all UI. Automate an alert on this flag when the parent process is a user-initiated download.
  3. Named pipes for credential IPC are a hunting target. Add ChromeDecryptIPC* to your Sysmon Event ID 17 hunt queries — this is a cross-vendor browser stealer signature.
  4. Cloudflare-proxied C2 = Domain-based blocking required. Never attempt to block Cloudflare IPs. Maintain domain-level IOC blocking at your DNS resolver and web proxy.

Analysis Date: April 7, 2026
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.