Analysis Overview
SHA256
5ec475cc4947b88da138b2a2c290795ee1d71b02669e49adbd0c406f19cbb800
Threat Level: Shows suspicious behavior
Verdict for 01484845aff05251982fc87e9ba04bd4_JaffaCakes118: shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 04:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 04:35
Reported
2024-06-22 04:37
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\ = "TheBflix" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix Class" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID\ = "bhoclass.bho.5.2" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\TheBflix" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{5218EF06-6B88-BA37-A503-83F2BA8678B9}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "TheBflix" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID\ = "{5218EF06-6B88-BA37-A503-83F2BA8678B9}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.5.2" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4032 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe |
| PID 4032 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe |
| PID 4032 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe | N/A |
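The registry rows above describe one complete Internet Explorer BHO registration chain, and a host check follows directly from them: the key under Explorer\Browser Helper Objects names the CLSID {5218EF06-6B88-BA37-A503-83F2BA8678B9} (NoExplorer = 1 keeps explorer.exe from loading the object, so it targets iexplore.exe only), the CLSID's InprocServer32 default value points IE at C:\ProgramData\TheBflix\bhoclass.dll, and the value written under Policies\Ext\CLSID is the IE Add-on List policy, where data 1 means the add-on is enabled and the user cannot disable it. The PowerShell below is an added example, not part of the sandbox report, that checks a host for exactly those indicators in both the Wow6432Node and native registry views, reports the DLL's Authenticode status and compares its SHA256 with the report's value for bhoclass.dll. The Chrome extension ID is assumed to be the dropped .crx file name, and the function name Find-TheBflixBho is the example's own.

```powershell
# Added example (not from the sandbox report): read-only hunt for the TheBflix BHO
# indicators listed in the behavioral analysis. Run in an elevated PowerShell.
function Find-TheBflixBho {
    $Clsid       = '{5218EF06-6B88-BA37-A503-83F2BA8678B9}'
    $DllPath     = 'C:\ProgramData\TheBflix\bhoclass.dll'
    $DllSha256   = '7BF09B5C2A9B6348227199C1B3951B57907CA6A5C215A04AD8D5E43232F5B562'  # bhoclass.dll hash from the Files section
    $ChromeExtId = 'jomacbdnmbmgmpekpadagomjbnffjifd'  # assumption: the dropped .crx is named after its extension ID

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. BHO registration: the 32-bit DLL was registered under Wow6432Node, but check the native view too
    $bhoKeys = @(
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    )
    foreach ($key in $bhoKeys) {
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            $findings.Add("BHO registered: $key (name='$($p.'(default)')', NoExplorer=$($p.NoExplorer))")
        }
    }

    # 2. COM class -> DLL: the InprocServer32 default value is what iexplore.exe will load
    $clsidKeys = @(
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32",
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    )
    foreach ($key in $clsidKeys) {
        if (Test-Path -LiteralPath $key) {
            $server = (Get-ItemProperty -LiteralPath $key).'(default)'
            $findings.Add("CLSID $Clsid InprocServer32 -> $server")
            if ($server -and (Test-Path -LiteralPath $server)) {
                $sig  = Get-AuthenticodeSignature -FilePath $server
                $hash = (Get-FileHash -LiteralPath $server -Algorithm SHA256).Hash
                $findings.Add("  DLL Authenticode status: $($sig.Status); SHA256 matches report: $($hash -eq $DllSha256)")
            }
        }
    }

    # 3. IE Add-on List policy: a value named after the CLSID with data 1 enables the add-on and locks it for the user
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
    if (Test-Path -LiteralPath $policyKey) {
        $pol = Get-ItemProperty -LiteralPath $policyKey
        if ($pol.PSObject.Properties.Name -contains $Clsid) {
            $findings.Add("Add-on List policy entry: $policyKey\$Clsid = $($pol.$Clsid)")
        }
    }

    # 4. Dropped DLL on disk, independent of whether the registration survived
    if (Test-Path -LiteralPath $DllPath) {
        $hash = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
        $findings.Add("File present: $DllPath (SHA256 $hash; matches report: $($hash -eq $DllSha256))")
    }

    # 5. Chrome side of the install: per-profile extension directory named by ID
    Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\$ChromeExtId" `
        -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Chrome extension directory present: $($_.FullName)") }

    return $findings
}

$result = Find-TheBflixBho
if ($result.Count -eq 0) { 'No TheBflix BHO indicators found.' } else { $result }
```

A hash mismatch on a present bhoclass.dll is still a finding: the registration chain and path are the stable part of this installer, the DLL build is not. The Firefox side of the drop is left out because the extension directory name in the Files section is not recoverable from this page.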
Processes
C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\settings.ini
| MD5 | 7024f5c620e66aa0da5bfa903a61ae51 |
| SHA1 | 34e3d4ba06f926501e5b824a22b24206b7281ce6 |
| SHA256 | 7638df5b59b6d60a2038992a2adf698028bd9d62b4f03d111d0ad53d4bcddc7b |
| SHA512 | 6e699ec4d30a5c2152b27c276dee01284392c730ed539c87415ff6809b9e199a38c496847a349b755bd268b8f2794b165e5d750e8a4d3ba0cfb06e09ccec8d86 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\chrome.manifest
| MD5 | a6d0f2038ba00001b1a848e852f3cc4c |
| SHA1 | c1c20d5aeaa0595c09aeff69df5baec548219d72 |
| SHA256 | 26298aea5cb7ad31197a4445fcee2aeb07954db5e87cd192bd7b0942814d615f |
| SHA512 | 7b56fa9a5f57b6effaa91bc4c137ec80ccaabe0224ffbb612a3c9698596b0e09ded18b653e468f5b3934f52530b855f8095124ed5cd8aa51d800a26dda242438 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\install.rdf
| MD5 | bb2342adfbb51acb7ced264b8901c89e |
| SHA1 | 03d0ba77ad34563901fce80c71a2cdc44aeadd1a |
| SHA256 | 18d8c1da3a27e1baf5cf088de38d3503f58d376397f8912f890ec8b1016fc23e |
| SHA512 | 5b144797d19eeee06ee79e99aac5f36cee6cc2d641d8c9f697d6212e83b5b47a287d6711c85687e377128a6c4ca9bd56917e68fb045428b28b982b15264d4b5f |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\indexeddb.js
| MD5 | 03a5989a11d77993a2d7ed49639230ba |
| SHA1 | 03e3ccd2fa1edc730e4d1d0b615cf458bf506675 |
| SHA256 | bb8bc417553a365006bfd2aae77644a46800c1cc5fd5edfda71fa57320b6030b |
| SHA512 | 62e4ec1a2a5d0c42d6688eaa5be76d299fe201bef8c54a3dd9732aabff189bc558a072dfc3bdd0648c4559842618935c06c7f4156251cfd1b2a0e37bd29acfa2 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\jsext.js
| MD5 | e6c38a808450fb920d606fe598de31b6 |
| SHA1 | f8d512b0b0355e88da6d2b75ad34fda9411e2e7b |
| SHA256 | b72ad4435babf12e5f2ea0c4d5358f5b5650510317be60183a942fd9aa0c45fd |
| SHA512 | 2dc9ccf9f39cd1e8cf9fc2fd1f4e8b956fb8cda987fd066448f555e0a92fda4bc6f3afa301b82099bbc81e7031eb2a124543424e066c3dc08576fb28c84b1651 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\lsdb.js
| MD5 | 68a4de2dd420dd94a817b0a3dc7a6384 |
| SHA1 | 1bb454dac480f0bf1e5ba349aaefbb31d111fdcd |
| SHA256 | f545c6dd23054255d831007a4c75b67f504c02f7b0acaf96231b58d03d2c79f6 |
| SHA512 | 666e612792b48493f9f40e6e3bd6f3d09bf0a65b146b95f44418326a52edbd0ffad04f508ed325554568ae30762a0c36028056f2d25326749a3155257544e555 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\prfdb.js
| MD5 | 3d39b4834a9847c04852bd2ba252493f |
| SHA1 | 5f4975fb860121634e9d806bdc14c564b68046a0 |
| SHA256 | cb13dbaceef6460249f7ee8c54f642ffbb0730c37094894ce81cdcfd3f113516 |
| SHA512 | 9c0fdb3a6159523389cb4f3dbfab2cf6a28297f955aa444a877dbcde2aa57ff7241083273c909463db807c3891d7ea1c12e995d1d1081e37e0c31fdea3924465 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\sqlite.js
| MD5 | 0a6a2153f9e9d3fe403b663c46f93831 |
| SHA1 | c4af97fae8df03b076fb08fe02a3ee465c171cfa |
| SHA256 | c5a769cf5408bdcddc44ec40c2933f8ffff6f70c8261692f994adc8173ed8702 |
| SHA512 | 8a9188e7e7708be27467b7259959cdce448d93408aa4de0e67e636d614acf57e2d842e35b547b8b4d72452927862ffde4a8ec41536cd7a341934f73d8d28344e |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\wx.xul
| MD5 | 5090aed6ef4cdc1204eb98c093c8c2b0 |
| SHA1 | d0c19f5aed59a528e145327e39ca4e655cb66192 |
| SHA256 | 486e4266f9b2c055121c525df41780d6e3871431b5b777f22237ad6dafd37bac |
| SHA512 | b0fa90c2f1f24d6aa924fc39062158f76fa42522e06dc78b6e133d477872e92a99697e55a4ad827627592d155af278e31694185f52e84733b5eceea75ebbd3eb |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\jomacbdnmbmgmpekpadagomjbnffjifd.crx
| MD5 | 0541a5ece5e1ca5682c93062d127792b |
| SHA1 | 3a52c653f223c2b9a43001ccacf763900548fd61 |
| SHA256 | a42f632d402e27f0ee5f12cb46c150a268e8fd780359ff220635198031a0da6f |
| SHA512 | 7c17b33f9e2ca3e8a1654462a002f8985498404f6297899482bc84b561aaed3b454a0137d69346fb5427a426a2ac0b1fea6af5c716fbb48da545c2c6cc1536a2 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\background.html
| MD5 | 01110095338dc8307782423e3c708c1a |
| SHA1 | 0a7815f7d1608ddfd1b87bc7e18f364d12d39e50 |
| SHA256 | 80cf1fea163b6989ca42dfaac7f0b35aca2bb81633d88edd913f66bd75de52ed |
| SHA512 | 7abec39d55cb699938eddf78efb700eb3c7fc0df74339b4542491f10345fa15a38346259d6f097b6c10ee416e348315c21926a5a66b4f7bf43c527417d91b4b1 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\content.js
| MD5 | 27289c66bf310af3ef89d7c5315af97e |
| SHA1 | f6cd0f1878cad0efbe917020489ba4d1e0c20e94 |
| SHA256 | 59c162db874f059fca54d9b202a6e063e4459a5910e7f4768ec9834084fc983b |
| SHA512 | b80f2a8dd8e5b981ce832fbbf696958784002426c50ba20618753e30daa1af3a28df650ae2a998c2e636c85289a3d38bbd3b2ad494210155deae3540a305c326 |
C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\TheBflix\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 04:35
Reported
2024-06-22 04:37
Platform
win7-20240611-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\ = "TheBflix" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.5.2" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix Class" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID\ = "{5218EF06-6B88-BA37-A503-83F2BA8678B9}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\TheBflix" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{5218EF06-6B88-BA37-A503-83F2BA8678B9}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "TheBflix" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID\ = "bhoclass.bho.5.2" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | N/A |
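Read together, the two tables above describe one add-on: a COM class registered under `Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}` (ProgID `bhoclass.bho.5.2`, apartment-threaded), a type library that names it `Injector 1.0 Type Library` and points at `C:\ProgramData\TheBflix\bhoclass.dll`, and a `Policies\Ext\CLSID\{CLSID} = 1` value, which is Internet Explorer's Add-on List policy: value 1 force-enables the add-on and removes the user's ability to turn it off in Manage Add-ons. The script below is an added example, not part of the report and not the sample's own code. It parses rows in the report's `| action | indicator | process | target |` format and correlates every key that shares a CLSID. `REPORT_ROWS` are copied from the tables above; `ASSUMED_ROWS` (the `Browser Helper Objects` list entry and the `InprocServer32` default value) are constructed for the example and are an assumption, not events shown in this section.

```python
"""Correlate sandbox registry events that share one CLSID into a BHO record.
Added example, not part of the report; reads the report's own row format."""
from __future__ import annotations
import re
from dataclasses import dataclass

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")
PROC = r"C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe"

# Rows copied from the report tables above.
REPORT_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" | ' + PROC + ' | N/A |',
    r'| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 | ' + PROC + ' | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID\ = "bhoclass.bho.5.2" | ' + PROC + ' | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ThreadingModel = "Apartment" | ' + PROC + ' | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | ' + PROC + ' | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} = "1" | ' + PROC + ' | N/A |',
]
# ASSUMPTION: constructed rows standing in for events this section does not
# show (the BHO list entry and the InprocServer32 default value).
ASSUMED_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix" | ' + PROC + ' | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\NoExplorer = "1" | ' + PROC + ' | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" | ' + PROC + ' | N/A |',
]

@dataclass
class RegEvent:
    action: str
    path: str          # key path, or value path for "Set value" rows
    data: str | None   # value data (None for key create/delete rows)
    process: str

@dataclass
class BhoRecord:
    clsid: str
    in_bho_list: bool = False
    name: str | None = None
    no_explorer: bool = False
    dll: str | None = None
    threading: str | None = None
    progid: str | None = None
    policy_preapproved: bool = False

def parse_row(line: str) -> RegEvent | None:
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    action, indicator, process, _target = cells
    if not action.startswith("Set value"):
        return RegEvent(action, indicator, None, process)
    path, sep, data = indicator.rpartition(" = ")
    if not sep:
        return None
    # the report doubles backslashes inside quoted string data
    return RegEvent(action, path, data.strip('"').replace("\\\\", "\\"), process)

def correlate(rows) -> dict[str, BhoRecord]:
    recs: dict[str, BhoRecord] = {}
    for line in rows:
        ev = parse_row(line)
        key = ev.path.upper() if ev else ""          # registry paths are case-insensitive
        m = GUID_RE.search(key)
        if not m:
            continue
        guid, tail = m.group(0), key[m.end():]       # tail e.g. "\INPROCSERVER32\THREADINGMODEL"
        if "\\BROWSER HELPER OBJECTS\\" in key:      # IE's BHO load list
            rec = recs.setdefault(guid, BhoRecord(guid))
            rec.in_bho_list = True
            if tail == "\\":
                rec.name = ev.data
            elif tail == "\\NOEXPLORER":
                rec.no_explorer = ev.data == "1"
        elif "\\POLICIES\\EXT\\CLSID\\" in key:       # must be tested before the generic CLSID branch
            if ev.data == "1":
                recs.setdefault(guid, BhoRecord(guid)).policy_preapproved = True
        elif "\\CLSID\\" in key:                       # COM class registration
            rec = recs.setdefault(guid, BhoRecord(guid))
            if tail == "\\INPROCSERVER32\\":
                rec.dll = ev.data
            elif tail == "\\INPROCSERVER32\\THREADINGMODEL":
                rec.threading = ev.data
            elif tail == "\\PROGID\\":
                rec.progid = ev.data
        # TypeLib/Interface rows carry other GUIDs and are ignored here
    return recs

def assess(rec: BhoRecord) -> list[str]:
    """Analyst-facing findings for one CLSID."""
    out = []
    if rec.policy_preapproved:
        out.append("Policies\\Ext\\CLSID = 1: IE Add-on List policy force-enables this CLSID; user cannot disable it")
    if rec.no_explorer:
        out.append("NoExplorer = 1: loaded by Internet Explorer only, not by explorer.exe")
    if rec.dll is None:
        out.append("InprocServer32 default value not among the parsed rows; DLL path unresolved")
    elif "\\PROGRAMDATA\\" in rec.dll.upper():
        out.append(f"in-proc server lives under ProgramData, not Program Files: {rec.dll}")
    return out

if __name__ == "__main__":
    for clsid, rec in correlate(REPORT_ROWS + ASSUMED_ROWS).items():
        print(clsid, rec.name, rec.progid, rec.dll, *assess(rec), sep="\n  ")
```

Run on `REPORT_ROWS` alone, the record comes back with the policy flag, ProgID and threading model filled in but `dll` still `None`, which is the honest result when the `InprocServer32` default value is not among the rows you parsed; the assumed rows complete the chain. On a live host the same correlation is done by reading those keys directly, and the DLL path is then what you hash and check for a signature.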
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe | .\setup.exe /s |
Network
Files
\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\settings.ini
| MD5 | 7024f5c620e66aa0da5bfa903a61ae51 |
| SHA1 | 34e3d4ba06f926501e5b824a22b24206b7281ce6 |
| SHA256 | 7638df5b59b6d60a2038992a2adf698028bd9d62b4f03d111d0ad53d4bcddc7b |
| SHA512 | 6e699ec4d30a5c2152b27c276dee01284392c730ed539c87415ff6809b9e199a38c496847a349b755bd268b8f2794b165e5d750e8a4d3ba0cfb06e09ccec8d86 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\chrome.manifest
| MD5 | a6d0f2038ba00001b1a848e852f3cc4c |
| SHA1 | c1c20d5aeaa0595c09aeff69df5baec548219d72 |
| SHA256 | 26298aea5cb7ad31197a4445fcee2aeb07954db5e87cd192bd7b0942814d615f |
| SHA512 | 7b56fa9a5f57b6effaa91bc4c137ec80ccaabe0224ffbb612a3c9698596b0e09ded18b653e468f5b3934f52530b855f8095124ed5cd8aa51d800a26dda242438 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\install.rdf
| MD5 | bb2342adfbb51acb7ced264b8901c89e |
| SHA1 | 03d0ba77ad34563901fce80c71a2cdc44aeadd1a |
| SHA256 | 18d8c1da3a27e1baf5cf088de38d3503f58d376397f8912f890ec8b1016fc23e |
| SHA512 | 5b144797d19eeee06ee79e99aac5f36cee6cc2d641d8c9f697d6212e83b5b47a287d6711c85687e377128a6c4ca9bd56917e68fb045428b28b982b15264d4b5f |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\indexeddb.js
| MD5 | 03a5989a11d77993a2d7ed49639230ba |
| SHA1 | 03e3ccd2fa1edc730e4d1d0b615cf458bf506675 |
| SHA256 | bb8bc417553a365006bfd2aae77644a46800c1cc5fd5edfda71fa57320b6030b |
| SHA512 | 62e4ec1a2a5d0c42d6688eaa5be76d299fe201bef8c54a3dd9732aabff189bc558a072dfc3bdd0648c4559842618935c06c7f4156251cfd1b2a0e37bd29acfa2 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\jsext.js
| MD5 | e6c38a808450fb920d606fe598de31b6 |
| SHA1 | f8d512b0b0355e88da6d2b75ad34fda9411e2e7b |
| SHA256 | b72ad4435babf12e5f2ea0c4d5358f5b5650510317be60183a942fd9aa0c45fd |
| SHA512 | 2dc9ccf9f39cd1e8cf9fc2fd1f4e8b956fb8cda987fd066448f555e0a92fda4bc6f3afa301b82099bbc81e7031eb2a124543424e066c3dc08576fb28c84b1651 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\lsdb.js
| MD5 | 68a4de2dd420dd94a817b0a3dc7a6384 |
| SHA1 | 1bb454dac480f0bf1e5ba349aaefbb31d111fdcd |
| SHA256 | f545c6dd23054255d831007a4c75b67f504c02f7b0acaf96231b58d03d2c79f6 |
| SHA512 | 666e612792b48493f9f40e6e3bd6f3d09bf0a65b146b95f44418326a52edbd0ffad04f508ed325554568ae30762a0c36028056f2d25326749a3155257544e555 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\sqlite.js
| MD5 | 0a6a2153f9e9d3fe403b663c46f93831 |
| SHA1 | c4af97fae8df03b076fb08fe02a3ee465c171cfa |
| SHA256 | c5a769cf5408bdcddc44ec40c2933f8ffff6f70c8261692f994adc8173ed8702 |
| SHA512 | 8a9188e7e7708be27467b7259959cdce448d93408aa4de0e67e636d614acf57e2d842e35b547b8b4d72452927862ffde4a8ec41536cd7a341934f73d8d28344e |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\prfdb.js
| MD5 | 3d39b4834a9847c04852bd2ba252493f |
| SHA1 | 5f4975fb860121634e9d806bdc14c564b68046a0 |
| SHA256 | cb13dbaceef6460249f7ee8c54f642ffbb0730c37094894ce81cdcfd3f113516 |
| SHA512 | 9c0fdb3a6159523389cb4f3dbfab2cf6a28297f955aa444a877dbcde2aa57ff7241083273c909463db807c3891d7ea1c12e995d1d1081e37e0c31fdea3924465 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\wx.xul
| MD5 | 5090aed6ef4cdc1204eb98c093c8c2b0 |
| SHA1 | d0c19f5aed59a528e145327e39ca4e655cb66192 |
| SHA256 | 486e4266f9b2c055121c525df41780d6e3871431b5b777f22237ad6dafd37bac |
| SHA512 | b0fa90c2f1f24d6aa924fc39062158f76fa42522e06dc78b6e133d477872e92a99697e55a4ad827627592d155af278e31694185f52e84733b5eceea75ebbd3eb |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\jomacbdnmbmgmpekpadagomjbnffjifd.crx
| MD5 | 0541a5ece5e1ca5682c93062d127792b |
| SHA1 | 3a52c653f223c2b9a43001ccacf763900548fd61 |
| SHA256 | a42f632d402e27f0ee5f12cb46c150a268e8fd780359ff220635198031a0da6f |
| SHA512 | 7c17b33f9e2ca3e8a1654462a002f8985498404f6297899482bc84b561aaed3b454a0137d69346fb5427a426a2ac0b1fea6af5c716fbb48da545c2c6cc1536a2 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\background.html
| MD5 | 01110095338dc8307782423e3c708c1a |
| SHA1 | 0a7815f7d1608ddfd1b87bc7e18f364d12d39e50 |
| SHA256 | 80cf1fea163b6989ca42dfaac7f0b35aca2bb81633d88edd913f66bd75de52ed |
| SHA512 | 7abec39d55cb699938eddf78efb700eb3c7fc0df74339b4542491f10345fa15a38346259d6f097b6c10ee416e348315c21926a5a66b4f7bf43c527417d91b4b1 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\content.js
| MD5 | 27289c66bf310af3ef89d7c5315af97e |
| SHA1 | f6cd0f1878cad0efbe917020489ba4d1e0c20e94 |
| SHA256 | 59c162db874f059fca54d9b202a6e063e4459a5910e7f4768ec9834084fc983b |
| SHA512 | b80f2a8dd8e5b981ce832fbbf696958784002426c50ba20618753e30daa1af3a28df650ae2a998c2e636c85289a3d38bbd3b2ad494210155deae3540a305c326 |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\TheBflix\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
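The Files list is the IOC set to take from this report, and the paths also carry the installer's layout, which the Processes section confirms: everything under `Temp\7zS5BF5.tmp\` is the temporary extraction directory of a 7-Zip style self-extractor (the hex part of the name differs on every run, so only the hashes are stable), `setup.exe` is launched from there with `/s`, and `C:\ProgramData\TheBflix\` is the persistent install target. The payload covers three browsers: a `.crx` for Chrome whose file name is its 32-character extension ID, a legacy `install.rdf`/`chrome.manifest`/`.xul` add-on for Firefox, and `bhoclass.dll` for Internet Explorer. The script below is an added example, not from the report or the sample: it parses the path-plus-hash-table format used above into typed records, validates digest lengths, classifies each file by the browser it targets and by whether it is staged or installed, and emits a de-duplicated SHA256 list. `SAMPLE_FILES` is a constructed subset of the entries above (MD5 and SHA256 rows only). The Firefox add-on directory appears on the page as `[email protected]`, the shape of an `id@domain`-style add-on ID masked by the page rendering, so the classifier keys on the file names and on an `@` in a path component rather than on that directory name.

```python
"""Parse the report's dropped-file list into typed IOC records.
Added example, not part of the report. Input: a path line followed by
"| ALGO | hexdigest |" rows, as in the Files section above."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SFX_TMP_RE = re.compile(r"\\Temp\\7zS[0-9A-F]{4}\.tmp\\", re.I)   # self-extractor staging dir
CRX_ID_RE = re.compile(r"[a-p]{32}")                                # Chrome extension ID alphabet

# Constructed subset of the Files section above (MD5 and SHA256 rows only).
SAMPLE_FILES = r"""
\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\install.rdf
| MD5 | bb2342adfbb51acb7ced264b8901c89e |
| SHA256 | 18d8c1da3a27e1baf5cf088de38d3503f58d376397f8912f890ec8b1016fc23e |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\jomacbdnmbmgmpekpadagomjbnffjifd.crx
| MD5 | 0541a5ece5e1ca5682c93062d127792b |
| SHA256 | a42f632d402e27f0ee5f12cb46c150a268e8fd780359ff220635198031a0da6f |
C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
C:\ProgramData\TheBflix\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
"""

@dataclass
class DroppedFile:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def staged_in_sfx_tmp(self) -> bool:
        """True for files in the extractor's temp dir, which vanish after install."""
        return SFX_TMP_RE.search(self.path) is not None

    def classify(self) -> str:
        n = self.name.lower()
        dirs = self.path.split("\\")[:-1]
        if n.endswith(".crx"):
            return "chrome-extension" if CRX_ID_RE.fullmatch(n[:-4]) else "chrome-extension (non-standard id)"
        if n in ("install.rdf", "chrome.manifest") or n.endswith(".xul") or any("@" in d for d in dirs):
            return "firefox-extension (legacy XUL)"
        if n.endswith(".dll"):
            return "com-inproc-dll (IE BHO candidate)"
        if n == "uninstall.exe":
            return "installer-uninstaller"
        if n.endswith(".exe"):
            return "executable"
        if n.endswith((".js", ".html")):
            return "extension-script"
        return "other"

def parse_files(text: str) -> list[DroppedFile]:
    files: list[DroppedFile] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Files":
            continue
        if not line.startswith("|"):                 # a path line opens a new record
            files.append(DroppedFile(line))
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 2 or not files:
            continue
        algo, digest = cells[0].upper(), cells[1].lower()
        cur = files[-1]
        cur.hashes[algo] = digest
        want = HASH_LEN.get(algo)
        if want is None or len(digest) != want or not re.fullmatch(r"[0-9a-f]+", digest):
            cur.problems.append(f"{algo} digest malformed: {cells[1]}")
    return files

def iocs(files: list[DroppedFile]) -> dict[str, tuple[str, bool, str]]:
    """sha256 -> (classification, persists after install, file name); malformed entries are skipped."""
    out: dict[str, tuple[str, bool, str]] = {}
    for f in files:
        sha = f.hashes.get("SHA256")
        if sha and not f.problems and sha not in out:
            out[sha] = (f.classify(), not f.staged_in_sfx_tmp, f.name)
    return out

if __name__ == "__main__":
    for sha, (kind, persists, name) in iocs(parse_files(SAMPLE_FILES)).items():
        print(sha, kind, "installed" if persists else "staged", name)
```

Feeding the whole Files section through `parse_files` gives one record per dropped file; the `problems` list is what catches a digest that was truncated or mangled on the way into a blocklist, and `iocs` drops such entries rather than shipping a bad hash.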