Malware Analysis Report

2025-01-18 22:03

Sample ID 240622-dm4ansveme
Target 010574ec10956dc6f5bba79de8e8a868_JaffaCakes118
SHA256 4b365aa00d65dcea6b9194a3f2056f0839c23ce4f88fb4cade23c1a2836ed885
Tags
adware discovery spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

4b365aa00d65dcea6b9194a3f2056f0839c23ce4f88fb4cade23c1a2836ed885

Threat Level: Shows suspicious behavior

The file 010574ec10956dc6f5bba79de8e8a868_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Unsigned PE

NSIS installer

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 03:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 03:08

Reported

2024-06-22 03:10

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave Class" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} = "1" C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe

.\setup.exe /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe

MD5 16ef6e914973925977cdc5ef6b8b2565
SHA1 4815da2815975b33f5dc94d482e6dbc02588afa6
SHA256 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f
SHA512 c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\settings.ini

MD5 faa2024f7388b28541193d9380fd75e5
SHA1 a2957b381fcce680f222e217528f22f58029d93a
SHA256 0faa3a088913d35fb0d3e6865dafec49590797ebed59f0fbe104fdb848c2cfc1
SHA512 c6f0f872f98f20da0535ab50752ac3c37f86f714ef97cca7f983b1062640b988caf08741f0dd371791d185e6d9754837586cdbc8c87bf90b776d7cfccb521bab

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\bootstrap.js

MD5 e16c50c73ad0c26bbd7593f325288ea8
SHA1 283626b095dbfd2fa285cc8ddcc104ce994a5a62
SHA256 bba9d13c3738ea9a3541dc9cd59950f0ebac4e73380a7ef0e9a42228346c3d62
SHA512 ac53acc63bdd53ee79648029fde8f00ce982d591de6d98a92303da495af797e9ea8818e2d5e9aed695bc72cd7741366ae992550b1b12db809252acd1729a6b8a

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\install.rdf

MD5 8c9083164a24c3a1635f67bae9ed0234
SHA1 2639e027baeb383b25852d45cd14ef27fa9ccf09
SHA256 c5ed38f5f685b9fd16c99a46c471275f5f68e044b4d51b0eb28e3bcec9df1047
SHA512 0ab598271f99aa768057ab8a9766aa59a8ac444cbf41a5f93c8ffae8311977b7c704f3e4a38fd8c330ae43b5402c5b33ef840b10a76be29f5aa3d2ab08bac7cc

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\chrome.manifest

MD5 2add96c9a90156fafb11de0425e55ca5
SHA1 75ad9a976990579e1dcad37ff66f25a49d77a057
SHA256 278f4d605c24c223d97343253f5490a2187e6f56ac153856eb0a46e2bec730c9
SHA512 cf4e68d3748ac659f2bdd7a029e36a1b4f73bfe3281531ce21ebf85eddd2cb94f2643f5f464813032ac91eaf9c4d045242fcde1f1d48695f0ff97ede99afd1fb

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\content\bg.js

MD5 f1b770558cfd7f7804683bbdef4da2a9
SHA1 996ff052f2ac63a4dd0effb0fbb76ef0d7e66ed5
SHA256 5ecd54748cb2c61c784b8afa179bc178e90560468245bf78a92964c264f1d56f
SHA512 df2d485b0decf9a7a82d6a4b443bdcb9c4bd6f792935aa49d3073a1236477643335f201c009d65f7ede6d280a5876caf62a0870d501955cb0153248bebf18ef1

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\content\zy.xul

MD5 9c5dc933b4785b5ef632b39a1d60d5ad
SHA1 1ff05095e13be95b0145b4f93c83d838e4824720
SHA256 1db1a94ae056c978fa06f9eb9fbbcbdcf8d108ab323b68f7e97eb521a394b471
SHA512 7fc18b7b245153208bb039981a6b02eefdc2d65e4934320b1199ccc007c96dd30bcc59f3a4f604fd99fc77c12ac4b36bc0e7d4cfda398dbe1bf9240e0d504dcd

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\mghigdnmklgblclcggciiogdpbeachbi.crx

MD5 f8af74cd9977ca5f9076a27b2b36f1a0
SHA1 99da8b757a6be9a30a69852dfb9977ce8ab146a2
SHA256 eae99c624a34738896337b836878337d723215b1d7b7861cf99b342f520392d8
SHA512 b4a08aeac03a1f0e5efc2518b3e192e41f9aa92508c3b09676965dffaf557615ef62617f3cd3d252c570a92435e2ba8abf5457a47c8ea54db6ea2043ac7e5953

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\background.html

MD5 b8404b77c230aa8abf90230bf00be8a8
SHA1 b546a421a5735058242b4591d377fb130a32d473
SHA256 82a7e88e571dbffae0b548d1c0140ee412f994ac8753a74c615faca56753d505
SHA512 a170ede547a4276af37ba9577bf5ea04e2e09154746e583b266c43ae7ae9b4baf37849d3d71a8c7bc4daf83cd9a7369b4284550eecfc5b314ff7d4c6208e1fbe

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\content.js

MD5 16fd8925a166e057942e972a53e356c9
SHA1 d966509b7f4cfbef34b9e51e9a468a09fe20c658
SHA256 69f963d260002368cce0e40d1f17f9e964745458281ce19fe92667c43305d720
SHA512 d59942f007129259727f0abefd80233e08820ec4d289b7b757cee9370d93cf8ca1f1900d00aa089b36da1ef17c9764807b1c2e6d685f9dbf605d127df7c6bf17

C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\bhoclass.dll

MD5 4b35f6c1f932f52fa9901fbc47b432df
SHA1 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e
SHA256 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196
SHA512 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

C:\ProgramData\DownloadnSave\uninstall.exe

MD5 8be20144dbd200c6de0c9430ed9280cf
SHA1 b81e3aacaaedd66ef0896acabc6983c94758e2b4
SHA256 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6
SHA512 fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 03:08

Reported

2024-06-22 03:10

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave Class" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} = "1" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
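The two tables above are the part of this run an analyst most wants to keep: the COM registration of bhoclass.dll under a CLSID, and the write to HKLM\...\Policies\Ext\CLSID with data "1", which is the Internet Explorer "Add-on List" policy (0 = denied, 1 = allowed and not user-disableable from Manage Add-ons, 2 = allowed and user-manageable). The script below is an added example, not code from the sandbox or from the sample: it parses the report's flattened rows back into columns, folds them into one record per CLSID, and flags a server whose DLL lives outside Program Files/Windows or that has been pre-approved by policy. SAMPLE_ROWS are copied from this page; the Browser Helper Objects key path is recognised for completeness even though none of this section's rows write it. Because the NSIS staging directory name differs per run (7zS1381.tmp here, 7zS3EED.tmp in behavioral2), the parser also normalises that path component so the process indicator survives across detonations.

```python
"""Recover COM server and IE add-on policy facts from the report's registry rows.

Added example for this page, not the sandbox's code. SAMPLE_ROWS are copied
from the report; the BHO key path and the Add-on List policy semantics are
documented Windows behaviour, the rest is this example's own logic.
"""
import re
from dataclasses import dataclass

# Report row layout: <Description> <Indicator>[ = "<data>"] <Process> <Target>
ROW_RE = re.compile(
    r'^(?P<desc>Set value \([a-z]+\)|Key created|Key deleted)\s+'
    r'(?P<key>\\REGISTRY\\\S+)'
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r'\s+(?P<proc>[A-Z]:\\\S+)\s+(?P<target>\S+)$'
)
GUID = r'(\{[0-9A-Fa-f-]{36}\})'
CLSID_RE = re.compile(r'\\Classes\\(?:Wow6432Node\\)?CLSID\\' + GUID + r'$')
INPROC_RE = re.compile(r'\\Classes\\(?:Wow6432Node\\)?CLSID\\' + GUID + r'\\InprocServer32$')
# IE "Add-on List" policy: value name = CLSID; "0" denied, "1" allowed and not
# user-disableable from Manage Add-ons, "2" allowed and user-manageable.
EXT_POLICY_RE = re.compile(r'\\Policies\\Ext\\CLSID$')
# BHO registration key; not written by any row in this section, recognised anyway.
BHO_RE = re.compile(r'\\Explorer\\Browser Helper Objects\\' + GUID + r'$')
# NSIS unpacks to %TEMP%\7zS<hex>.tmp and the hex differs per run.
NSIS_TMP_RE = re.compile(r'\\7zS[0-9A-Fa-f]+\.tmp\\')

# Rows copied from this report (behavioral1).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave Class" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} = "1" C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe N/A
""".strip().splitlines()


@dataclass
class ComServer:
    clsid: str
    name: str = ''
    dll: str = ''
    threading: str = ''
    wow64: bool = False
    approved: str = ''        # data written under Policies\Ext\CLSID, if any
    bho_registered: bool = False


def parse_row(line):
    """Split one report row into columns; returns None for non-row lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    if row['desc'].startswith('Set value'):
        # Last path component of a Set value indicator is the value name;
        # a trailing backslash means the key's default value ('').
        row['keypath'], _, row['value'] = row['key'].rpartition('\\')
    else:
        row['keypath'], row['value'] = row['key'], None
    if row['data'] is not None:
        row['data'] = row['data'].replace('\\\\', '\\')  # report escapes backslashes
    row['proc_norm'] = NSIS_TMP_RE.sub(r'\\7zS<hex>.tmp\\', row['proc'])
    return row


def analyze(lines):
    """Fold parsed rows into one ComServer record per CLSID."""
    servers = {}

    def srv(clsid):
        return servers.setdefault(clsid.upper(), ComServer(clsid=clsid.upper()))

    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        kp, val, data = row['keypath'], row['value'], row['data']
        if (m := CLSID_RE.search(kp)) and val == '' and data:
            s = srv(m.group(1))
            s.name, s.wow64 = data, '\\Wow6432Node\\' in kp
        elif (m := INPROC_RE.search(kp)) and data is not None:
            s = srv(m.group(1))
            if val == '':
                s.dll = data
            elif val.lower() == 'threadingmodel':
                s.threading = data
        elif EXT_POLICY_RE.search(kp) and val and data is not None:
            srv(val).approved = data
        elif (m := BHO_RE.search(kp)):
            srv(m.group(1)).bho_registered = True
    return servers


def findings(servers):
    """Return (clsid, name, [reasons]) for servers that deserve a closer look."""
    out = []
    for s in servers.values():
        why = []
        if s.dll and not s.dll.lower().startswith(('c:\\program files', 'c:\\windows\\')):
            why.append('in-proc server outside Program Files/Windows: ' + s.dll)
        if s.approved == '1':
            why.append('allowed by Add-on List policy; user cannot disable it in Manage Add-ons')
        if s.bho_registered:
            why.append('registered as a Browser Helper Object')
        if why:
            out.append((s.clsid, s.name, why))
    return out


if __name__ == '__main__':
    for clsid, name, why in findings(analyze(SAMPLE_ROWS)):
        print(clsid, name)
        for w in why:
            print('  -', w)
```

Run against the rows above, findings() returns a single entry for {DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} ("DownloadnSave Class") with two reasons: the server DLL is C:\ProgramData\DownloadnSave\bhoclass.dll, and the policy value "1" was written for that CLSID. The CLSID lives under Wow6432Node because the 32-bit setup.exe wrote it, so the registration applies to 32-bit COM clients only.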

Processes

C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe

MD5 16ef6e914973925977cdc5ef6b8b2565
SHA1 4815da2815975b33f5dc94d482e6dbc02588afa6
SHA256 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f
SHA512 c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\settings.ini

MD5 faa2024f7388b28541193d9380fd75e5
SHA1 a2957b381fcce680f222e217528f22f58029d93a
SHA256 0faa3a088913d35fb0d3e6865dafec49590797ebed59f0fbe104fdb848c2cfc1
SHA512 c6f0f872f98f20da0535ab50752ac3c37f86f714ef97cca7f983b1062640b988caf08741f0dd371791d185e6d9754837586cdbc8c87bf90b776d7cfccb521bab

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\bootstrap.js

MD5 e16c50c73ad0c26bbd7593f325288ea8
SHA1 283626b095dbfd2fa285cc8ddcc104ce994a5a62
SHA256 bba9d13c3738ea9a3541dc9cd59950f0ebac4e73380a7ef0e9a42228346c3d62
SHA512 ac53acc63bdd53ee79648029fde8f00ce982d591de6d98a92303da495af797e9ea8818e2d5e9aed695bc72cd7741366ae992550b1b12db809252acd1729a6b8a

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\chrome.manifest

MD5 2add96c9a90156fafb11de0425e55ca5
SHA1 75ad9a976990579e1dcad37ff66f25a49d77a057
SHA256 278f4d605c24c223d97343253f5490a2187e6f56ac153856eb0a46e2bec730c9
SHA512 cf4e68d3748ac659f2bdd7a029e36a1b4f73bfe3281531ce21ebf85eddd2cb94f2643f5f464813032ac91eaf9c4d045242fcde1f1d48695f0ff97ede99afd1fb

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\install.rdf

MD5 8c9083164a24c3a1635f67bae9ed0234
SHA1 2639e027baeb383b25852d45cd14ef27fa9ccf09
SHA256 c5ed38f5f685b9fd16c99a46c471275f5f68e044b4d51b0eb28e3bcec9df1047
SHA512 0ab598271f99aa768057ab8a9766aa59a8ac444cbf41a5f93c8ffae8311977b7c704f3e4a38fd8c330ae43b5402c5b33ef840b10a76be29f5aa3d2ab08bac7cc

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\content\bg.js

MD5 f1b770558cfd7f7804683bbdef4da2a9
SHA1 996ff052f2ac63a4dd0effb0fbb76ef0d7e66ed5
SHA256 5ecd54748cb2c61c784b8afa179bc178e90560468245bf78a92964c264f1d56f
SHA512 df2d485b0decf9a7a82d6a4b443bdcb9c4bd6f792935aa49d3073a1236477643335f201c009d65f7ede6d280a5876caf62a0870d501955cb0153248bebf18ef1

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\content\zy.xul

MD5 9c5dc933b4785b5ef632b39a1d60d5ad
SHA1 1ff05095e13be95b0145b4f93c83d838e4824720
SHA256 1db1a94ae056c978fa06f9eb9fbbcbdcf8d108ab323b68f7e97eb521a394b471
SHA512 7fc18b7b245153208bb039981a6b02eefdc2d65e4934320b1199ccc007c96dd30bcc59f3a4f604fd99fc77c12ac4b36bc0e7d4cfda398dbe1bf9240e0d504dcd

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\mghigdnmklgblclcggciiogdpbeachbi.crx

MD5 f8af74cd9977ca5f9076a27b2b36f1a0
SHA1 99da8b757a6be9a30a69852dfb9977ce8ab146a2
SHA256 eae99c624a34738896337b836878337d723215b1d7b7861cf99b342f520392d8
SHA512 b4a08aeac03a1f0e5efc2518b3e192e41f9aa92508c3b09676965dffaf557615ef62617f3cd3d252c570a92435e2ba8abf5457a47c8ea54db6ea2043ac7e5953

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\background.html

MD5 b8404b77c230aa8abf90230bf00be8a8
SHA1 b546a421a5735058242b4591d377fb130a32d473
SHA256 82a7e88e571dbffae0b548d1c0140ee412f994ac8753a74c615faca56753d505
SHA512 a170ede547a4276af37ba9577bf5ea04e2e09154746e583b266c43ae7ae9b4baf37849d3d71a8c7bc4daf83cd9a7369b4284550eecfc5b314ff7d4c6208e1fbe

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\content.js

MD5 16fd8925a166e057942e972a53e356c9
SHA1 d966509b7f4cfbef34b9e51e9a468a09fe20c658
SHA256 69f963d260002368cce0e40d1f17f9e964745458281ce19fe92667c43305d720
SHA512 d59942f007129259727f0abefd80233e08820ec4d289b7b757cee9370d93cf8ca1f1900d00aa089b36da1ef17c9764807b1c2e6d685f9dbf605d127df7c6bf17

C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\bhoclass.dll

MD5 4b35f6c1f932f52fa9901fbc47b432df
SHA1 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e
SHA256 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196
SHA512 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

C:\ProgramData\DownloadnSave\uninstall.exe

MD5 8be20144dbd200c6de0c9430ed9280cf
SHA1 b81e3aacaaedd66ef0896acabc6983c94758e2b4
SHA256 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6
SHA512 fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e