Analysis Overview
SHA256
fe54f319f3f1bbddd346add7112ec5fce34c50adf86bf8f24135b7af30847553
Threat Level: Shows suspicious behavior
Verdict for the file 01255248cf04b0d2f08c8004910fbe79_JaffaCakes118: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry class
System policy modification
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 03:53
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 03:53
Reported
2024-06-22 03:55
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING Class" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
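The behavioral1 signatures above describe one installation chain. The submitted executable unpacks into `%TEMP%\7zS1F92.tmp` (the `7zS` prefix is the temporary-directory naming used by 7-Zip's SFX installer module) and runs `.\setup.exe /s`. setup.exe, flagged as an NSIS installer, then registers an Internet Explorer Browser Helper Object named "ADDICT-THING": it creates the CLSID `{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}` with `InprocServer32` pointing at `C:\ProgramData\ADDICT-THING\bhoclass.dll`, lists that CLSID under `...\Explorer\Browser Helper Objects` with `NoExplorer = 1` (load in Internet Explorer, not in the Explorer shell), and writes `Policies\Ext\CLSID\{CLSID} = "1"`, the IE Add-on List policy value that marks the add-on as allowed and not user-manageable, so the user is neither prompted about it nor able to disable it in Manage Add-ons. The Python below is an added example and is not part of the sandbox report or of the sample: it parses indicator rows in the report's own `| op | indicator | process | target |` layout (the constructed sample input is a subset of the rows above, copied verbatim), reconstructs the BHO registration from them, and emits the three flags an analyst would want to see. The `TRUSTED_DLL_PREFIXES` list is an assumption for illustration, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample input: six indicator rows copied from the behavioral1 tables
# above (Installs/modifies Browser Helper Object, Modifies registry class and
# System policy modification), so the script runs offline on the page's own data.
SAMPLE_REPORT = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe | N/A |
"""

GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
ROW = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")
BHO_KEY = re.compile(r"\\Browser Helper Objects\\" + GUID + r"$", re.I)
INPROC_KEY = re.compile(r"\\CLSID\\" + GUID + r"\\InprocServer32$", re.I)
POLICY_KEY = re.compile(r"\\Policies\\Ext\\CLSID$", re.I)
# Assumed allow-list: where a legitimately installed BHO DLL is normally loaded from.
TRUSTED_DLL_PREFIXES = ("c:\\program files", "c:\\windows\\")


@dataclass
class BhoFinding:
    clsid: str
    display_name: Optional[str] = None
    dll: Optional[str] = None
    no_explorer: bool = False
    policy_allowed: bool = False
    flags: List[str] = field(default_factory=list)


def split_indicator(indicator: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an indicator into (key path, value name, value).

    Key-only rows return (key, None, None). A value row reads `<key>\\<name> = "<value>"`;
    the report writes a key's (Default) value as `<key>\\ = "<value>"`, i.e. an empty name.
    """
    if ' = "' not in indicator:
        return indicator, None, None
    key_part, raw_value = indicator.split(' = "', 1)
    value = raw_value.rstrip('"').replace("\\\\", "\\")  # undo the report's backslash escaping
    if key_part.endswith("\\"):
        return key_part[:-1], "", value
    key, _, name = key_part.rpartition("\\")
    return key, name, value


def parse_rows(report: str) -> Iterator[Tuple[str, str, Optional[str], Optional[str], str]]:
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        key, name, value = split_indicator(m.group("ind"))
        yield m.group("op"), key, name, value, m.group("proc")


def analyze_bho_registration(report: str) -> Dict[str, BhoFinding]:
    """Correlate BHO list entries, CLSID servers and the IE Add-on List policy by CLSID."""
    findings: Dict[str, BhoFinding] = {}
    inproc: Dict[str, str] = {}
    policy_allowed: Dict[str, bool] = {}

    for op, key, name, value, _proc in parse_rows(report):
        if op == "Key deleted":
            continue  # cleanup rows carry no registration data
        m = BHO_KEY.search(key)
        if m:
            clsid = m.group(1).upper()
            f = findings.setdefault(clsid, BhoFinding(clsid))
            if name == "" and value:
                f.display_name = value
            elif name and name.lower() == "noexplorer" and value == "1":
                f.no_explorer = True
            continue
        m = INPROC_KEY.search(key)
        if m and name == "" and value:
            inproc[m.group(1).upper()] = value
            continue
        if POLICY_KEY.search(key) and name and value == "1":
            policy_allowed[name.upper()] = True

    for clsid, f in findings.items():
        f.dll = inproc.get(clsid)
        f.policy_allowed = policy_allowed.get(clsid, False)
        if f.dll is None:
            f.flags.append("BHO registered but no InprocServer32 seen in this log")
        elif not f.dll.lower().startswith(TRUSTED_DLL_PREFIXES):
            f.flags.append(f"BHO DLL outside Program Files/Windows: {f.dll}")
        if f.no_explorer:
            f.flags.append("NoExplorer=1: loaded by Internet Explorer, hidden from the Explorer shell")
        if f.policy_allowed:
            f.flags.append("pre-approved via Policies\\Ext\\CLSID (Add-on List = 1): user cannot disable it")
    return findings


if __name__ == "__main__":
    for finding in analyze_bho_registration(SAMPLE_REPORT).values():
        print(f"{finding.clsid} {finding.display_name!r} -> {finding.dll}")
        for flag in finding.flags:
            print("  -", flag)
```

The same correlation works on a live host by reading the three keys directly; the point of keying on the CLSID is that the `Browser Helper Objects` entry alone tells you nothing about which DLL runs, and the `Policies\Ext\CLSID` entry is easy to overlook because it lives outside both the class registration and the BHO list.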
Processes
C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe
.\setup.exe /s
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\settings.ini
| MD5 | cb3f9431d8b7326aff595fddc096315f |
| SHA1 | fccfeeb004a78ca2755f679e517bbfdc448213d1 |
| SHA256 | 26e4daafc10af61a5142feb5f4f0bad4cdd625457cc39eb3629d0ef783296f32 |
| SHA512 | 5077339cbac7022cbfe625579b2ba37496ae646e454d08aba87ceb3e8433b34728586c1c0a47cab0e8e7ca8ceeb40800211422e03c32af831c9368b3c86dfad0 |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\chrome.manifest
| MD5 | 23937200504744a48203c769727d436a |
| SHA1 | 6a971e804274299971b3cc19ffd11faea9455787 |
| SHA256 | 44472176b02fa1194e5be2528ac1f8a5e2ef4b6f3529375ba51382f5fb36af29 |
| SHA512 | 912a695f3f2838d14c8af9d992ae95146661303146628a9becd9ec2586c4e01b7454fa3cad26bacf0b7372c7e9b30a4498dbf16ddd32f7dab74d45e09fa488ad |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\install.rdf
| MD5 | 5f00745a7f170c5da8b523a87d287d99 |
| SHA1 | 66da8b4f88114a6d5850983e36b442630c406d0b |
| SHA256 | 0078e0202a8752828bb9f60fc75478d245efdaa70ed03a162e45b407caf13c94 |
| SHA512 | f5caa50c2846651bdcbcb0abb580bc60a3077021bdbc5f76374c580a2710670aaea9a4c07765d63f64363b3578829f47663939f905131709afcc5c041351b04d |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\indexeddb.js
| MD5 | 2e712400d103fc6987b654ee15cae5dc |
| SHA1 | f8db11a3bbf8bfe26c9481e21896ff2e15c01abb |
| SHA256 | 90f556b411ce4487853ce28a86e6e6c560e7249844c175882dbed86c52241222 |
| SHA512 | 6948ed6c4a290df84a9990669e97b8a923e9b0f05915ffa28de3271eee24ed74ff09adfb93c33742df5f147b33a36ae3a625034a70349c961e2ef5ce23e3735b |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\lsdb.js
| MD5 | 3c354274baedd36745463d2782eeb9cb |
| SHA1 | cffd992f21455895bb4268429083fbc6460db990 |
| SHA256 | 3f0f69db7d081ea6ff0fdf3e1b2ed1106e4298da1112e297f7502fd362953099 |
| SHA512 | 0f580ddd7121cd486ce088fc5930ca4caa04273bb0c67e2e5aa6d06b546bf1799bb7961d0ee89a6dc18215f2e6a64f92703ff700e1f8402bdf049193e0803e1c |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\jsext.js
| MD5 | f7e0876351b1622ca4695d845fbfede2 |
| SHA1 | 0ad75a153985d7c6e638dd444065de853df2f278 |
| SHA256 | fd0ffe28699074369165611e46ed3dc4ddb3d573666e9ee51a143d6162b66eb4 |
| SHA512 | c57f5c52cf024f7d731f7befc467aa5312fb8787c6a183773cfa60957d665c134bec2e98dfcb9a83af7f71179fb0824672133759ac4186621caf275f305d011b |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\sqlite.js
| MD5 | 1994469223b1ecf923e65c031c1debd6 |
| SHA1 | c5be94e49a274a9acc011aec100ec68380037559 |
| SHA256 | 26c0ba17bab190349f51a98e7102e1cd4f21cfc9e42a82d6c964356422f1cfdc |
| SHA512 | 656cf623fdf5291999b2b8cb136bb1178fb79ccfcf534ffe6ab72b0c5a382b3898592b65ea77d5cc55c3d48c4d6daf0dd1b6febfcabc39295ca1126a33741f0a |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\prfdb.js
| MD5 | 9f352eb08ca3b66d4e31e388707b86db |
| SHA1 | ea73304fdb45da9075a315c581d6654dbab376c6 |
| SHA256 | 46a927bda123791b7343190d524bc8151aaff6465860634d0fb8762a34d74e08 |
| SHA512 | dcddc63e29d72f853fbd0d2559dcc33071b6b0c9a6f441fa5f6dcc03464c721426a232dc649b1e92595d072997896a1b81c7456dd043fb549a5c3839f2f396a1 |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\wx.xul
| MD5 | a269614da35864ed962e5b5a00f3f7c4 |
| SHA1 | 18c7ad3f9141821368d030675a0692eb4734e43d |
| SHA256 | 6fae6a30888459ace1e3531c08450a176e40ab020cee75bb26f682c6a20aa1b9 |
| SHA512 | dc5b70cd6ac123a6a6d83fdcde0f64b2958802221f514b9d56b1f917288dbd95623bb47a1565c55a31435c6a6fb6efdb47f91b75380681a38306faa4abbdad5a |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\eoopffnlgmjhikifbioccdjbkdlacpgm.crx
| MD5 | 456824274e4a20e77871da687f18b261 |
| SHA1 | a91d059d5aded47d4b45b914a2b30ac1f871d4d4 |
| SHA256 | 5e618cdcc45cf0a4f1c67c51cb337dfdedf672e53f9c6e5c36404fd315049210 |
| SHA512 | 0252448e570671aef4d4c4e402cca2c9d2153cce7379f60839c705a7a1959df905b57eb6563979c1423ec86dd198be1d6152f38d2615d0843cfeca0870d948eb |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\content.js
| MD5 | 050505d5a36465864ddc1f14853a3670 |
| SHA1 | 510d0c5bc52be97485cb982fe64bbf9f96745175 |
| SHA256 | 20c580d3f99fe0f9db9518c2d6d3f7600e8ae15328d656914324a9a110b56642 |
| SHA512 | cdb078895e8083f5198912bfef9dcf493006c5dfeabf675329512fb34a2a3f119abc67fa9217565144fccc724aedb01cb43a10b93873885901506ac861aa15c1 |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\background.html
| MD5 | 6bf2da25ada750d189d992d31fe21438 |
| SHA1 | d167c9f540a8c1aa4d01cd0d98da3e7a8ed0623d |
| SHA256 | df830a4bb70ea52e6ebecc489897ea99287ebae4ab281b2c9ee6374580a94e7c |
| SHA512 | 62bec2ec763f6bd168f9c70368cd90e4f070aa0474cf984827035a48ab3a76d58dabef18b4f257c7b9367eda37a0c0938c368dcb0a468dfe31c06c0ddb125f1d |
C:\ProgramData\ADDICT-THING\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
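The dropped files above are one payload per browser: `bhoclass.dll` for Internet Explorer (the BHO registered in the signatures), a legacy Firefox extension in the directory rendered as `[email protected]` on this page (`install.rdf` and `chrome.manifest` are the pre-WebExtensions descriptors, and `wx.xul` a XUL overlay), and a Chrome extension, `eoopffnlgmjhikifbioccdjbkdlacpgm.crx`, whose file name has the shape of a Chrome extension ID (32 letters a to p). That ID is not arbitrary: Chrome derives it from the SHA-256 of the extension's signing public key, so it survives renaming and is identical for every build signed with the same key, which makes it a useful pivot across samples. The Python below is an added example and is not the sandbox's or the sample's code. It assumes the CRX2 container layout (the report does not say which CRX version the file uses; CRX3 wraps its header in a protobuf instead), recomputes the ID from the embedded key and compares it with the file name. Because the actual .crx is not on the page, it runs on a constructed container with a placeholder key and a zeroed signature; verifying the RSA signature over the zip needs a crypto library and is left out.

```python
import hashlib
import io
import struct
import zipfile
from typing import Dict, Tuple

CRX_MAGIC = b"Cr24"


def extension_id_from_pubkey(pubkey_der: bytes) -> str:
    """Chrome extension ID: first 16 bytes of SHA-256(public key) with hex digits 0-f rewritten as a-p."""
    hex16 = hashlib.sha256(pubkey_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in hex16)


def build_crx2(pubkey_der: bytes, signature: bytes, zip_payload: bytes) -> bytes:
    """CRX2 layout: 'Cr24' | u32 version=2 | u32 key length | u32 signature length | key | signature | zip."""
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey_der), len(signature))
    return header + pubkey_der + signature + zip_payload


def parse_crx2(data: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (public key, signature, zip payload) or raise ValueError for anything that is not CRX2."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX container")
    version, key_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    key_start = 16
    sig_start = key_start + key_len
    zip_start = sig_start + sig_len
    if zip_start > len(data):
        raise ValueError("truncated CRX header")
    return data[key_start:sig_start], data[sig_start:zip_start], data[zip_start:]


def triage_crx(file_name: str, data: bytes) -> Dict[str, object]:
    """Derive the extension ID from the key in the container and check it against the file name."""
    pubkey, signature, payload = parse_crx2(data)
    ext_id = extension_id_from_pubkey(pubkey)
    stem = file_name.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    with zipfile.ZipFile(io.BytesIO(payload)) as z:
        names = z.namelist()
        manifest = z.read("manifest.json").decode() if "manifest.json" in names else None
    return {
        "extension_id": ext_id,
        "id_matches_file_name": ext_id == stem,
        "signature_len": len(signature),
        "files": names,
        "manifest": manifest,
    }


# Constructed sample: a placeholder key blob (not a real SubjectPublicKeyInfo) and a
# zeroed signature wrapped around a minimal two-file extension zip.
FAKE_PUBKEY = b"constructed-public-key-bytes-not-a-real-SPKI"
FAKE_SIGNATURE = b"\x00" * 128
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _z:
    _z.writestr("manifest.json", '{"name": "sample", "version": "1.0", "manifest_version": 2}')
    _z.writestr("background.html", "<script src='background.js'></script>")
SAMPLE_CRX = build_crx2(FAKE_PUBKEY, FAKE_SIGNATURE, _buf.getvalue())
SAMPLE_ID = extension_id_from_pubkey(FAKE_PUBKEY)

if __name__ == "__main__":
    # The file name from the report: with the placeholder key the derived ID will not match it.
    report_name = r"C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\eoopffnlgmjhikifbioccdjbkdlacpgm.crx"
    print(triage_crx(report_name, SAMPLE_CRX))
    # Naming the same container after its derived ID makes the check pass.
    print(triage_crx(SAMPLE_ID + ".crx", SAMPLE_CRX)["id_matches_file_name"])
```

Run against the real dropped file, a match between the derived ID and `eoopffnlgmjhikifbioccdjbkdlacpgm` would confirm the installer ships the extension under its genuine, key-bound ID; the ID can then be searched for in other samples and in browser profile directories, where Chrome installs extensions under that same string.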
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 03:53
Reported
2024-06-22 03:56
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING Class" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1804 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe |
| PID 1804 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe |
| PID 1804 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe
.\setup.exe /s
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\settings.ini
| MD5 | cb3f9431d8b7326aff595fddc096315f |
| SHA1 | fccfeeb004a78ca2755f679e517bbfdc448213d1 |
| SHA256 | 26e4daafc10af61a5142feb5f4f0bad4cdd625457cc39eb3629d0ef783296f32 |
| SHA512 | 5077339cbac7022cbfe625579b2ba37496ae646e454d08aba87ceb3e8433b34728586c1c0a47cab0e8e7ca8ceeb40800211422e03c32af831c9368b3c86dfad0 |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\install.rdf
| MD5 | 5f00745a7f170c5da8b523a87d287d99 |
| SHA1 | 66da8b4f88114a6d5850983e36b442630c406d0b |
| SHA256 | 0078e0202a8752828bb9f60fc75478d245efdaa70ed03a162e45b407caf13c94 |
| SHA512 | f5caa50c2846651bdcbcb0abb580bc60a3077021bdbc5f76374c580a2710670aaea9a4c07765d63f64363b3578829f47663939f905131709afcc5c041351b04d |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\chrome.manifest
| MD5 | 23937200504744a48203c769727d436a |
| SHA1 | 6a971e804274299971b3cc19ffd11faea9455787 |
| SHA256 | 44472176b02fa1194e5be2528ac1f8a5e2ef4b6f3529375ba51382f5fb36af29 |
| SHA512 | 912a695f3f2838d14c8af9d992ae95146661303146628a9becd9ec2586c4e01b7454fa3cad26bacf0b7372c7e9b30a4498dbf16ddd32f7dab74d45e09fa488ad |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\indexeddb.js
| MD5 | 2e712400d103fc6987b654ee15cae5dc |
| SHA1 | f8db11a3bbf8bfe26c9481e21896ff2e15c01abb |
| SHA256 | 90f556b411ce4487853ce28a86e6e6c560e7249844c175882dbed86c52241222 |
| SHA512 | 6948ed6c4a290df84a9990669e97b8a923e9b0f05915ffa28de3271eee24ed74ff09adfb93c33742df5f147b33a36ae3a625034a70349c961e2ef5ce23e3735b |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\sqlite.js
| MD5 | 1994469223b1ecf923e65c031c1debd6 |
| SHA1 | c5be94e49a274a9acc011aec100ec68380037559 |
| SHA256 | 26c0ba17bab190349f51a98e7102e1cd4f21cfc9e42a82d6c964356422f1cfdc |
| SHA512 | 656cf623fdf5291999b2b8cb136bb1178fb79ccfcf534ffe6ab72b0c5a382b3898592b65ea77d5cc55c3d48c4d6daf0dd1b6febfcabc39295ca1126a33741f0a |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\prfdb.js
| MD5 | 9f352eb08ca3b66d4e31e388707b86db |
| SHA1 | ea73304fdb45da9075a315c581d6654dbab376c6 |
| SHA256 | 46a927bda123791b7343190d524bc8151aaff6465860634d0fb8762a34d74e08 |
| SHA512 | dcddc63e29d72f853fbd0d2559dcc33071b6b0c9a6f441fa5f6dcc03464c721426a232dc649b1e92595d072997896a1b81c7456dd043fb549a5c3839f2f396a1 |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\lsdb.js
| MD5 | 3c354274baedd36745463d2782eeb9cb |
| SHA1 | cffd992f21455895bb4268429083fbc6460db990 |
| SHA256 | 3f0f69db7d081ea6ff0fdf3e1b2ed1106e4298da1112e297f7502fd362953099 |
| SHA512 | 0f580ddd7121cd486ce088fc5930ca4caa04273bb0c67e2e5aa6d06b546bf1799bb7961d0ee89a6dc18215f2e6a64f92703ff700e1f8402bdf049193e0803e1c |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\jsext.js
| MD5 | f7e0876351b1622ca4695d845fbfede2 |
| SHA1 | 0ad75a153985d7c6e638dd444065de853df2f278 |
| SHA256 | fd0ffe28699074369165611e46ed3dc4ddb3d573666e9ee51a143d6162b66eb4 |
| SHA512 | c57f5c52cf024f7d731f7befc467aa5312fb8787c6a183773cfa60957d665c134bec2e98dfcb9a83af7f71179fb0824672133759ac4186621caf275f305d011b |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\wx.xul
| MD5 | a269614da35864ed962e5b5a00f3f7c4 |
| SHA1 | 18c7ad3f9141821368d030675a0692eb4734e43d |
| SHA256 | 6fae6a30888459ace1e3531c08450a176e40ab020cee75bb26f682c6a20aa1b9 |
| SHA512 | dc5b70cd6ac123a6a6d83fdcde0f64b2958802221f514b9d56b1f917288dbd95623bb47a1565c55a31435c6a6fb6efdb47f91b75380681a38306faa4abbdad5a |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\eoopffnlgmjhikifbioccdjbkdlacpgm.crx
| MD5 | 456824274e4a20e77871da687f18b261 |
| SHA1 | a91d059d5aded47d4b45b914a2b30ac1f871d4d4 |
| SHA256 | 5e618cdcc45cf0a4f1c67c51cb337dfdedf672e53f9c6e5c36404fd315049210 |
| SHA512 | 0252448e570671aef4d4c4e402cca2c9d2153cce7379f60839c705a7a1959df905b57eb6563979c1423ec86dd198be1d6152f38d2615d0843cfeca0870d948eb |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\background.html
| MD5 | 6bf2da25ada750d189d992d31fe21438 |
| SHA1 | d167c9f540a8c1aa4d01cd0d98da3e7a8ed0623d |
| SHA256 | df830a4bb70ea52e6ebecc489897ea99287ebae4ab281b2c9ee6374580a94e7c |
| SHA512 | 62bec2ec763f6bd168f9c70368cd90e4f070aa0474cf984827035a48ab3a76d58dabef18b4f257c7b9367eda37a0c0938c368dcb0a468dfe31c06c0ddb125f1d |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\content.js
| MD5 | 050505d5a36465864ddc1f14853a3670 |
| SHA1 | 510d0c5bc52be97485cb982fe64bbf9f96745175 |
| SHA256 | 20c580d3f99fe0f9db9518c2d6d3f7600e8ae15328d656914324a9a110b56642 |
| SHA512 | cdb078895e8083f5198912bfef9dcf493006c5dfeabf675329512fb34a2a3f119abc67fa9217565144fccc724aedb01cb43a10b93873885901506ac861aa15c1 |
C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\ADDICT-THING\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |