Malware Analysis Report

2025-01-18 22:03

Sample ID: 240622-eft9vswhmh
Target: 01255248cf04b0d2f08c8004910fbe79_JaffaCakes118
SHA256: fe54f319f3f1bbddd346add7112ec5fce34c50adf86bf8f24135b7af30847553
Tags: adware, discovery, spyware, stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: fe54f319f3f1bbddd346add7112ec5fce34c50adf86bf8f24135b7af30847553

Threat Level: Shows suspicious behavior

The file 01255248cf04b0d2f08c8004910fbe79_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: adware, discovery, spyware, stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

System policy modification

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-06-22 03:53

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 03:53
Reported: 2024-06-22 03:55
Platform: win7-20240611-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe

Reads user/profile data of web browsers

Tags: spyware, stealer

Checks installed software on the system

Tags: discovery

Installs/modifies Browser Helper Object

Tags: stealer, adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

Tags: installer

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING Class" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A

System policy modification

Tags: evasion

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} = "1" C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\jquery.js

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\indexeddb.js

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\lsdb.js

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\jsext.js

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\sqlite.js

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\prfdb.js

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\[email protected]\content\wx.xul

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\eoopffnlgmjhikifbioccdjbkdlacpgm.crx

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\content.js

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\bhoclass.dll

C:\Users\Admin\AppData\Local\Temp\7zS1F92.tmp\background.html

C:\ProgramData\ADDICT-THING\uninstall.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 03:53
Reported: 2024-06-22 03:56
Platform: win10v2004-20240226-en
Max time kernel: 140s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe

Reads user/profile data of web browsers

Tags: spyware, stealer

Checks installed software on the system

Tags: discovery

Installs/modifies Browser Helper Object

Tags: stealer, adware

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

Tags: installer

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ = "ADDICT-THING Class" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8CDAD028-4452-F7A4-AEA2-4EE48ABCB651} = "1" C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01255248cf04b0d2f08c8004910fbe79_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe

.\setup.exe /s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
Files

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\indexeddb.js

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\jquery.js

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\sqlite.js

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\prfdb.js

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\lsdb.js

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\jsext.js

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\[email protected]\content\wx.xul

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\eoopffnlgmjhikifbioccdjbkdlacpgm.crx

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\background.html

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\content.js

C:\Users\Admin\AppData\Local\Temp\7zSF5.tmp\bhoclass.dll

C:\ProgramData\ADDICT-THING\uninstall.exe
