Analysis Overview
SHA256
7cf4427e23e8695cfbb2da2063d62db1498517c16dc09354c97ab482193b0657
Threat Level: Shows suspicious behavior
The file 010d1e8425e031a9909d727322437cec_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
Unsigned PE
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 03:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 03:18
Reported
2024-06-22 03:21
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\010d1e8425e031a9909d727322437cec_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ = "DownloadnSave Class" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\010d1e8425e031a9909d727322437cec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\010d1e8425e031a9909d727322437cec_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zSB37.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\settings.ini
| MD5 | 9107f3cf076e9058905ab5c5a986df80 |
| SHA1 | a14df716d51ba9547584048f9787842a3103ded5 |
| SHA256 | 3659b111c3e99bcfad277f43c520efd8270ca26c7184e2988d00d423fca335f0 |
| SHA512 | 151aeee182620a3271ebb0a99e9faf6854e20cbfa68917ee0234a15e4ee7e0cf3a465e364b7d8709d940de40f6ae69c763143646d66cfa7481cf23c535df9d6c |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\[email protected]\bootstrap.js
| MD5 | e16c50c73ad0c26bbd7593f325288ea8 |
| SHA1 | 283626b095dbfd2fa285cc8ddcc104ce994a5a62 |
| SHA256 | bba9d13c3738ea9a3541dc9cd59950f0ebac4e73380a7ef0e9a42228346c3d62 |
| SHA512 | ac53acc63bdd53ee79648029fde8f00ce982d591de6d98a92303da495af797e9ea8818e2d5e9aed695bc72cd7741366ae992550b1b12db809252acd1729a6b8a |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\[email protected]\chrome.manifest
| MD5 | 75aacd972102f4a7646c9dafd2025699 |
| SHA1 | 9b3c5cf2c58adfd4bef56daebdd3f959341fd393 |
| SHA256 | c80d74021693bec1104b3b59b0dbee37074cb52cbee4d71e38d72443f64a6cac |
| SHA512 | 3d0c007fcfb76acebbbb91ffcc1c403aca73cbf933510d0c53e73e7b0d198c0555acadb03761ec762c717dca0bb2fea9d4cc57983769d305803ea60dc687b4a0 |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\[email protected]\install.rdf
| MD5 | 447f40f492196aece9a5de5c9dace2b1 |
| SHA1 | b436fbdaf8bcb3a7034e53546e777a0d1a158de2 |
| SHA256 | 355e25e62b8630a1bceab17f13764538d00112c47943a3b330d9d6aa234648d4 |
| SHA512 | 8abdaccde3b1c0a4fcc7c3d7ed63a5d804e00daccf9197b6a016381c13a907bad6142175c7891aed53ce481f8b8df0ebdacdea9d100def32cdf99fb979398951 |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\[email protected]\content\bg.js
| MD5 | d8596e5ffed042c151592e959d6eca74 |
| SHA1 | 5e12c834a21407ff40b4cc42da22e5ce62963ac9 |
| SHA256 | 0be514265660d3628a664a3aec09c540debf152d51948e4dd1f93f72027a373c |
| SHA512 | d8d9dc08130ea3dfcd8b621046598e52669ba3f80aaf653ffffcd4632bd4bc2f6ac35c64c51cb23f3e365c6608785c7dbd0596ded4702aae64ffe5ab9474cd63 |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\[email protected]\content\zy.xul
| MD5 | 06ad5931cb66230c90288a2a25d91b5e |
| SHA1 | 2e7d6f088aa94938b394cd44e4778010d556e312 |
| SHA256 | 1b4ca7a8674090d268aaca30817b670c1d4eee5aee2217057b93b894f91039f3 |
| SHA512 | 1ed0554cbad640059d9502c8e32f0189aacbb2a52b498ed48365dcaae00f9211fecc1cbc706ef1ae5c36be09d57c8f923337ab268fe7f92d009a0836d2ef6f03 |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\pbiccfpahiekdclejlljkkckpmibbbfc.crx
| MD5 | f00397782469c12e21d4494e2401b35e |
| SHA1 | 699a962e3e44e615d3a791f31c9ca00fd68ea06c |
| SHA256 | 22a7a64f27b7f8e8a868e3b3aaf8cfbc85353038b0dc5b8fdf443b8076318c5c |
| SHA512 | 2741cf9742b4924e423057ed5472adb5627a15ea0b8f777e89ff1aa6da775cc316d3048d4d8d6614120e4ae1ff9dbd7ad092354eed55fa03b5c9f07d958b1245 |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\background.html
| MD5 | 9b73c6cb816181dba8127cf2c6c7aa02 |
| SHA1 | be24c153b3e08d9d7f057ae14bedcfa5627462a7 |
| SHA256 | 35e8ab58dce6b958ba25bba5c2f08ebcd2449741a0156e836d5652d5a4d02f1a |
| SHA512 | 0459b2fca3789cd0f522a275592e57712ca540b9602e5dd591c0b94ade6e9bd85b14c0abc20f3905ff6d6742294f2e1aeb216bd2c8c69c74862da79167e20296 |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\content.js
| MD5 | 845a451109b51ea8a851c89884a41401 |
| SHA1 | 94268e5f0f405bcd1856073664cb015c6148680a |
| SHA256 | 5ad199429b0530bc4f3ab8bbb326eaf2b6a2652a521e8690df919199ceddede7 |
| SHA512 | 524c17441609cec8e3439468f9c4a857e14efe955af2f8a726420083dbe25609251235a5485a4517522fb8f58c17203a7d6e7cee9cd67e70b8badbb2498a7c0d |
C:\Users\Admin\AppData\Local\Temp\7zSB37.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\DownloadnSave\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 03:18
Reported
2024-06-22 03:21
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ = "DownloadnSave Class" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2388 wrote to memory of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\010d1e8425e031a9909d727322437cec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe |
| PID 2388 wrote to memory of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\010d1e8425e031a9909d727322437cec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe |
| PID 2388 wrote to memory of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\010d1e8425e031a9909d727322437cec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{B5D9C5BB-5576-7F66-5F09-94E8540E16EB} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\010d1e8425e031a9909d727322437cec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\010d1e8425e031a9909d727322437cec_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe
.\setup.exe /s
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\settings.ini
| MD5 | 9107f3cf076e9058905ab5c5a986df80 |
| SHA1 | a14df716d51ba9547584048f9787842a3103ded5 |
| SHA256 | 3659b111c3e99bcfad277f43c520efd8270ca26c7184e2988d00d423fca335f0 |
| SHA512 | 151aeee182620a3271ebb0a99e9faf6854e20cbfa68917ee0234a15e4ee7e0cf3a465e364b7d8709d940de40f6ae69c763143646d66cfa7481cf23c535df9d6c |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\[email protected]\install.rdf
| MD5 | 447f40f492196aece9a5de5c9dace2b1 |
| SHA1 | b436fbdaf8bcb3a7034e53546e777a0d1a158de2 |
| SHA256 | 355e25e62b8630a1bceab17f13764538d00112c47943a3b330d9d6aa234648d4 |
| SHA512 | 8abdaccde3b1c0a4fcc7c3d7ed63a5d804e00daccf9197b6a016381c13a907bad6142175c7891aed53ce481f8b8df0ebdacdea9d100def32cdf99fb979398951 |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\[email protected]\chrome.manifest
| MD5 | 75aacd972102f4a7646c9dafd2025699 |
| SHA1 | 9b3c5cf2c58adfd4bef56daebdd3f959341fd393 |
| SHA256 | c80d74021693bec1104b3b59b0dbee37074cb52cbee4d71e38d72443f64a6cac |
| SHA512 | 3d0c007fcfb76acebbbb91ffcc1c403aca73cbf933510d0c53e73e7b0d198c0555acadb03761ec762c717dca0bb2fea9d4cc57983769d305803ea60dc687b4a0 |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\[email protected]\bootstrap.js
| MD5 | e16c50c73ad0c26bbd7593f325288ea8 |
| SHA1 | 283626b095dbfd2fa285cc8ddcc104ce994a5a62 |
| SHA256 | bba9d13c3738ea9a3541dc9cd59950f0ebac4e73380a7ef0e9a42228346c3d62 |
| SHA512 | ac53acc63bdd53ee79648029fde8f00ce982d591de6d98a92303da495af797e9ea8818e2d5e9aed695bc72cd7741366ae992550b1b12db809252acd1729a6b8a |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\[email protected]\content\bg.js
| MD5 | d8596e5ffed042c151592e959d6eca74 |
| SHA1 | 5e12c834a21407ff40b4cc42da22e5ce62963ac9 |
| SHA256 | 0be514265660d3628a664a3aec09c540debf152d51948e4dd1f93f72027a373c |
| SHA512 | d8d9dc08130ea3dfcd8b621046598e52669ba3f80aaf653ffffcd4632bd4bc2f6ac35c64c51cb23f3e365c6608785c7dbd0596ded4702aae64ffe5ab9474cd63 |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\[email protected]\content\zy.xul
| MD5 | 06ad5931cb66230c90288a2a25d91b5e |
| SHA1 | 2e7d6f088aa94938b394cd44e4778010d556e312 |
| SHA256 | 1b4ca7a8674090d268aaca30817b670c1d4eee5aee2217057b93b894f91039f3 |
| SHA512 | 1ed0554cbad640059d9502c8e32f0189aacbb2a52b498ed48365dcaae00f9211fecc1cbc706ef1ae5c36be09d57c8f923337ab268fe7f92d009a0836d2ef6f03 |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\pbiccfpahiekdclejlljkkckpmibbbfc.crx
| MD5 | f00397782469c12e21d4494e2401b35e |
| SHA1 | 699a962e3e44e615d3a791f31c9ca00fd68ea06c |
| SHA256 | 22a7a64f27b7f8e8a868e3b3aaf8cfbc85353038b0dc5b8fdf443b8076318c5c |
| SHA512 | 2741cf9742b4924e423057ed5472adb5627a15ea0b8f777e89ff1aa6da775cc316d3048d4d8d6614120e4ae1ff9dbd7ad092354eed55fa03b5c9f07d958b1245 |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\background.html
| MD5 | 9b73c6cb816181dba8127cf2c6c7aa02 |
| SHA1 | be24c153b3e08d9d7f057ae14bedcfa5627462a7 |
| SHA256 | 35e8ab58dce6b958ba25bba5c2f08ebcd2449741a0156e836d5652d5a4d02f1a |
| SHA512 | 0459b2fca3789cd0f522a275592e57712ca540b9602e5dd591c0b94ade6e9bd85b14c0abc20f3905ff6d6742294f2e1aeb216bd2c8c69c74862da79167e20296 |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\content.js
| MD5 | 845a451109b51ea8a851c89884a41401 |
| SHA1 | 94268e5f0f405bcd1856073664cb015c6148680a |
| SHA256 | 5ad199429b0530bc4f3ab8bbb326eaf2b6a2652a521e8690df919199ceddede7 |
| SHA512 | 524c17441609cec8e3439468f9c4a857e14efe955af2f8a726420083dbe25609251235a5485a4517522fb8f58c17203a7d6e7cee9cd67e70b8badbb2498a7c0d |
C:\Users\Admin\AppData\Local\Temp\7zS8A00.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\DownloadnSave\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |