Analysis Overview
SHA256
a36bb2c545ac72e468912266daf871e337113b7c54c3cb5c448319ffcbb3b28f
Threat Level: Shows suspicious behavior
The file 01404f3479d1aa3942867545e363bbe2_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Unsigned PE
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 04:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 04:26
Reported
2024-06-22 04:29
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID\ = "bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3108 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe |
| PID 3108 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe |
| PID 3108 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe
.\setup.exe /s
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\setup.exe
| MD5 | 4ccf1a317aa8539c857835e4ebe9c806 |
| SHA1 | 223b73d09d7398f40aff3ccc569e66cae3886ee9 |
| SHA256 | 4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242 |
| SHA512 | ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312 |
C:\Users\Admin\AppData\Local\Temp\nsuEA13.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\settings.ini
| MD5 | c2ec9879acb168ab1fcb323952c60e76 |
| SHA1 | de380ae5003b374e10c68f69571690a80c26d4ee |
| SHA256 | 4b0400ef36e1f501ceb2b61032ba964a31693392f53946b02b8ff94f4d9b5717 |
| SHA512 | bf2a841dd653d8be1a008d6b45d6f3ae99f739802e9e83ef84a742b4e16c87521f85c6129b6a8af21264c4f6893f8f5f90b38bb514b8a33de8c4299826f99614 |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\bootstrap.js
| MD5 | a352089db2d441f2a12d5f231628c4a7 |
| SHA1 | 41ddee0af5726ffe998d86ae7618522ed18d2d31 |
| SHA256 | adfffffe16ac2c0132a68f8ff450255ed66784fcac0d0ce71720d121beaec2d4 |
| SHA512 | 0886b401a2ad30e63ad8282788bd12e6464e767227ad99cabe2dc1a5373271801796aee4688ec3004f754700ec1d111cb4a5c42cd28145dcc66a85fd84078780 |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\chrome.manifest
| MD5 | 982572ac3bebc7104939edc53ba868cc |
| SHA1 | 7f14080714b5a6059dbed670d58df62e9ebca888 |
| SHA256 | 35bac3d290c1e26343f0aff83e09096b45b8f0281b6d54582c3270d58c6ffdb7 |
| SHA512 | cba7c93fc47bb77caafbe02eb47a07b9e9217b5ac2dcc883a95a64867f65009e3106aca577a861b2157c1abf80045efda96dedc6ba5de92930c3ce486efb5751 |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\install.rdf
| MD5 | f603efd0071f6e36f579ae3755f253f3 |
| SHA1 | 8b66a412f5ecd3c25028b9bbb8256230ef925c71 |
| SHA256 | ceb068ab92baae420c8ab0191ae6bd351b961e2026283dff57a0489d1458bbfb |
| SHA512 | 13a74945a9b5fed2ed2411a9276abcafd2b70eff2daa79aa8375177c628d4ff9d99c7e5051d3d0f632b6b18edabf4f86d98c992c004c31b1debae469717af3d4 |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\content\bg.js
| MD5 | 3ad98fab34789bd5d0d5afa15e509498 |
| SHA1 | a4464065bef3c693b4b6c5cf2419f3a9d1be3d45 |
| SHA256 | bc5b7ba34e99a8e99e46b7867faa3eb47e313cda9829fc665ae05a211c23591b |
| SHA512 | a5b1260bcaf581319389387609ce974c3ca1b7c9d751efeb942ceb1d243824f9077f672d545854acc36d6f7c4356ae4a6c03ddf3a7a8623d0e01337510fd2023 |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\[email protected]\content\zy.xul
| MD5 | 93e237ac0c65e9de5691fca1d32857ed |
| SHA1 | fc979e01026887ced3d9cf044785f3d4aed97e3c |
| SHA256 | 77b1f602c8968bcbf0e992a4b9263dc46b57455f2c366fcf50cd2f6ff1a6fc48 |
| SHA512 | a6e1af836b98fe7bd032ec3798bd03903f8cc0470feb892468347b59bcc5e86df6ed86a77963aa6070c62ca9c0c383246830c25018de24fb4b86864bd266fe30 |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\joncifiphefkmplpjoggokjdbbggkhgp.crx
| MD5 | aab0fe3ea3611ca3bcd9633dcd346019 |
| SHA1 | efd5a8c83665dfad9dac41cf0e836850a612f349 |
| SHA256 | 631553de183640a3e00d353aa819c339a3b36d54015c51da7f1b4e2bfd1c34ed |
| SHA512 | 390acd573e819da406075600a8c0a9ae08c46fc0c44b0380928ce9cf8858c16e14ccb008b47140c2541b5f776e2c848c15ca526f6da27b7ca06fc327725aa446 |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\background.html
| MD5 | acc89d28ced7c2731996f4496839490c |
| SHA1 | 3ff1016ca90af354c1205f9ea7527cc71c765379 |
| SHA256 | f4c09c8d2ad540b9f9c7447cf4ebb87bec49d2f33f847b812af83d7be1f2d84e |
| SHA512 | 7a2906e9a1dc789c79560c02d7d42d5e8d1cb958c079d10f2243bb1dec3c11cb6c2013226777a625cf4684e57f9712c8d82dad7dd3d49a1e55246076d8307ce2 |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\content.js
| MD5 | 621c2c7764ba0a40377812bcb7399ad4 |
| SHA1 | 7a22701eb31d58434b5eca19b14e837dcd6d58eb |
| SHA256 | f6975c10f8566cad2e8a2785ba4fd4ea374079f3042208f831752c4bfbb2e8c7 |
| SHA512 | 2b6b0e1b2a4cbdc46a5be89d8902236a7046e1fe1966fd31c711273cceb9c1c3c41a1c0dc7ef2a3d537bb39432904b38c546a0642bca991919fac4c7f190e08e |
C:\Users\Admin\AppData\Local\Temp\7zSE966.tmp\bhoclass.dll
| MD5 | 474a025909c75c607905b9e2cae8a56f |
| SHA1 | 83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e |
| SHA256 | 25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f |
| SHA512 | 29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1 |
C:\ProgramData\Bcool\uninstall.exe
| MD5 | a724dac649142fef71fe4b529684e969 |
| SHA1 | e2878e84886ec53a1332ad969a825062526b5cd4 |
| SHA256 | b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc |
| SHA512 | 9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 04:26
Reported
2024-06-22 04:29
Platform
win7-20240611-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\VersionIndependentProgID\ = "bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9957E1AC-9ED1-30C1-AF0D-31539B845B9B} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01404f3479d1aa3942867545e363bbe2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\setup.exe
| MD5 | 4ccf1a317aa8539c857835e4ebe9c806 |
| SHA1 | 223b73d09d7398f40aff3ccc569e66cae3886ee9 |
| SHA256 | 4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242 |
| SHA512 | ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312 |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\settings.ini
| MD5 | c2ec9879acb168ab1fcb323952c60e76 |
| SHA1 | de380ae5003b374e10c68f69571690a80c26d4ee |
| SHA256 | 4b0400ef36e1f501ceb2b61032ba964a31693392f53946b02b8ff94f4d9b5717 |
| SHA512 | bf2a841dd653d8be1a008d6b45d6f3ae99f739802e9e83ef84a742b4e16c87521f85c6129b6a8af21264c4f6893f8f5f90b38bb514b8a33de8c4299826f99614 |
\Users\Admin\AppData\Local\Temp\nsoD99.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\bootstrap.js
| MD5 | a352089db2d441f2a12d5f231628c4a7 |
| SHA1 | 41ddee0af5726ffe998d86ae7618522ed18d2d31 |
| SHA256 | adfffffe16ac2c0132a68f8ff450255ed66784fcac0d0ce71720d121beaec2d4 |
| SHA512 | 0886b401a2ad30e63ad8282788bd12e6464e767227ad99cabe2dc1a5373271801796aee4688ec3004f754700ec1d111cb4a5c42cd28145dcc66a85fd84078780 |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\chrome.manifest
| MD5 | 982572ac3bebc7104939edc53ba868cc |
| SHA1 | 7f14080714b5a6059dbed670d58df62e9ebca888 |
| SHA256 | 35bac3d290c1e26343f0aff83e09096b45b8f0281b6d54582c3270d58c6ffdb7 |
| SHA512 | cba7c93fc47bb77caafbe02eb47a07b9e9217b5ac2dcc883a95a64867f65009e3106aca577a861b2157c1abf80045efda96dedc6ba5de92930c3ce486efb5751 |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\install.rdf
| MD5 | f603efd0071f6e36f579ae3755f253f3 |
| SHA1 | 8b66a412f5ecd3c25028b9bbb8256230ef925c71 |
| SHA256 | ceb068ab92baae420c8ab0191ae6bd351b961e2026283dff57a0489d1458bbfb |
| SHA512 | 13a74945a9b5fed2ed2411a9276abcafd2b70eff2daa79aa8375177c628d4ff9d99c7e5051d3d0f632b6b18edabf4f86d98c992c004c31b1debae469717af3d4 |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\content\bg.js
| MD5 | 3ad98fab34789bd5d0d5afa15e509498 |
| SHA1 | a4464065bef3c693b4b6c5cf2419f3a9d1be3d45 |
| SHA256 | bc5b7ba34e99a8e99e46b7867faa3eb47e313cda9829fc665ae05a211c23591b |
| SHA512 | a5b1260bcaf581319389387609ce974c3ca1b7c9d751efeb942ceb1d243824f9077f672d545854acc36d6f7c4356ae4a6c03ddf3a7a8623d0e01337510fd2023 |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\[email protected]\content\zy.xul
| MD5 | 93e237ac0c65e9de5691fca1d32857ed |
| SHA1 | fc979e01026887ced3d9cf044785f3d4aed97e3c |
| SHA256 | 77b1f602c8968bcbf0e992a4b9263dc46b57455f2c366fcf50cd2f6ff1a6fc48 |
| SHA512 | a6e1af836b98fe7bd032ec3798bd03903f8cc0470feb892468347b59bcc5e86df6ed86a77963aa6070c62ca9c0c383246830c25018de24fb4b86864bd266fe30 |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\joncifiphefkmplpjoggokjdbbggkhgp.crx
| MD5 | aab0fe3ea3611ca3bcd9633dcd346019 |
| SHA1 | efd5a8c83665dfad9dac41cf0e836850a612f349 |
| SHA256 | 631553de183640a3e00d353aa819c339a3b36d54015c51da7f1b4e2bfd1c34ed |
| SHA512 | 390acd573e819da406075600a8c0a9ae08c46fc0c44b0380928ce9cf8858c16e14ccb008b47140c2541b5f776e2c848c15ca526f6da27b7ca06fc327725aa446 |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\content.js
| MD5 | 621c2c7764ba0a40377812bcb7399ad4 |
| SHA1 | 7a22701eb31d58434b5eca19b14e837dcd6d58eb |
| SHA256 | f6975c10f8566cad2e8a2785ba4fd4ea374079f3042208f831752c4bfbb2e8c7 |
| SHA512 | 2b6b0e1b2a4cbdc46a5be89d8902236a7046e1fe1966fd31c711273cceb9c1c3c41a1c0dc7ef2a3d537bb39432904b38c546a0642bca991919fac4c7f190e08e |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\background.html
| MD5 | acc89d28ced7c2731996f4496839490c |
| SHA1 | 3ff1016ca90af354c1205f9ea7527cc71c765379 |
| SHA256 | f4c09c8d2ad540b9f9c7447cf4ebb87bec49d2f33f847b812af83d7be1f2d84e |
| SHA512 | 7a2906e9a1dc789c79560c02d7d42d5e8d1cb958c079d10f2243bb1dec3c11cb6c2013226777a625cf4684e57f9712c8d82dad7dd3d49a1e55246076d8307ce2 |
C:\Users\Admin\AppData\Local\Temp\7zSD1B.tmp\bhoclass.dll
| MD5 | 474a025909c75c607905b9e2cae8a56f |
| SHA1 | 83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e |
| SHA256 | 25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f |
| SHA512 | 29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1 |
C:\ProgramData\Bcool\uninstall.exe
| MD5 | a724dac649142fef71fe4b529684e969 |
| SHA1 | e2878e84886ec53a1332ad969a825062526b5cd4 |
| SHA256 | b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc |
| SHA512 | 9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3 |