Analysis Overview
SHA256
4b365aa00d65dcea6b9194a3f2056f0839c23ce4f88fb4cade23c1a2836ed885
Threat Level: Shows suspicious behavior
The file 010574ec10956dc6f5bba79de8e8a868_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
Enumerates physical storage devices
Unsigned PE
NSIS installer
System policy modification
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 03:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 03:08
Reported
2024-06-22 03:10
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave Class" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 924 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe |
| PID 924 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe |
| PID 924 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\settings.ini
| MD5 | faa2024f7388b28541193d9380fd75e5 |
| SHA1 | a2957b381fcce680f222e217528f22f58029d93a |
| SHA256 | 0faa3a088913d35fb0d3e6865dafec49590797ebed59f0fbe104fdb848c2cfc1 |
| SHA512 | c6f0f872f98f20da0535ab50752ac3c37f86f714ef97cca7f983b1062640b988caf08741f0dd371791d185e6d9754837586cdbc8c87bf90b776d7cfccb521bab |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\bootstrap.js
| MD5 | e16c50c73ad0c26bbd7593f325288ea8 |
| SHA1 | 283626b095dbfd2fa285cc8ddcc104ce994a5a62 |
| SHA256 | bba9d13c3738ea9a3541dc9cd59950f0ebac4e73380a7ef0e9a42228346c3d62 |
| SHA512 | ac53acc63bdd53ee79648029fde8f00ce982d591de6d98a92303da495af797e9ea8818e2d5e9aed695bc72cd7741366ae992550b1b12db809252acd1729a6b8a |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\install.rdf
| MD5 | 8c9083164a24c3a1635f67bae9ed0234 |
| SHA1 | 2639e027baeb383b25852d45cd14ef27fa9ccf09 |
| SHA256 | c5ed38f5f685b9fd16c99a46c471275f5f68e044b4d51b0eb28e3bcec9df1047 |
| SHA512 | 0ab598271f99aa768057ab8a9766aa59a8ac444cbf41a5f93c8ffae8311977b7c704f3e4a38fd8c330ae43b5402c5b33ef840b10a76be29f5aa3d2ab08bac7cc |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\chrome.manifest
| MD5 | 2add96c9a90156fafb11de0425e55ca5 |
| SHA1 | 75ad9a976990579e1dcad37ff66f25a49d77a057 |
| SHA256 | 278f4d605c24c223d97343253f5490a2187e6f56ac153856eb0a46e2bec730c9 |
| SHA512 | cf4e68d3748ac659f2bdd7a029e36a1b4f73bfe3281531ce21ebf85eddd2cb94f2643f5f464813032ac91eaf9c4d045242fcde1f1d48695f0ff97ede99afd1fb |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\content\bg.js
| MD5 | f1b770558cfd7f7804683bbdef4da2a9 |
| SHA1 | 996ff052f2ac63a4dd0effb0fbb76ef0d7e66ed5 |
| SHA256 | 5ecd54748cb2c61c784b8afa179bc178e90560468245bf78a92964c264f1d56f |
| SHA512 | df2d485b0decf9a7a82d6a4b443bdcb9c4bd6f792935aa49d3073a1236477643335f201c009d65f7ede6d280a5876caf62a0870d501955cb0153248bebf18ef1 |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\[email protected]\content\zy.xul
| MD5 | 9c5dc933b4785b5ef632b39a1d60d5ad |
| SHA1 | 1ff05095e13be95b0145b4f93c83d838e4824720 |
| SHA256 | 1db1a94ae056c978fa06f9eb9fbbcbdcf8d108ab323b68f7e97eb521a394b471 |
| SHA512 | 7fc18b7b245153208bb039981a6b02eefdc2d65e4934320b1199ccc007c96dd30bcc59f3a4f604fd99fc77c12ac4b36bc0e7d4cfda398dbe1bf9240e0d504dcd |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\mghigdnmklgblclcggciiogdpbeachbi.crx
| MD5 | f8af74cd9977ca5f9076a27b2b36f1a0 |
| SHA1 | 99da8b757a6be9a30a69852dfb9977ce8ab146a2 |
| SHA256 | eae99c624a34738896337b836878337d723215b1d7b7861cf99b342f520392d8 |
| SHA512 | b4a08aeac03a1f0e5efc2518b3e192e41f9aa92508c3b09676965dffaf557615ef62617f3cd3d252c570a92435e2ba8abf5457a47c8ea54db6ea2043ac7e5953 |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\background.html
| MD5 | b8404b77c230aa8abf90230bf00be8a8 |
| SHA1 | b546a421a5735058242b4591d377fb130a32d473 |
| SHA256 | 82a7e88e571dbffae0b548d1c0140ee412f994ac8753a74c615faca56753d505 |
| SHA512 | a170ede547a4276af37ba9577bf5ea04e2e09154746e583b266c43ae7ae9b4baf37849d3d71a8c7bc4daf83cd9a7369b4284550eecfc5b314ff7d4c6208e1fbe |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\content.js
| MD5 | 16fd8925a166e057942e972a53e356c9 |
| SHA1 | d966509b7f4cfbef34b9e51e9a468a09fe20c658 |
| SHA256 | 69f963d260002368cce0e40d1f17f9e964745458281ce19fe92667c43305d720 |
| SHA512 | d59942f007129259727f0abefd80233e08820ec4d289b7b757cee9370d93cf8ca1f1900d00aa089b36da1ef17c9764807b1c2e6d685f9dbf605d127df7c6bf17 |
C:\Users\Admin\AppData\Local\Temp\7zS3EED.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\DownloadnSave\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 03:08
Reported
2024-06-22 03:10
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\ = "DownloadnSave Class" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe | N/A |
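The two signatures above describe one persistence chain: the CLSID registered under Browser Helper Objects resolves through Classes\Wow6432Node\CLSID\{...}\InprocServer32 to C:\ProgramData\DownloadnSave\bhoclass.dll, and the value written under Policies\Ext\CLSID is the Internet Explorer "Add-on List" policy, where 1 means the add-on is allowed without the user being prompted. The following hunt script is an added example, not part of the sandbox report; it enumerates BHOs from both registry views, resolves each to its DLL, checks the Authenticode signature, and flags entries that the add-on policy pre-approves. Only the CLSID and DLL path are taken from the report; the function name Get-BhoInventory and the variable names are the example's own.

```powershell
# Added hunt script (not part of the sandbox report). Run in an elevated
# PowerShell on a host suspected of carrying the BHO described above.

$KnownBadClsid = '{DB19BED2-2179-AB2F-6E23-A80E3EF5E89F}'    # from the report
$KnownBadDll   = 'C:\ProgramData\DownloadnSave\bhoclass.dll'  # from the report

# 32-bit installers register under WOW6432Node on 64-bit Windows, so both views are checked.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
# IE "Add-on List" policy: value 1 = allowed, 0 = denied, 2 = allowed and user-manageable.
$policyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'

function Get-BhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $props = Get-ItemProperty $key.PSPath

            # Resolve CLSID -> InprocServer32 default value (the DLL that IE will load).
            $dll = $null
            foreach ($cr in $clsidRoots) {
                $inproc = Join-Path $cr "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty $inproc).'(default)'
                    break
                }
            }

            # Unsigned or missing DLLs are the interesting cases; the report's DLL is unsigned.
            $sig = if ($dll -and (Test-Path $dll)) {
                (Get-AuthenticodeSignature $dll).Status
            } else { 'DllMissing' }

            # A policy value of 1 for this CLSID silences the IE add-on approval prompt.
            $policyValue = $null
            if (Test-Path $policyRoot) {
                $policyValue = (Get-ItemProperty $policyRoot -ErrorAction SilentlyContinue).$clsid
            }

            [pscustomobject]@{
                Clsid          = $clsid
                Name           = $props.'(default)'
                NoExplorer     = $props.NoExplorer        # 1 = load in IE only, not in Explorer
                Dll            = $dll
                Signature      = $sig
                PolicyApproved = ([string]$policyValue -eq '1')
                MatchesReport  = ($clsid -eq $KnownBadClsid) -or ($dll -eq $KnownBadDll)
            }
        }
    }
}

Get-BhoInventory | Format-Table -AutoSize
```

Any row with PolicyApproved set and Signature other than Valid is worth pulling, whether or not it matches this sample: the same policy key is used by other adware installers to pre-approve their BHOs, and the CLSID and ProgID strings change between builds while the mechanism does not.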
Processes
C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\010574ec10956dc6f5bba79de8e8a868_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS1381.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\settings.ini
| MD5 | faa2024f7388b28541193d9380fd75e5 |
| SHA1 | a2957b381fcce680f222e217528f22f58029d93a |
| SHA256 | 0faa3a088913d35fb0d3e6865dafec49590797ebed59f0fbe104fdb848c2cfc1 |
| SHA512 | c6f0f872f98f20da0535ab50752ac3c37f86f714ef97cca7f983b1062640b988caf08741f0dd371791d185e6d9754837586cdbc8c87bf90b776d7cfccb521bab |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\bootstrap.js
| MD5 | e16c50c73ad0c26bbd7593f325288ea8 |
| SHA1 | 283626b095dbfd2fa285cc8ddcc104ce994a5a62 |
| SHA256 | bba9d13c3738ea9a3541dc9cd59950f0ebac4e73380a7ef0e9a42228346c3d62 |
| SHA512 | ac53acc63bdd53ee79648029fde8f00ce982d591de6d98a92303da495af797e9ea8818e2d5e9aed695bc72cd7741366ae992550b1b12db809252acd1729a6b8a |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\chrome.manifest
| MD5 | 2add96c9a90156fafb11de0425e55ca5 |
| SHA1 | 75ad9a976990579e1dcad37ff66f25a49d77a057 |
| SHA256 | 278f4d605c24c223d97343253f5490a2187e6f56ac153856eb0a46e2bec730c9 |
| SHA512 | cf4e68d3748ac659f2bdd7a029e36a1b4f73bfe3281531ce21ebf85eddd2cb94f2643f5f464813032ac91eaf9c4d045242fcde1f1d48695f0ff97ede99afd1fb |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\install.rdf
| MD5 | 8c9083164a24c3a1635f67bae9ed0234 |
| SHA1 | 2639e027baeb383b25852d45cd14ef27fa9ccf09 |
| SHA256 | c5ed38f5f685b9fd16c99a46c471275f5f68e044b4d51b0eb28e3bcec9df1047 |
| SHA512 | 0ab598271f99aa768057ab8a9766aa59a8ac444cbf41a5f93c8ffae8311977b7c704f3e4a38fd8c330ae43b5402c5b33ef840b10a76be29f5aa3d2ab08bac7cc |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\content\bg.js
| MD5 | f1b770558cfd7f7804683bbdef4da2a9 |
| SHA1 | 996ff052f2ac63a4dd0effb0fbb76ef0d7e66ed5 |
| SHA256 | 5ecd54748cb2c61c784b8afa179bc178e90560468245bf78a92964c264f1d56f |
| SHA512 | df2d485b0decf9a7a82d6a4b443bdcb9c4bd6f792935aa49d3073a1236477643335f201c009d65f7ede6d280a5876caf62a0870d501955cb0153248bebf18ef1 |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\[email protected]\content\zy.xul
| MD5 | 9c5dc933b4785b5ef632b39a1d60d5ad |
| SHA1 | 1ff05095e13be95b0145b4f93c83d838e4824720 |
| SHA256 | 1db1a94ae056c978fa06f9eb9fbbcbdcf8d108ab323b68f7e97eb521a394b471 |
| SHA512 | 7fc18b7b245153208bb039981a6b02eefdc2d65e4934320b1199ccc007c96dd30bcc59f3a4f604fd99fc77c12ac4b36bc0e7d4cfda398dbe1bf9240e0d504dcd |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\mghigdnmklgblclcggciiogdpbeachbi.crx
| MD5 | f8af74cd9977ca5f9076a27b2b36f1a0 |
| SHA1 | 99da8b757a6be9a30a69852dfb9977ce8ab146a2 |
| SHA256 | eae99c624a34738896337b836878337d723215b1d7b7861cf99b342f520392d8 |
| SHA512 | b4a08aeac03a1f0e5efc2518b3e192e41f9aa92508c3b09676965dffaf557615ef62617f3cd3d252c570a92435e2ba8abf5457a47c8ea54db6ea2043ac7e5953 |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\background.html
| MD5 | b8404b77c230aa8abf90230bf00be8a8 |
| SHA1 | b546a421a5735058242b4591d377fb130a32d473 |
| SHA256 | 82a7e88e571dbffae0b548d1c0140ee412f994ac8753a74c615faca56753d505 |
| SHA512 | a170ede547a4276af37ba9577bf5ea04e2e09154746e583b266c43ae7ae9b4baf37849d3d71a8c7bc4daf83cd9a7369b4284550eecfc5b314ff7d4c6208e1fbe |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\content.js
| MD5 | 16fd8925a166e057942e972a53e356c9 |
| SHA1 | d966509b7f4cfbef34b9e51e9a468a09fe20c658 |
| SHA256 | 69f963d260002368cce0e40d1f17f9e964745458281ce19fe92667c43305d720 |
| SHA512 | d59942f007129259727f0abefd80233e08820ec4d289b7b757cee9370d93cf8ca1f1900d00aa089b36da1ef17c9764807b1c2e6d685f9dbf605d127df7c6bf17 |
C:\Users\Admin\AppData\Local\Temp\7zS1381.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\DownloadnSave\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |
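The dropped files above give two kinds of indicator: the staging directory under %TEMP% (7zS1381.tmp here, but the suffix is generated per run, so it must be matched by pattern) and the persistent install directory C:\ProgramData\DownloadnSave. The following triage script is an added example, not part of the sandbox report; it looks for those paths on a host and compares SHA256 hashes against the values listed. Two assumptions are labelled in the code: the file list shows bhoclass.dll only in the Temp staging directory, so its hash is assumed to apply to the ProgramData copy that InprocServer32 points at, and the Chrome extension directory is where Chrome would place the dropped .crx if it were installed, which the report does not show. The function name Test-ReportIocs is the example's own.

```powershell
# Added triage script (not part of the sandbox report). Hashes and persistent
# paths are copied from the file list above; wildcards replace the per-run
# 7zS<random>.tmp suffix and the user profile name.

$Iocs = @(
    @{ Path   = 'C:\ProgramData\DownloadnSave\uninstall.exe'
       Sha256 = '634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6' },
    @{ Path   = 'C:\ProgramData\DownloadnSave\bhoclass.dll'
       # ASSUMPTION: hash is that of the Temp copy; the report does not list this copy being written.
       Sha256 = '2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196'
       Note   = 'hash assumed from Temp copy' },
    @{ Path   = 'C:\Users\*\AppData\Local\Temp\7zS*.tmp\setup.exe'
       Sha256 = '6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f' },
    @{ Path   = 'C:\Users\*\AppData\Local\Temp\7zS*.tmp\bhoclass.dll'
       Sha256 = '2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196' },
    @{ Path   = 'C:\Users\*\AppData\Local\Temp\7zS*.tmp\settings.ini'
       Sha256 = '0faa3a088913d35fb0d3e6865dafec49590797ebed59f0fbe104fdb848c2cfc1' },
    @{ Path   = 'C:\Users\*\AppData\Local\Temp\7zS*.tmp\mghigdnmklgblclcggciiogdpbeachbi.crx'
       Sha256 = 'eae99c624a34738896337b836878337d723215b1d7b7861cf99b342f520392d8' },
    @{ Path   = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\mghigdnmklgblclcggciiogdpbeachbi'
       # ASSUMPTION: standard Chrome extension location for that ID; presence only, no hash.
       Note   = 'directory check, assumed install location' }
)

function Test-ReportIocs {
    foreach ($ioc in $Iocs) {
        $hits = Get-ChildItem -Path $ioc.Path -Force -ErrorAction SilentlyContinue
        if (-not $hits) {
            [pscustomobject]@{ Path = $ioc.Path; Found = $null; HashMatch = $null; Note = $ioc.Note }
            continue
        }
        foreach ($f in $hits) {
            # Directory indicators (no Sha256 key) are reported on presence alone.
            $match = $null
            if ($ioc.Sha256 -and -not $f.PSIsContainer) {
                $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                $match = ($h -ieq $ioc.Sha256)
            }
            [pscustomobject]@{
                Path      = $ioc.Path
                Found     = $f.FullName
                HashMatch = $match
                Note      = $ioc.Note
            }
        }
    }
}

Test-ReportIocs | Format-Table -AutoSize
```

A hit on a persistent path with HashMatch false is not a clean result: the installer, uninstall stub and BHO DLL are rebuilt between campaigns, so the path and the registry chain in the signatures above are the durable indicators and the hashes only confirm this exact build.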