Malware Analysis Report

2025-01-18 21:53

Sample ID 240622-e2tkfsxhke
Target 01404f3479d1aa3942867545e363bbe2_JaffaCakes118
SHA256 a36bb2c545ac72e468912266daf871e337113b7c54c3cb5c448319ffcbb3b28f
Tags
adware discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

a36bb2c545ac72e468912266daf871e337113b7c54c3cb5c448319ffcbb3b28f

Threat level: shows suspicious behavior

The file 01404f3479d1aa3942867545e363bbe2_JaffaCakes118 was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

adware discovery spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:26

Signatures

Unsigned PE

No indicator details recorded for this signature.

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 04:26

Reported

2024-06-22 04:29

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
The BHO is registered under HKLM\SOFTWARE\WOW6432Node, so it is loaded by 32-bit Internet Explorer; NoExplorer = 1 keeps Windows Explorer from loading it.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Four hits, no indicator details recorded.

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool Class" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID\ = "bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A

System policy modification

evasion
The Policies\Ext\CLSID entry below is Internet Explorer's add-on approval list: a value of 1 for the BHO's CLSID pre-approves it, so IE loads the add-on without prompting the user.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} = "1" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
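The three tables above (Installs/modifies Browser Helper Object, Modifies registry class, System policy modification) together describe one COM registration: a CLSID whose InprocServer32 points at C:\ProgramData\Bcool\bhoclass.dll, listed under Browser Helper Objects with NoExplorer = 1, and pre-approved in Internet Explorer's add-on policy list. The Python script below is an added example, not code from the sandbox, the report or the sample. It parses event lines in this report's own format, correlates the three registry locations by CLSID, and applies the checks an analyst would run on the result. The seven event lines embedded in it are copied from the behavioral2 tables; the marker strings, the field names and the list of user-writable directories it flags are the example's own choices.

```python
"""Reconstruct an Internet Explorer Browser Helper Object (BHO) registration from
sandbox registry events. Added example: not code from the report or the sample."""
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Seven event lines copied from the behavioral2 tables above. Report format:
#   <operation> <key path>[ = "<data>"] <process> <target>
EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} = "1" C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe N/A
"""

# Key paths contain spaces, so the end of the path is anchored on ' = "<data>"' and the process path.
LINE_RE = re.compile(
    r'^(?P<op>Key created|Key deleted|Set value \((?:str|int)\))\s+'
    r'(?P<path>\\REGISTRY\\.*?)(?:\s=\s"(?P<data>.*)")?'
    r'\s(?P<process>[A-Za-z]:\\\S+)\s(?P<target>\S+)$')
GUID_RE = re.compile(r'\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)

# Compared against lower-cased paths (Win7 writes Wow6432Node\...\explorer, Win10 WOW6432Node\...\Explorer).
BHO_MARKERS = ("\\currentversion\\explorer\\browser helper objects\\",)
CLSID_MARKERS = ("\\classes\\wow6432node\\clsid\\", "\\classes\\clsid\\")
POLICY_MARKERS = ("\\currentversion\\policies\\ext\\clsid\\",)

@dataclass
class Bho:
    clsid: str
    bho_name: Optional[str] = None   # default value of ...\Browser Helper Objects\{CLSID}
    no_explorer: bool = False        # NoExplorer=1: loaded by IE but not by Windows Explorer
    progid: Optional[str] = None     # ...\CLSID\{CLSID}\ProgID
    dll: Optional[str] = None        # ...\CLSID\{CLSID}\InprocServer32 default value
    policy_approved: bool = False    # ...\Policies\Ext\CLSID\{CLSID} = 1 pre-approves the add-on
    bho_key_deleted: bool = False    # a delete was logged; the report does not order events

def parse_events(text: str) -> List[dict]:
    matches = [LINE_RE.match(line.strip()) for line in text.strip().splitlines()]
    if not all(matches):
        raise ValueError("unrecognised event line")
    return [m.groupdict() for m in matches]

def guid_after(path_lower: str, markers) -> tuple:
    """(GUID, rest of path) if the path contains <marker>{GUID}, else (None, '')."""
    for marker in markers:
        i = path_lower.find(marker)
        if i >= 0:
            g = GUID_RE.match(path_lower, i + len(marker))
            if g:
                return g.group(0).upper(), path_lower[g.end():]
    return None, ""

def reconstruct(events: List[dict]) -> Dict[str, Bho]:
    """Correlate, by CLSID, the three registry locations that make a BHO load in IE."""
    bhos: Dict[str, Bho] = {}
    for ev in events:
        p = ev["path"].lower()
        is_set = ev["op"].startswith("Set value")
        value_name = p.rsplit("\\", 1)[-1]          # '' means the key's default value
        clsid, rest = guid_after(p, BHO_MARKERS)    # 1. the BHO list entry
        if clsid:
            b = bhos.setdefault(clsid, Bho(clsid))
            if ev["op"] == "Key deleted":
                b.bho_key_deleted = True
            elif is_set and value_name == "":
                b.bho_name = ev["data"]
            elif is_set and value_name == "noexplorer":
                b.no_explorer = ev["data"] == "1"
            continue
        clsid, rest = guid_after(p, CLSID_MARKERS)  # 2. the COM class behind it
        if clsid and is_set:
            b = bhos.setdefault(clsid, Bho(clsid))
            subkey, _, value = rest.lstrip("\\").rpartition("\\")
            if (subkey, value) == ("progid", ""):
                b.progid = ev["data"]
            elif (subkey, value) == ("inprocserver32", ""):
                b.dll = ev["data"].replace("\\\\", "\\")  # the report doubles backslashes
            continue
        clsid, _ = guid_after(p, POLICY_MARKERS)    # 3. IE's add-on approval policy
        if clsid and is_set:
            bhos.setdefault(clsid, Bho(clsid)).policy_approved = ev["data"] == "1"
    return bhos

def assess(b: Bho) -> List[str]:
    """The checks an analyst applies to a reconstructed BHO."""
    findings = []
    dll = (b.dll or "").lower()
    if b.dll is None:
        findings.append("BHO listed but no InprocServer32 path was logged")
    elif dll.startswith("c:\\programdata\\") or "\\appdata\\" in dll or "\\temp\\" in dll:
        findings.append(f"in-proc DLL outside Program Files, in a user-writable tree: {b.dll}")
    if b.policy_approved:
        findings.append("pre-approved via Policies\\Ext\\CLSID: IE loads it without the add-on prompt")
    if b.no_explorer:
        findings.append("NoExplorer=1: targets Internet Explorer only")
    return findings

def summarize(text: str) -> Dict[str, dict]:
    return {c: {"bho": asdict(b), "findings": assess(b)} for c, b in reconstruct(parse_events(text)).items()}
```

Feeding it the behavioral1 rows works unchanged, because paths are compared case-insensitively (that run writes Wow6432Node\...\explorer). The report lists Key deleted beside Key created for the same BHO key and does not record their order, so the script keeps the delete as a flag (bho_key_deleted) rather than treating it as the final state; the raw event log is the place to confirm which came last.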

Processes

C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe

.\setup.exe /s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8

Network

All ten entries are reverse-DNS (PTR) queries for in-addr.arpa names sent to Google Public DNS; the run recorded no forward lookups and no other connections.

Country  Destination  Domain                         Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53   80.90.14.23.in-addr.arpa       udp
US       8.8.8.8:53   232.168.11.51.in-addr.arpa     udp
US       8.8.8.8:53   68.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53   97.17.167.52.in-addr.arpa      udp
US       8.8.8.8:53   183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53   198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53   134.71.91.104.in-addr.arpa     udp
US       8.8.8.8:53   14.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe

MD5 4ccf1a317aa8539c857835e4ebe9c806
SHA1 223b73d09d7398f40aff3ccc569e66cae3886ee9
SHA256 4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242
SHA512 ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

C:\Users\Admin\AppData\Local\Temp\nsuEA13.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\settings.ini

MD5 c2ec9879acb168ab1fcb323952c60e76
SHA1 de380ae5003b374e10c68f69571690a80c26d4ee
SHA256 4b0400ef36e1f501ceb2b61032ba964a31693392f53946b02b8ff94f4d9b5717
SHA512 bf2a841dd653d8be1a008d6b45d6f3ae99f739802e9e83ef84a742b4e16c87521f85c6129b6a8af21264c4f6893f8f5f90b38bb514b8a33de8c4299826f99614

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\bootstrap.js

MD5 a352089db2d441f2a12d5f231628c4a7
SHA1 41ddee0af5726ffe998d86ae7618522ed18d2d31
SHA256 adfffffe16ac2c0132a68f8ff450255ed66784fcac0d0ce71720d121beaec2d4
SHA512 0886b401a2ad30e63ad8282788bd12e6464e767227ad99cabe2dc1a5373271801796aee4688ec3004f754700ec1d111cb4a5c42cd28145dcc66a85fd84078780

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\chrome.manifest

MD5 982572ac3bebc7104939edc53ba868cc
SHA1 7f14080714b5a6059dbed670d58df62e9ebca888
SHA256 35bac3d290c1e26343f0aff83e09096b45b8f0281b6d54582c3270d58c6ffdb7
SHA512 cba7c93fc47bb77caafbe02eb47a07b9e9217b5ac2dcc883a95a64867f65009e3106aca577a861b2157c1abf80045efda96dedc6ba5de92930c3ce486efb5751

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\install.rdf

MD5 f603efd0071f6e36f579ae3755f253f3
SHA1 8b66a412f5ecd3c25028b9bbb8256230ef925c71
SHA256 ceb068ab92baae420c8ab0191ae6bd351b961e2026283dff57a0489d1458bbfb
SHA512 13a74945a9b5fed2ed2411a9276abcafd2b70eff2daa79aa8375177c628d4ff9d99c7e5051d3d0f632b6b18edabf4f86d98c992c004c31b1debae469717af3d4

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\content\bg.js

MD5 3ad98fab34789bd5d0d5afa15e509498
SHA1 a4464065bef3c693b4b6c5cf2419f3a9d1be3d45
SHA256 bc5b7ba34e99a8e99e46b7867faa3eb47e313cda9829fc665ae05a211c23591b
SHA512 a5b1260bcaf581319389387609ce974c3ca1b7c9d751efeb942ceb1d243824f9077f672d545854acc36d6f7c4356ae4a6c03ddf3a7a8623d0e01337510fd2023

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\content\zy.xul

MD5 93e237ac0c65e9de5691fca1d32857ed
SHA1 fc979e01026887ced3d9cf044785f3d4aed97e3c
SHA256 77b1f602c8968bcbf0e992a4b9263dc46b57455f2c366fcf50cd2f6ff1a6fc48
SHA512 a6e1af836b98fe7bd032ec3798bd03903f8cc0470feb892468347b59bcc5e86df6ed86a77963aa6070c62ca9c0c383246830c25018de24fb4b86864bd266fe30

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\joncifiphefkmplpjoggokjdbbggkhgp.crx

MD5 aab0fe3ea3611ca3bcd9633dcd346019
SHA1 efd5a8c83665dfad9dac41cf0e836850a612f349
SHA256 631553de183640a3e00d353aa819c339a3b36d54015c51da7f1b4e2bfd1c34ed
SHA512 390acd573e819da406075600a8c0a9ae08c46fc0c44b0380928ce9cf8858c16e14ccb008b47140c2541b5f776e2c848c15ca526f6da27b7ca06fc327725aa446

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\background.html

MD5 acc89d28ced7c2731996f4496839490c
SHA1 3ff1016ca90af354c1205f9ea7527cc71c765379
SHA256 f4c09c8d2ad540b9f9c7447cf4ebb87bec49d2f33f847b812af83d7be1f2d84e
SHA512 7a2906e9a1dc789c79560c02d7d42d5e8d1cb958c079d10f2243bb1dec3c11cb6c2013226777a625cf4684e57f9712c8d82dad7dd3d49a1e55246076d8307ce2

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\content.js

MD5 621c2c7764ba0a40377812bcb7399ad4
SHA1 7a22701eb31d58434b5eca19b14e837dcd6d58eb
SHA256 f6975c10f8566cad2e8a2785ba4fd4ea374079f3042208f831752c4bfbb2e8c7
SHA512 2b6b0e1b2a4cbdc46a5be89d8902236a7046e1fe1966fd31c711273cceb9c1c3c41a1c0dc7ef2a3d537bb39432904b38c546a0642bca991919fac4c7f190e08e

C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\bhoclass.dll

MD5 474a025909c75c607905b9e2cae8a56f
SHA1 83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e
SHA256 25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f
SHA512 29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1

C:\ProgramData\Bcool\uninstall.exe

MD5 a724dac649142fef71fe4b529684e969
SHA1 e2878e84886ec53a1332ad969a825062526b5cd4
SHA256 b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc
SHA512 9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:26

Reported

2024-06-22 04:29

Platform

win7-20240611-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Four hits, no indicator details recorded.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID\ = "bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool Class" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} = "1" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
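The registry rows above are the pieces of a normal in-process COM registration (CLSID under the 32-bit Wow6432Node view, VersionIndependentProgID "bhoclass.dll", Apartment threading, two interfaces named IInjectorBHO and ILocalStorage) plus one row that is not part of COM at all: Policies\Ext\CLSID\{CLSID} = "1" is the per-add-on value behind Internet Explorer's "Add-on List" policy, and a value of 1 marks the add-on as enabled so the user is not asked whether to allow it. The following is an added example, not code from the report or the sandbox vendor: it parses rows in the report's own layout (Description, Indicator, optional written value, Process, Target), folds them into a per-CLSID summary, and flags any CLSID that was both registered as a COM class and pre-approved by policy from a process running out of a temp directory. The sample rows are copied from the tables above; the rows shown here do not include the InprocServer32 default value, so the DLL path stays unknown unless the full table carries it, and the helper names are my own.

```python
"""Summarize sandbox registry-event rows into a COM/BHO registration picture."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: rows copied from this report's registry tables.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID\ = "bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool Class" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} = "1" C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe N/A
"""

# One report row: description (with value type), registry path, optional
# quoted value, writing process, target.  The path never contains spaces,
# so the lazy match stops exactly at the end of the path token.
ROW_RE = re.compile(
    r'^(Key created|Key deleted|Set value \((\w+)\))\s+'
    r'(\\REGISTRY\S+?)'
    r'(?:\s+=\s+"(.*?)")?'
    r'\s+(\S+)\s+(\S+)$'
)
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
TEMP_HINT = '\\APPDATA\\LOCAL\\TEMP\\'   # hypothetical heuristic for "ran from a temp dir"


@dataclass
class RegEvent:
    action: str                 # "Key created", "Key deleted" or "Set value"
    value_type: Optional[str]   # "str", "int", ... for Set value rows
    path: str
    value: Optional[str]
    process: str


@dataclass
class ComClass:
    clsid: str
    name: Optional[str] = None
    progid: Optional[str] = None
    inproc_server: Optional[str] = None   # DLL path, only if the rows set it
    threading_model: Optional[str] = None
    wow6432: bool = False                 # registered in the 32-bit view
    policy_approved: bool = False         # Policies\Ext\CLSID\{clsid} = "1"
    writers: set = field(default_factory=set)


def parse_rows(text):
    """Return (events, unparsed_lines) for rows in the report's table layout."""
    events, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        action, vtype, path, value, process, _target = m.groups()
        events.append(RegEvent(action.split(' (')[0], vtype, path, value, process))
    return events, unparsed


def summarize(text):
    """Fold events into {'classes': {clsid: ComClass}, 'interfaces': {iid: name}}."""
    classes, interfaces = {}, {}
    for ev in parse_rows(text)[0]:
        m = GUID_RE.search(ev.path)
        if not m:
            continue                       # e.g. creation of the bare Policies\Ext\CLSID key
        guid = m.group(0).upper()
        head = ev.path[:m.start()].upper()           # key that holds the GUID
        tail = ev.path[m.end():].strip('\\').upper()  # subkey/value below the GUID
        if head.endswith('\\POLICIES\\EXT\\CLSID\\') and ev.value == '1':
            cls = classes.setdefault(guid, ComClass(guid))
            cls.policy_approved = True
            cls.writers.add(ev.process)
        elif head.endswith('\\INTERFACE\\') and tail == '' and ev.value is not None:
            interfaces[guid] = ev.value    # default value of Interface\{iid} is its name
        elif head.endswith('\\CLSID\\') and '\\CLASSES\\' in head:
            cls = classes.setdefault(guid, ComClass(guid))
            cls.writers.add(ev.process)
            cls.wow6432 |= '\\WOW6432NODE\\' in head
            if ev.action != 'Set value':
                continue                   # key create/delete rows carry no value
            if tail == '':
                cls.name = ev.value
            elif tail == 'VERSIONINDEPENDENTPROGID' or (tail == 'PROGID' and cls.progid is None):
                cls.progid = ev.value
            elif tail == 'INPROCSERVER32':
                cls.inproc_server = ev.value
            elif tail == 'INPROCSERVER32\\THREADINGMODEL':
                cls.threading_model = ev.value
    return {'classes': classes, 'interfaces': interfaces}


def flag_preapproved(summary):
    """CLSIDs that were registered as a COM class *and* silently enabled via policy."""
    findings = []
    for guid, cls in summary['classes'].items():
        registered = any(v is not None for v in (cls.name, cls.progid, cls.threading_model))
        if cls.policy_approved and registered:
            findings.append({
                'clsid': guid, 'name': cls.name, 'progid': cls.progid,
                'dll': cls.inproc_server,
                'written_from_temp': any(TEMP_HINT in w.upper() for w in cls.writers),
            })
    return findings


if __name__ == '__main__':
    for f in flag_preapproved(summarize(SAMPLE_ROWS)):
        print(f)
```

On a live host the same two facts can be checked directly: enumerate HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID (and the Wow6432Node view), and for every CLSID with value 1 resolve its InprocServer32 default value and inspect that DLL's location and signature; a pre-approved add-on whose server lives under a user-writable temp or ProgramData path is the condition this report's rows describe.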

Processes

C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe

MD5 4ccf1a317aa8539c857835e4ebe9c806
SHA1 223b73d09d7398f40aff3ccc569e66cae3886ee9
SHA256 4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242
SHA512 ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\settings.ini

MD5 c2ec9879acb168ab1fcb323952c60e76
SHA1 de380ae5003b374e10c68f69571690a80c26d4ee
SHA256 4b0400ef36e1f501ceb2b61032ba964a31693392f53946b02b8ff94f4d9b5717
SHA512 bf2a841dd653d8be1a008d6b45d6f3ae99f739802e9e83ef84a742b4e16c87521f85c6129b6a8af21264c4f6893f8f5f90b38bb514b8a33de8c4299826f99614

\Users\Admin\AppData\Local\Temp\nsoD99.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\bootstrap.js

MD5 a352089db2d441f2a12d5f231628c4a7
SHA1 41ddee0af5726ffe998d86ae7618522ed18d2d31
SHA256 adfffffe16ac2c0132a68f8ff450255ed66784fcac0d0ce71720d121beaec2d4
SHA512 0886b401a2ad30e63ad8282788bd12e6464e767227ad99cabe2dc1a5373271801796aee4688ec3004f754700ec1d111cb4a5c42cd28145dcc66a85fd84078780

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\chrome.manifest

MD5 982572ac3bebc7104939edc53ba868cc
SHA1 7f14080714b5a6059dbed670d58df62e9ebca888
SHA256 35bac3d290c1e26343f0aff83e09096b45b8f0281b6d54582c3270d58c6ffdb7
SHA512 cba7c93fc47bb77caafbe02eb47a07b9e9217b5ac2dcc883a95a64867f65009e3106aca577a861b2157c1abf80045efda96dedc6ba5de92930c3ce486efb5751

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\install.rdf

MD5 f603efd0071f6e36f579ae3755f253f3
SHA1 8b66a412f5ecd3c25028b9bbb8256230ef925c71
SHA256 ceb068ab92baae420c8ab0191ae6bd351b961e2026283dff57a0489d1458bbfb
SHA512 13a74945a9b5fed2ed2411a9276abcafd2b70eff2daa79aa8375177c628d4ff9d99c7e5051d3d0f632b6b18edabf4f86d98c992c004c31b1debae469717af3d4

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\content\bg.js

MD5 3ad98fab34789bd5d0d5afa15e509498
SHA1 a4464065bef3c693b4b6c5cf2419f3a9d1be3d45
SHA256 bc5b7ba34e99a8e99e46b7867faa3eb47e313cda9829fc665ae05a211c23591b
SHA512 a5b1260bcaf581319389387609ce974c3ca1b7c9d751efeb942ceb1d243824f9077f672d545854acc36d6f7c4356ae4a6c03ddf3a7a8623d0e01337510fd2023

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\content\zy.xul

MD5 93e237ac0c65e9de5691fca1d32857ed
SHA1 fc979e01026887ced3d9cf044785f3d4aed97e3c
SHA256 77b1f602c8968bcbf0e992a4b9263dc46b57455f2c366fcf50cd2f6ff1a6fc48
SHA512 a6e1af836b98fe7bd032ec3798bd03903f8cc0470feb892468347b59bcc5e86df6ed86a77963aa6070c62ca9c0c383246830c25018de24fb4b86864bd266fe30

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\joncifiphefkmplpjoggokjdbbggkhgp.crx

MD5 aab0fe3ea3611ca3bcd9633dcd346019
SHA1 efd5a8c83665dfad9dac41cf0e836850a612f349
SHA256 631553de183640a3e00d353aa819c339a3b36d54015c51da7f1b4e2bfd1c34ed
SHA512 390acd573e819da406075600a8c0a9ae08c46fc0c44b0380928ce9cf8858c16e14ccb008b47140c2541b5f776e2c848c15ca526f6da27b7ca06fc327725aa446

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\content.js

MD5 621c2c7764ba0a40377812bcb7399ad4
SHA1 7a22701eb31d58434b5eca19b14e837dcd6d58eb
SHA256 f6975c10f8566cad2e8a2785ba4fd4ea374079f3042208f831752c4bfbb2e8c7
SHA512 2b6b0e1b2a4cbdc46a5be89d8902236a7046e1fe1966fd31c711273cceb9c1c3c41a1c0dc7ef2a3d537bb39432904b38c546a0642bca991919fac4c7f190e08e

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\background.html

MD5 acc89d28ced7c2731996f4496839490c
SHA1 3ff1016ca90af354c1205f9ea7527cc71c765379
SHA256 f4c09c8d2ad540b9f9c7447cf4ebb87bec49d2f33f847b812af83d7be1f2d84e
SHA512 7a2906e9a1dc789c79560c02d7d42d5e8d1cb958c079d10f2243bb1dec3c11cb6c2013226777a625cf4684e57f9712c8d82dad7dd3d49a1e55246076d8307ce2

C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\bhoclass.dll

MD5 474a025909c75c607905b9e2cae8a56f
SHA1 83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e
SHA256 25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f
SHA512 29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1

C:\ProgramData\Bcool\uninstall.exe

MD5 a724dac649142fef71fe4b529684e969
SHA1 e2878e84886ec53a1332ad969a825062526b5cd4
SHA256 b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc
SHA512 9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3