Analysis Overview
SHA256
442ed9cc339b9fdc08e5a94c63a0448f1fcc66a94d91102a29cbef03ffcf6b87
Threat Level: Shows suspicious behavior
The file f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Installs/modifies Browser Helper Object
Drops Chrome extension
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry class
System policy modification
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 10:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 10:01
Reported
2024-04-15 10:03
Platform
win7-20240221-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eifdahbihjkckaogeoggalbobklkhjlm\1\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C} | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ = "wxDownload" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32\ = "C:\\ProgramData\\wxDownload\\50fa5ff325d13.dll" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C} | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ProgID\ = "wxDownload.1" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\wxDownload\\50fa5ff325d13.tlb" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDownload" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ = "wxDownload" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe
.\50fa5ff325cda.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\settings.ini
\Users\Admin\AppData\Local\Temp\nstE54.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\content\zy.xul
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\50fa5ff325ae94.47095869.js
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\background.html
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\content.js
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\lsdb.js
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\manifest.json
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\sqlite.js
\Users\Admin\AppData\Local\Temp\nstE54.tmp\nsJSON.dll
C:\ProgramData\wxDownload\uninstall.exe
C:\ProgramData\wxDownload\50fa5ff325d13.tlb
C:\ProgramData\wxDownload\50fa5ff325d13.dll
memory/2664-87-0x0000000074D40000-0x0000000074D4A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 10:01
Reported
2024-04-15 10:03
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
113s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eifdahbihjkckaogeoggalbobklkhjlm\1\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C} | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ = "wxDownload" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\wxDownload\\50fa5ff325d13.tlb" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ProgID\ = "wxDownload.1" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C} | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32\ = "C:\\ProgramData\\wxDownload\\50fa5ff325d13.dll" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDownload" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ = "wxDownload" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5084 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe |
| PID 5084 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe |
| PID 5084 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe
.\50fa5ff325cda.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe
| MD5 | b78633fae8aaf5f7e99e9c736f44f9c5 |
| SHA1 | 26fc60e29c459891ac0909470ac6c61a1eca1544 |
| SHA256 | d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22 |
| SHA512 | 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43 |
C:\Users\Admin\AppData\Local\Temp\nsu3809.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\settings.ini
| MD5 | 855c6b5c73a00d8cec64cd5919067ed5 |
| SHA1 | 7cb1d326222dc9e641bb107306c675b18f0a62db |
| SHA256 | c252e7daab3136b210af78c0b5e6642e20f221b388a3c388ccc1d5d5fadd9726 |
| SHA512 | 2cd7195f07636de6e9becd90364ddf13c8b3677a2e6cd53feb8c4e5984b47a260835bcfba0e48306b9f9123f8574722776e26a8c90ebf4fa0ff9112e6cef0537 |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\bootstrap.js
| MD5 | 987b5bca5f3ec3dbfb7aaed43b935212 |
| SHA1 | e10f77dfab4c219a26d764221a44be94c1a352f7 |
| SHA256 | 3bdd7bc4da8918219ae607c7c4512b2c1c4b41d289a273c1986987d1ff30475e |
| SHA512 | b1822a79af812aec1d126e648b10f0439a077c7d7b170425be6ace39844002596c05f419797e2acb6059901ea23ee8b09ef99144e008aba9477fce7a7ef294ce |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\chrome.manifest
| MD5 | a8e8c2c03902912d3419b10941879892 |
| SHA1 | 84c401315c68c54be957ee87d1f22153b60e6283 |
| SHA256 | fe04d2d8eef290a82fcbcf3e9d066b752fcd6e16007c74b0207a343e9713643e |
| SHA512 | 9bf5194b8a7e2df886a8894b220e4dcf2042c4239e0de7496011fe49fc01bcda5f072ff4c94b4da5cdff44cd1ccf624ef62512d95fa015227ddafd9b3eb184c0 |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\install.rdf
| MD5 | 69eb4405d3b08890aba7d67a65ab155e |
| SHA1 | 93cb69717520fded52906cff7d8b2b693b33161a |
| SHA256 | 49635a68903beeb0ce00d78a1f564d1d32ddd560967b5b376b3df7e31cf780c6 |
| SHA512 | 19fd9849633dd6dbaf994c03995ebd1738b1367a21c10b1f9e269dfffd5a9b59fd7b820cbbf51770ce1fac85b2ff0ac2d2842044f9332be9d9dd0ee8d32974d6 |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\content\bg.js
| MD5 | 5cca3662526f927f9d2b75e7a8e673dd |
| SHA1 | 6f3ccce2088999f3245798e657fa7386bdf7b8e5 |
| SHA256 | 0450acd9edfb9018d6b214241682e33e9666b704f5719ba779aa02229011ad7e |
| SHA512 | 6baac0f67a76d211af50e169ffc8e1e4ba88488e0522ee0de30f933b97cd15987385fb134a2401ade1f65d78977d47a8a57c9022b32fb2983b8692cb459540af |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\content\zy.xul
| MD5 | 9099258a309085bc65125ceced2a41ef |
| SHA1 | 405453efba0510833b86a76811072b3cebc3b464 |
| SHA256 | a785892a61cb6dee39d17b7860f417bb2539c0a474eaf7fd6cfbe1579405962a |
| SHA512 | 7341e50f2c5c4094317c7619c51b9289d5867ad66b2be90ee104c3278a86200f47c3fae187a8e2219c566b46ad58019c7fac66934207e860866da8b4de9da5f4 |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\50fa5ff325ae94.47095869.js
| MD5 | 1470a6eb8ed3821d395788cca74cf282 |
| SHA1 | d35b4dced55a0ac2e325bd97e6dbbffc808c7b02 |
| SHA256 | 485a055233a8493681ae279437126d5338bb431d49202ee1bde1f270df9693e2 |
| SHA512 | 3e6f1d8da5be07d2a73d5929061f44fb6976911882f0e93b50b2d759374136c6947d6d4ff401b5ed82c09b7a5fea96ab827b7c9544608e30b35259cf30ebbf02 |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\background.html
| MD5 | 11ac65fa679ada1bb63fa9b7192ed446 |
| SHA1 | 5a8404b83ebab6c002ef0fd5cb6bce19eec2b767 |
| SHA256 | 7cd0d5a98e06b99c5e68b5d56b8bf8132fe47aec943ab512359e13c37edccc60 |
| SHA512 | 7dc50ebfbb3576ad9c8e2eeeea5282efce97a5c980bf2fd1945beda2fadf6b8cf00e82c4b06e826000237f0b3865a3ee91e81d6a010b5856cea8e6fb2418fae0 |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\lsdb.js
| MD5 | 209b7ae0b6d8c3f9687c979d03b08089 |
| SHA1 | 6449f8bff917115eef4e7488fae61942a869200f |
| SHA256 | e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704 |
| SHA512 | 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25 |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\content.js
| MD5 | 5f9891607f65f433b0690bae7088b2c1 |
| SHA1 | b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de |
| SHA256 | fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b |
| SHA512 | 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\manifest.json
| MD5 | 4fc1d698abe902d55e60be1d3e32724a |
| SHA1 | 07da8fda75df08b6ba2494246ba1e6d1d4873810 |
| SHA256 | 4c4b5ed58b428b592b4d5dc264cc0064a55754ef21a8c0173dcbe91d832efef1 |
| SHA512 | 482e1b5bb4a01394d4c8664aca1240d548234c114be3efbb4cb958f37bf6339bec9bd3babaf3f718fa4fe199cbe644fee0321bad769a175830eb3426d9ddd447 |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\sqlite.js
| MD5 | c3c5b302c01b2994206ff5d399b07fc6 |
| SHA1 | e84fd9986a6350e0a0e11d7fb117ad65a58ddca3 |
| SHA256 | 6c1f67bbe1086f70ce08454582086a7dbbe715948f0b04a7696d276f1eae49d0 |
| SHA512 | 64964659818c8c93ecf91e41305b427258f2ffbe76ebfff53e62003837d2d5f89a608f5755494629f088636e1f5b9ffb5a7e8eef5e4ec5e5a82d746584942f1e |
C:\Users\Admin\AppData\Local\Temp\nsu3809.tmp\nsJSON.dll
| MD5 | b9cd1b0fd3af89892348e5cc3108dce7 |
| SHA1 | f7bc59bf631303facfc970c0da67a73568e1dca6 |
| SHA256 | 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384 |
| SHA512 | fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90 |
memory/2992-79-0x0000000073E80000-0x0000000073E8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325d13.dll
| MD5 | da161da8bcb9b8032908cc303602f2ee |
| SHA1 | 8a2d5e5b32376a40f33d6c9881001425ec025205 |
| SHA256 | 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e |
| SHA512 | 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c |
C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325d13.tlb
| MD5 | 1f14de44d0d63a79f91d3fe90badb5fc |
| SHA1 | 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e |
| SHA256 | bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c |
| SHA512 | 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c |
C:\ProgramData\wxDownload\uninstall.exe
| MD5 | f3c79bda3fdf7c5dd24d60400a57cadb |
| SHA1 | 1adb606aaeedb246a371c8877c737f0f8c798625 |
| SHA256 | a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b |
| SHA512 | c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935 |