Analysis Overview
SHA256
36a9766d3a046fce6fe99e1dd44d47c139e122e81c820861bf875e29f8c48283
Threat Level: Shows suspicious behavior
The file efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Drops Chrome extension
Installs/modifies Browser Helper Object
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-14 23:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-14 23:58
Reported
2024-04-15 00:01
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pojanldgniankjbdaokompnocadfddoh\1\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288} | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288}\ = "SaveSale" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32\ = "C:\\ProgramData\\SaveSale\\50f9663195781.dll" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ = "SaveSale" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ProgID\ = "SaveSale.1" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\SaveSale" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288} | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\SaveSale\\50f9663195781.tlb" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A672506D-4C63-645C-544E-9AF97E804288} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe
.\50f966319574b.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe
| MD5 | b78633fae8aaf5f7e99e9c736f44f9c5 |
| SHA1 | 26fc60e29c459891ac0909470ac6c61a1eca1544 |
| SHA256 | d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22 |
| SHA512 | 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43 |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\settings.ini
| MD5 | 83e13cf909711be62910a2f76d635ce1 |
| SHA1 | 0de9542b2b41720220b5a8c9d024097a5cb5b30f |
| SHA256 | d15d6c301d3f71ebd9b8432849c87c571d48d4fe4244ee17ced53f368876f7f2 |
| SHA512 | 3fed61f36f72ef3bb8f8b02b49edad3954b2651a5034acc378c988b6abdab68d7f42bb99addf148559e2016f214dacfdf887e2ad8bd8841fb3aab28ae1b7a538 |
\Users\Admin\AppData\Local\Temp\nsy5DF9.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\chrome.manifest
| MD5 | 62d2e7d87e4c96fa899fb5189046ef24 |
| SHA1 | 77347b5d444b1ea89333450020104ef7653ef4fc |
| SHA256 | 562c75fb95007baacfb43f809d00c3c3a44bbe5f6d36ee552bcbb33f2b9b6fb4 |
| SHA512 | cafbca9ce42659996ddb9eabc022176e2c5f15a8662fad505c74cb0304305900c092d3a10e7044480a5a7c99b6c99f8e028f6593b4fdf39916041036e90aa5c0 |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\bootstrap.js
| MD5 | 1f888fc620ec8111471c9344ef8c0896 |
| SHA1 | d72a0a1d33e66ec1759a0b94c78cebb7578c01de |
| SHA256 | d15cc8ad247aafa73e9cf28e6b2a380906ad72c9fdd80226a0a6922b109250fe |
| SHA512 | e7462f8c0a1fb3f6f90dc33711700876ec29c4f2e0c6aa87fa0487955ef5755aa1aa31c076e8e46b48f51935d78295797b8ca0e6fc81122c48704777cfdaf0e1 |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\install.rdf
| MD5 | 0cda931073cd2995ef23812f5205ec52 |
| SHA1 | d36e25347164f3c0e3569486502251fc845a3318 |
| SHA256 | 5e1233f272872ec1ce234f04353d8fbf7aaf17f893c7deb5fd3366dcbe79b80e |
| SHA512 | b2033a80f0b04e9cdbfc6d3640e2ba7fed0af75bbe286f6ccfc4f45ee40c2024a609507908ad607ceff1d0407cd7e71c389bf030a17ee196c5f99e5d6c47fddd |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\content\bg.js
| MD5 | 9e5854b698a3573be17795abd100c275 |
| SHA1 | f5963bb76f7d10411fa35862c360f6ba7520dff1 |
| SHA256 | e17678ce8754f88ad079727ac420af9f0dcf990d41d0038939595eb502cfea7a |
| SHA512 | 664c647aef02948b1225e9a7ab3fb7103a8dcd5000fb3ade5a36b1a229be45a945125627a639f886555eefd38fefb6cf19ed03e2d889793b8996a883d75cd876 |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\content\zy.xul
| MD5 | 990a13b857dcd3608f7843a11e95c5b7 |
| SHA1 | cf151703c75f40679a4ea26ea8827305925acaa4 |
| SHA256 | f904b005baf4e7ba33d01399ed73adb744b0a0c4ff0314587d3af14a320eccb8 |
| SHA512 | d8a38f347b0ed26207f7c2af22ee7cebf16911762a01d757b7fc10e2eb06e213fb2ba9047a171cb05564b8193f1a172f16735ad48c9bab38524a98bc7ea83636 |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\50f96631955797.13618994.js
| MD5 | 33adf0a56be978372efb8e0d83146929 |
| SHA1 | aa363355ed005361f5bca651f8f057e86a01cb9e |
| SHA256 | 1d4224726fbca8654712e0b8eb45bc0e380783aa4c90fa42969cdf9c9f5229b5 |
| SHA512 | 5d3e8608b1e2d7cfec36952224c7cd4e95f4ddcf98d60a2defd4298ac47b8b3993f60163ce53944c5e069ecae86a2f84e2b090c46d2431f53d6620772c3b5bc7 |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\background.html
| MD5 | 5876994e5c97bc42f7ec17fecd2b6dcc |
| SHA1 | 409853654c6e8266ede70cf74d033523f373dc99 |
| SHA256 | 579b9faa35ffeab00d843cceb0b7c3f78b7b6dcaf92ab56a0c63597cc05ffb8c |
| SHA512 | a59d18ba94bd261ed0ccd016feee1fe65302ee59f04c332612ad8f377521a9763d8610c417c041d75a2706ee41530d3e36ab0d936ced2fb7846bafeae7e733f1 |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\content.js
| MD5 | 5f9891607f65f433b0690bae7088b2c1 |
| SHA1 | b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de |
| SHA256 | fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b |
| SHA512 | 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\manifest.json
| MD5 | f91cd42bdfe41bcc97d2eb37eafd8bd2 |
| SHA1 | c0dd02c8f7959b84bf6583d62ecd308651c37b6d |
| SHA256 | 6805fc1de5ccc99d653689693aeb3a390116b024eedc26b0ca00a7296ec422a5 |
| SHA512 | 8a043a54c40787174c0f167c0083899757803b06100189a9a485d86ebadfa791b83af0e8a502fd34c2b8b20ad9b4c82cf1c302234db69006cf089e0b7179ab2f |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\lsdb.js
| MD5 | 209b7ae0b6d8c3f9687c979d03b08089 |
| SHA1 | 6449f8bff917115eef4e7488fae61942a869200f |
| SHA256 | e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704 |
| SHA512 | 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25 |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\sqlite.js
| MD5 | 95d18c0759e713521b35ad403c644c51 |
| SHA1 | e93e5398d4d8dad423053d0a24210e05fe6515cd |
| SHA256 | 5adad0541b1225eb081161c56d4d02167cab4da7590e454f9073e34dfde5b249 |
| SHA512 | 9c8939c4012cda49b6ddaa918314d1776f5e89aff486faf2157d0f351a695a9b0c8d77904cb87f8b48e20f32769bf4982dbd5a119529959c7b19d876cb5fae0c |
\Users\Admin\AppData\Local\Temp\nsy5DF9.tmp\nsJSON.dll
| MD5 | b9cd1b0fd3af89892348e5cc3108dce7 |
| SHA1 | f7bc59bf631303facfc970c0da67a73568e1dca6 |
| SHA256 | 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384 |
| SHA512 | fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90 |
memory/2876-80-0x0000000075120000-0x000000007512A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f9663195781.dll
| MD5 | da161da8bcb9b8032908cc303602f2ee |
| SHA1 | 8a2d5e5b32376a40f33d6c9881001425ec025205 |
| SHA256 | 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e |
| SHA512 | 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c |
C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f9663195781.tlb
| MD5 | 1f14de44d0d63a79f91d3fe90badb5fc |
| SHA1 | 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e |
| SHA256 | bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c |
| SHA512 | 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c |
C:\ProgramData\SaveSale\uninstall.exe
| MD5 | f3c79bda3fdf7c5dd24d60400a57cadb |
| SHA1 | 1adb606aaeedb246a371c8877c737f0f8c798625 |
| SHA256 | a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b |
| SHA512 | c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-14 23:58
Reported
2024-04-15 00:01
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pojanldgniankjbdaokompnocadfddoh\1\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288} | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288}\ = "SaveSale" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ = "SaveSale" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ProgID\ = "SaveSale.1" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32\ = "C:\\ProgramData\\SaveSale\\50f9663195781.dll" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288} | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\SaveSale" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\SaveSale\\50f9663195781.tlb" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1140 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe |
| PID 1140 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe |
| PID 1140 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A672506D-4C63-645C-544E-9AF97E804288} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe
.\50f966319574b.exe /s
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\settings.ini
C:\Users\Admin\AppData\Local\Temp\nsnF30C.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\content\zy.xul
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\50f96631955797.13618994.js
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\background.html
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\content.js
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\lsdb.js
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\manifest.json
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\sqlite.js
C:\Users\Admin\AppData\Local\Temp\nsnF30C.tmp\nsJSON.dll
memory/4648-78-0x0000000074CD0000-0x0000000074CDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f9663195781.dll
C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f9663195781.tlb
C:\ProgramData\SaveSale\uninstall.exe