Malware Analysis Report

2025-01-18 21:53

Sample ID 240622-e7s6waybmd
Target 01484845aff05251982fc87e9ba04bd4_JaffaCakes118
SHA256 5ec475cc4947b88da138b2a2c290795ee1d71b02669e49adbd0c406f19cbb800
Tags
adware discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5ec475cc4947b88da138b2a2c290795ee1d71b02669e49adbd0c406f19cbb800

Threat Level: Shows suspicious behavior

The file 01484845aff05251982fc87e9ba04bd4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 04:35

Reported

2024-06-22 04:37

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\ = "TheBflix" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix Class" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID\ = "bhoclass.bho.5.2" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\TheBflix" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{5218EF06-6B88-BA37-A503-83F2BA8678B9}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "TheBflix" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID\ = "{5218EF06-6B88-BA37-A503-83F2BA8678B9}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.5.2" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} = "1" C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe

.\setup.exe /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\settings.ini

MD5 7024f5c620e66aa0da5bfa903a61ae51
SHA1 34e3d4ba06f926501e5b824a22b24206b7281ce6
SHA256 7638df5b59b6d60a2038992a2adf698028bd9d62b4f03d111d0ad53d4bcddc7b
SHA512 6e699ec4d30a5c2152b27c276dee01284392c730ed539c87415ff6809b9e199a38c496847a349b755bd268b8f2794b165e5d750e8a4d3ba0cfb06e09ccec8d86

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\chrome.manifest

MD5 a6d0f2038ba00001b1a848e852f3cc4c
SHA1 c1c20d5aeaa0595c09aeff69df5baec548219d72
SHA256 26298aea5cb7ad31197a4445fcee2aeb07954db5e87cd192bd7b0942814d615f
SHA512 7b56fa9a5f57b6effaa91bc4c137ec80ccaabe0224ffbb612a3c9698596b0e09ded18b653e468f5b3934f52530b855f8095124ed5cd8aa51d800a26dda242438

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\install.rdf

MD5 bb2342adfbb51acb7ced264b8901c89e
SHA1 03d0ba77ad34563901fce80c71a2cdc44aeadd1a
SHA256 18d8c1da3a27e1baf5cf088de38d3503f58d376397f8912f890ec8b1016fc23e
SHA512 5b144797d19eeee06ee79e99aac5f36cee6cc2d641d8c9f697d6212e83b5b47a287d6711c85687e377128a6c4ca9bd56917e68fb045428b28b982b15264d4b5f

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\indexeddb.js

MD5 03a5989a11d77993a2d7ed49639230ba
SHA1 03e3ccd2fa1edc730e4d1d0b615cf458bf506675
SHA256 bb8bc417553a365006bfd2aae77644a46800c1cc5fd5edfda71fa57320b6030b
SHA512 62e4ec1a2a5d0c42d6688eaa5be76d299fe201bef8c54a3dd9732aabff189bc558a072dfc3bdd0648c4559842618935c06c7f4156251cfd1b2a0e37bd29acfa2

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\jsext.js

MD5 e6c38a808450fb920d606fe598de31b6
SHA1 f8d512b0b0355e88da6d2b75ad34fda9411e2e7b
SHA256 b72ad4435babf12e5f2ea0c4d5358f5b5650510317be60183a942fd9aa0c45fd
SHA512 2dc9ccf9f39cd1e8cf9fc2fd1f4e8b956fb8cda987fd066448f555e0a92fda4bc6f3afa301b82099bbc81e7031eb2a124543424e066c3dc08576fb28c84b1651

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\lsdb.js

MD5 68a4de2dd420dd94a817b0a3dc7a6384
SHA1 1bb454dac480f0bf1e5ba349aaefbb31d111fdcd
SHA256 f545c6dd23054255d831007a4c75b67f504c02f7b0acaf96231b58d03d2c79f6
SHA512 666e612792b48493f9f40e6e3bd6f3d09bf0a65b146b95f44418326a52edbd0ffad04f508ed325554568ae30762a0c36028056f2d25326749a3155257544e555

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\prfdb.js

MD5 3d39b4834a9847c04852bd2ba252493f
SHA1 5f4975fb860121634e9d806bdc14c564b68046a0
SHA256 cb13dbaceef6460249f7ee8c54f642ffbb0730c37094894ce81cdcfd3f113516
SHA512 9c0fdb3a6159523389cb4f3dbfab2cf6a28297f955aa444a877dbcde2aa57ff7241083273c909463db807c3891d7ea1c12e995d1d1081e37e0c31fdea3924465

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\sqlite.js

MD5 0a6a2153f9e9d3fe403b663c46f93831
SHA1 c4af97fae8df03b076fb08fe02a3ee465c171cfa
SHA256 c5a769cf5408bdcddc44ec40c2933f8ffff6f70c8261692f994adc8173ed8702
SHA512 8a9188e7e7708be27467b7259959cdce448d93408aa4de0e67e636d614acf57e2d842e35b547b8b4d72452927862ffde4a8ec41536cd7a341934f73d8d28344e

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\[email protected]\content\wx.xul

MD5 5090aed6ef4cdc1204eb98c093c8c2b0
SHA1 d0c19f5aed59a528e145327e39ca4e655cb66192
SHA256 486e4266f9b2c055121c525df41780d6e3871431b5b777f22237ad6dafd37bac
SHA512 b0fa90c2f1f24d6aa924fc39062158f76fa42522e06dc78b6e133d477872e92a99697e55a4ad827627592d155af278e31694185f52e84733b5eceea75ebbd3eb

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\jomacbdnmbmgmpekpadagomjbnffjifd.crx

MD5 0541a5ece5e1ca5682c93062d127792b
SHA1 3a52c653f223c2b9a43001ccacf763900548fd61
SHA256 a42f632d402e27f0ee5f12cb46c150a268e8fd780359ff220635198031a0da6f
SHA512 7c17b33f9e2ca3e8a1654462a002f8985498404f6297899482bc84b561aaed3b454a0137d69346fb5427a426a2ac0b1fea6af5c716fbb48da545c2c6cc1536a2

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\background.html

MD5 01110095338dc8307782423e3c708c1a
SHA1 0a7815f7d1608ddfd1b87bc7e18f364d12d39e50
SHA256 80cf1fea163b6989ca42dfaac7f0b35aca2bb81633d88edd913f66bd75de52ed
SHA512 7abec39d55cb699938eddf78efb700eb3c7fc0df74339b4542491f10345fa15a38346259d6f097b6c10ee416e348315c21926a5a66b4f7bf43c527417d91b4b1

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\content.js

MD5 27289c66bf310af3ef89d7c5315af97e
SHA1 f6cd0f1878cad0efbe917020489ba4d1e0c20e94
SHA256 59c162db874f059fca54d9b202a6e063e4459a5910e7f4768ec9834084fc983b
SHA512 b80f2a8dd8e5b981ce832fbbf696958784002426c50ba20618753e30daa1af3a28df650ae2a998c2e636c85289a3d38bbd3b2ad494210155deae3540a305c326

C:\Users\Admin\AppData\Local\Temp\7zS4F0A.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\TheBflix\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:35

Reported

2024-06-22 04:37

Platform

win7-20240611-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5218EF06-6B88-BA37-A503-83F2BA8678B9} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\ = "TheBflix" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.5.2" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ = "TheBflix Class" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID\ = "{5218EF06-6B88-BA37-A503-83F2BA8678B9}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\TheBflix" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{5218EF06-6B88-BA37-A503-83F2BA8678B9}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "TheBflix" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID\ = "bhoclass.bho.5.2" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A

System policy modification

evasion

The Policies\Ext\CLSID key is Internet Explorer's Add-on List policy: setting the BHO's CLSID to "1" force-enables the add-on so the user cannot disable it from Manage Add-ons, which is why the sandbox tags this as evasion.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9} = "1" C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe N/A
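The registry events above show two halves of one pattern: a COM in-process server registered under Classes\Wow6432Node\CLSID, and the same CLSID force-enabled through the Policies\Ext\CLSID add-on policy. The Python below is an added example, not part of the sandbox report or its signature engine. It parses event lines in the format of the tables on this page and flags a CLSID only when both halves appear in the same run, so a policy entry for an add-on that was already installed does not fire on its own. The event lines are copied from this report except the one marked CONSTRUCTED, whose CLSID and process path are placeholders; the meaning of policy values 0, 1 and 2 is taken from Internet Explorer's Add-on List policy.

```python
"""Correlate sandbox registry events: flag a CLSID that is registered as an
in-process COM server and force-enabled via the IE add-on policy in one run.

Added example for this report; not the sandbox's own signature code.
"""
import re
from dataclasses import dataclass
from typing import Optional

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# "<op> <path>[ = "<value>"] <process> <target>"; registry paths and process
# paths in this report contain no spaces, so whitespace splitting is safe.
EVENT_RE = re.compile(
    r"^(?P<op>Key created|Key deleted|Set value \(\w+\))\s+"
    r"(?P<path>\\REGISTRY\\\S+)"
    r"(?:\s+=\s+\"(?P<value>[^\"]*)\")?"
    r"\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)

# Internet Explorer "Add-on List" policy values under Policies\Ext\CLSID.
ADDON_POLICY = {
    "0": "disabled by policy",
    "1": "enabled, user cannot disable",
    "2": "user may manage",
}


@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    proc: str


def parse_events(lines):
    """Turn report table rows into RegEvent records; unparseable rows are skipped."""
    events = []
    for raw in lines:
        m = EVENT_RE.match(raw.strip())
        if m:
            events.append(RegEvent(m["op"], m["path"], m["value"], m["proc"]))
    return events


def find_forced_com_servers(events):
    """Return CLSIDs that gained an InprocServer32 key AND a policy value of "1".

    Sandbox tables are not in chronological order (a 'Key deleted' for
    InprocServer32 appears before its 'Key created'), so the logic keys on
    event type rather than sequence.
    """
    registered, progids, forced = {}, {}, {}
    for ev in events:
        m = CLSID_RE.search(ev.path)
        if not m:
            continue
        clsid = m.group(0).upper()
        low = ev.path.lower()
        if "\\classes\\" in low and "\\clsid\\" in low:
            if ev.op == "Key created" and low.endswith("\\inprocserver32"):
                registered.setdefault(clsid, set()).add(ev.proc)
            if ev.op.startswith("Set value") and low.endswith("\\progid\\"):
                progids[clsid] = ev.value
        elif "\\policies\\ext\\clsid\\" in low and ev.op.startswith("Set value"):
            forced[clsid] = (ev.value, ev.proc)

    hits = []
    for clsid, (val, proc) in forced.items():
        if val == "1" and clsid in registered:
            hits.append({
                "clsid": clsid,
                "progid": progids.get(clsid),
                "registered_by": sorted(registered[clsid]),
                "policy_set_by": proc,
                "policy": ADDON_POLICY.get(val, "unknown"),
            })
    return hits


SETUP = r"C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe"
CLS = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5218EF06-6B88-BA37-A503-83F2BA8678B9}"
EXT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID"

# Rows copied from this report's tables, plus one CONSTRUCTED negative control:
# a policy entry for a CLSID that is never registered in this run (placeholder
# GUID and process path), which must not be flagged.
SAMPLE_LINES = [
    f"Key deleted {CLS}\\InprocServer32 {SETUP} N/A",
    f"Key created {CLS} {SETUP} N/A",
    f'Set value (str) {CLS}\\ProgID\\ = "bhoclass.bho.5.2" {SETUP} N/A',
    f'Set value (str) {CLS}\\InprocServer32\\ThreadingModel = "Apartment" {SETUP} N/A',
    f"Key created {CLS}\\InprocServer32 {SETUP} N/A",
    f"Key created {EXT} {SETUP} N/A",
    f'Set value (str) {EXT}\\{{5218EF06-6B88-BA37-A503-83F2BA8678B9}} = "1" {SETUP} N/A',
    # CONSTRUCTED control row, not from the report:
    f'Set value (str) {EXT}\\{{00000000-0000-0000-0000-000000000001}} = "1" C:\\constructed\\other.exe N/A',
]


def sample_report():
    return find_forced_com_servers(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for hit in sample_report():
        print(hit)
```

Run against the rows above it reports exactly one CLSID, {5218EF06-6B88-BA37-A503-83F2BA8678B9} with ProgID bhoclass.bho.5.2, both registered and force-enabled by setup.exe; the constructed control entry is ignored because nothing in the run registered its server. On a live host the same correlation can be made from HKLM\SOFTWARE\Classes\Wow6432Node\CLSID and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID, where a value of "1" for a CLSID that no enterprise GPO manages is worth a look.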

Processes

C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01484845aff05251982fc87e9ba04bd4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\settings.ini

MD5 7024f5c620e66aa0da5bfa903a61ae51
SHA1 34e3d4ba06f926501e5b824a22b24206b7281ce6
SHA256 7638df5b59b6d60a2038992a2adf698028bd9d62b4f03d111d0ad53d4bcddc7b
SHA512 6e699ec4d30a5c2152b27c276dee01284392c730ed539c87415ff6809b9e199a38c496847a349b755bd268b8f2794b165e5d750e8a4d3ba0cfb06e09ccec8d86

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\chrome.manifest

MD5 a6d0f2038ba00001b1a848e852f3cc4c
SHA1 c1c20d5aeaa0595c09aeff69df5baec548219d72
SHA256 26298aea5cb7ad31197a4445fcee2aeb07954db5e87cd192bd7b0942814d615f
SHA512 7b56fa9a5f57b6effaa91bc4c137ec80ccaabe0224ffbb612a3c9698596b0e09ded18b653e468f5b3934f52530b855f8095124ed5cd8aa51d800a26dda242438

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\install.rdf

MD5 bb2342adfbb51acb7ced264b8901c89e
SHA1 03d0ba77ad34563901fce80c71a2cdc44aeadd1a
SHA256 18d8c1da3a27e1baf5cf088de38d3503f58d376397f8912f890ec8b1016fc23e
SHA512 5b144797d19eeee06ee79e99aac5f36cee6cc2d641d8c9f697d6212e83b5b47a287d6711c85687e377128a6c4ca9bd56917e68fb045428b28b982b15264d4b5f

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\indexeddb.js

MD5 03a5989a11d77993a2d7ed49639230ba
SHA1 03e3ccd2fa1edc730e4d1d0b615cf458bf506675
SHA256 bb8bc417553a365006bfd2aae77644a46800c1cc5fd5edfda71fa57320b6030b
SHA512 62e4ec1a2a5d0c42d6688eaa5be76d299fe201bef8c54a3dd9732aabff189bc558a072dfc3bdd0648c4559842618935c06c7f4156251cfd1b2a0e37bd29acfa2

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\jsext.js

MD5 e6c38a808450fb920d606fe598de31b6
SHA1 f8d512b0b0355e88da6d2b75ad34fda9411e2e7b
SHA256 b72ad4435babf12e5f2ea0c4d5358f5b5650510317be60183a942fd9aa0c45fd
SHA512 2dc9ccf9f39cd1e8cf9fc2fd1f4e8b956fb8cda987fd066448f555e0a92fda4bc6f3afa301b82099bbc81e7031eb2a124543424e066c3dc08576fb28c84b1651

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\lsdb.js

MD5 68a4de2dd420dd94a817b0a3dc7a6384
SHA1 1bb454dac480f0bf1e5ba349aaefbb31d111fdcd
SHA256 f545c6dd23054255d831007a4c75b67f504c02f7b0acaf96231b58d03d2c79f6
SHA512 666e612792b48493f9f40e6e3bd6f3d09bf0a65b146b95f44418326a52edbd0ffad04f508ed325554568ae30762a0c36028056f2d25326749a3155257544e555

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\sqlite.js

MD5 0a6a2153f9e9d3fe403b663c46f93831
SHA1 c4af97fae8df03b076fb08fe02a3ee465c171cfa
SHA256 c5a769cf5408bdcddc44ec40c2933f8ffff6f70c8261692f994adc8173ed8702
SHA512 8a9188e7e7708be27467b7259959cdce448d93408aa4de0e67e636d614acf57e2d842e35b547b8b4d72452927862ffde4a8ec41536cd7a341934f73d8d28344e

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\prfdb.js

MD5 3d39b4834a9847c04852bd2ba252493f
SHA1 5f4975fb860121634e9d806bdc14c564b68046a0
SHA256 cb13dbaceef6460249f7ee8c54f642ffbb0730c37094894ce81cdcfd3f113516
SHA512 9c0fdb3a6159523389cb4f3dbfab2cf6a28297f955aa444a877dbcde2aa57ff7241083273c909463db807c3891d7ea1c12e995d1d1081e37e0c31fdea3924465

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\[email protected]\content\wx.xul

MD5 5090aed6ef4cdc1204eb98c093c8c2b0
SHA1 d0c19f5aed59a528e145327e39ca4e655cb66192
SHA256 486e4266f9b2c055121c525df41780d6e3871431b5b777f22237ad6dafd37bac
SHA512 b0fa90c2f1f24d6aa924fc39062158f76fa42522e06dc78b6e133d477872e92a99697e55a4ad827627592d155af278e31694185f52e84733b5eceea75ebbd3eb

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\jomacbdnmbmgmpekpadagomjbnffjifd.crx

MD5 0541a5ece5e1ca5682c93062d127792b
SHA1 3a52c653f223c2b9a43001ccacf763900548fd61
SHA256 a42f632d402e27f0ee5f12cb46c150a268e8fd780359ff220635198031a0da6f
SHA512 7c17b33f9e2ca3e8a1654462a002f8985498404f6297899482bc84b561aaed3b454a0137d69346fb5427a426a2ac0b1fea6af5c716fbb48da545c2c6cc1536a2

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\background.html

MD5 01110095338dc8307782423e3c708c1a
SHA1 0a7815f7d1608ddfd1b87bc7e18f364d12d39e50
SHA256 80cf1fea163b6989ca42dfaac7f0b35aca2bb81633d88edd913f66bd75de52ed
SHA512 7abec39d55cb699938eddf78efb700eb3c7fc0df74339b4542491f10345fa15a38346259d6f097b6c10ee416e348315c21926a5a66b4f7bf43c527417d91b4b1

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\content.js

MD5 27289c66bf310af3ef89d7c5315af97e
SHA1 f6cd0f1878cad0efbe917020489ba4d1e0c20e94
SHA256 59c162db874f059fca54d9b202a6e063e4459a5910e7f4768ec9834084fc983b
SHA512 b80f2a8dd8e5b981ce832fbbf696958784002426c50ba20618753e30daa1af3a28df650ae2a998c2e636c85289a3d38bbd3b2ad494210155deae3540a305c326

C:\Users\Admin\AppData\Local\Temp\7zS5BF5.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\TheBflix\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b