Analysis Overview
SHA256
6826c604c59fbbe4f38b137b97969fe0d3f8acaa08e717f83cfb94583d3d3e04
Threat Level: Shows suspicious behavior
The file 012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118 was found to exhibit suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 04:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 04:02
Reported
2024-06-22 04:05
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ = "Codecv" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Codecv" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{43F425CB-2733-F60B-18DC-EC39D665A42B}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{43F425CB-2733-F60B-18DC-EC39D665A42B}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ = "Codecv Class" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Codecv" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Codecv" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\settings.ini
| MD5 | 6f01294b88ac0cfc0237f661835ab7b4 |
| SHA1 | c4daf1b1e0a8699564d4c636d123b2013ce1de14 |
| SHA256 | 61493e6dcf15ad6cd3fe6bf94e81fdf95308fc86490292a64f1d0551f788e348 |
| SHA512 | e05e5873e893adecc1eff0a52edbc01239b0404d425611fd4f41f9e5541efef0d0c06c8b5104ba8811a4159b364db6f04f0097172041cc90a4a6462e96ff25bd |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\chrome.manifest
| MD5 | d4cebf9c12a2921bc6d00719e8534aba |
| SHA1 | 9aa6d560790a8aa8ea76d3ceb6ce26882381e59e |
| SHA256 | 5708c14695ca8b5999922335c269572ad18ba24b1a49431d6cb07088a79502c8 |
| SHA512 | 5c412a2bcbd037e6baa0310acb3f1ce352136137f113b2da53355c572fe0313a5bd11178d4491ab0dda3b00a3ed048bc6cd9673a9afb3b9e8ca32718ff78cee9 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\install.rdf
| MD5 | 6dbbaf967fa9dff036bfe60bf6824968 |
| SHA1 | 6e768ba75ff9b0d7f58083caf458f37a07d27bd3 |
| SHA256 | c631a3c7d8c33a2ead05a1c815e2b296c2822a2df28ea0752e139e77b7eadaa1 |
| SHA512 | d4ce46188457d5d8d24216da96ac3e6fd7987bd265365a662060978eeea8c1f1d3bda374fa6595c2ab422c65e9286dd346935b9b884efefcea268169424d04f5 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\indexeddb.js
| MD5 | fe63db9e0fd26cb53a8c721dcfb1ffbe |
| SHA1 | 7c28a55471bf8f2c9b93c79b7380fca3809ec2c0 |
| SHA256 | 6b457985391216a3a41728520154b0012022d5451d9cfb9e9a3a20845ed0197d |
| SHA512 | 9dd463e84500fa0ed6d94340cfec61da4cd8efa74d3a3690d9b933bdca2805c62601c61dd0aae9800e75e7a65b18342817289135775d3537ca7f8fde0082d013 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\jsext.js
| MD5 | b94670215d48ff4d399523dca371bda2 |
| SHA1 | 763a339471e1f6374086501889e64be3bdc8cedb |
| SHA256 | b5bf500090d87eecab280bffea9a5b958fff5a20f2be0d09772a124755820dfb |
| SHA512 | 7310d3cc5c72416581838569d36046fa38e4f4867e59d929011c5e402d6f7cb03ac5ee99ac98c6d32b64fa2c2e657eed0b3d46d612e441b2b10af497d8812e4d |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\lsdb.js
| MD5 | fad444c919985751203f45a4e0b8badb |
| SHA1 | 871c61fa1a6cdf32251153b475a93c94ea702b28 |
| SHA256 | 5ea4ccdccce414b73163b878731509336306e5bc61e9b8f11083cd1f61d1de9f |
| SHA512 | d8d3450c729e9f4c6816c9677b68452ccff4d84ea9a56136d2dc0feb8dd0cafc6b5c683b500e33f43728a8ee3b33e5ab0496c8617e25469f4b54252411915fe1 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\prfdb.js
| MD5 | e52df77fcb27a7f23d93f2f5fe6745f4 |
| SHA1 | 4c9bdb602532fc16cf0379c59ee59840e1d324a3 |
| SHA256 | 09292998fd3170519e5792b316fbdc6c8973c75e84cfae48f0c1928fff1344d1 |
| SHA512 | b573bd75ce7cda2fdf76a6232dfc9bb65a657776445171bdaedb2ed634c1371c7c223f557fac3a9762dff46da7a9137d10cb9123853e954fd85ce017c69dc243 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\sqlite.js
| MD5 | 69964c38004d6554f0e809c749198e6a |
| SHA1 | ee2e48cbf996779bc26323f6b9003f2845b768f2 |
| SHA256 | 07c19fa1dff6963bfd5673d340a04c8e872f1fe9e700f47e57f80c3e8eea6c8f |
| SHA512 | 998812d322cee9a2eda8f832a10243001381ffa793c03f80d18bbb2de8ef849c9e1528aa1ea0ca738994834d6b88d9d5ddcbcd13ec781719f949732c78a19c55 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\wx.xul
| MD5 | 71becbd8a3cbb50bab6ee361a34c3b98 |
| SHA1 | d45b972691b6ab3d6458336759bbf61a9f75f809 |
| SHA256 | 0f059be88cb188625e6e20dea45887d095d69c744ba6cea194806ff863af1b74 |
| SHA512 | f4c71d62843b9e2352fd895070895ac52cd6557b257cf7591c97507e8d449501636204bb6fa4a0f1b7e5cbdb4acc11ac28ceea942146a05f0f94f21776228a36 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\koddbiblfiepahkdkmcdiijkjnohjpgi.crx
| MD5 | 0eaa209843ddcbac66213f238da15732 |
| SHA1 | 7cbf77321bc93ad65854135d9ff7c5ffd7083a20 |
| SHA256 | c5a40a334df54647f25d389595dd0df64c91936bdf4d0eefa7dc6b6e1c12de79 |
| SHA512 | 4b6ff1b450204ba984cc292cf572f5eed02d704a90c9a1d8c8a62191a1ffe745da5e0f80efd753fd6b245c1e360050331e97bbc5ca5b742bb4956ade401dc2aa |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\background.html
| MD5 | ba3ec121a96c34464fc7bd1c285aec1f |
| SHA1 | 8f379017cef7e4140c091a234cafa5c4c4ced4d1 |
| SHA256 | 4b749a3654c33f23d5c727fb455ccc92a192cd44b0050e1b307049814bfb4949 |
| SHA512 | a19d3f4cd67b566b3f946f911d751647896d1d73b52195ac65b59439dc044fc3ff46d23a247a4e8ccd640275e4a1e330900ec337da1bad6faad626bfbf677150 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\content.js
| MD5 | b283052907215c49c81ff9b54508acb0 |
| SHA1 | 784f46c010ef991845309d799293aafff44b7528 |
| SHA256 | 226c6ffb95f1e2dd5dbb1b8cdcc60fef8c2475833722218ce5750a9879fcc6b7 |
| SHA512 | 59094cfb22edf5c859889ee836ccf60363f7fafd194fecb87700f57d95ef9adaae4e26da3781397b2d68e18aea8c3429efa1a8dd61d8014f3b33b2fdcbb86ef3 |
C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\Codecv\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 04:02
Reported
2024-06-22 04:05
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ = "Codecv" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Codecv" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{43F425CB-2733-F60B-18DC-EC39D665A42B}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Codecv" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ = "Codecv Class" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Codecv" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{43F425CB-2733-F60B-18DC-EC39D665A42B}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2856 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe |
| PID 2856 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe |
| PID 2856 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe
.\setup.exe /s
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\settings.ini
| MD5 | 6f01294b88ac0cfc0237f661835ab7b4 |
| SHA1 | c4daf1b1e0a8699564d4c636d123b2013ce1de14 |
| SHA256 | 61493e6dcf15ad6cd3fe6bf94e81fdf95308fc86490292a64f1d0551f788e348 |
| SHA512 | e05e5873e893adecc1eff0a52edbc01239b0404d425611fd4f41f9e5541efef0d0c06c8b5104ba8811a4159b364db6f04f0097172041cc90a4a6462e96ff25bd |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\chrome.manifest
| MD5 | d4cebf9c12a2921bc6d00719e8534aba |
| SHA1 | 9aa6d560790a8aa8ea76d3ceb6ce26882381e59e |
| SHA256 | 5708c14695ca8b5999922335c269572ad18ba24b1a49431d6cb07088a79502c8 |
| SHA512 | 5c412a2bcbd037e6baa0310acb3f1ce352136137f113b2da53355c572fe0313a5bd11178d4491ab0dda3b00a3ed048bc6cd9673a9afb3b9e8ca32718ff78cee9 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\install.rdf
| MD5 | 6dbbaf967fa9dff036bfe60bf6824968 |
| SHA1 | 6e768ba75ff9b0d7f58083caf458f37a07d27bd3 |
| SHA256 | c631a3c7d8c33a2ead05a1c815e2b296c2822a2df28ea0752e139e77b7eadaa1 |
| SHA512 | d4ce46188457d5d8d24216da96ac3e6fd7987bd265365a662060978eeea8c1f1d3bda374fa6595c2ab422c65e9286dd346935b9b884efefcea268169424d04f5 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\indexeddb.js
| MD5 | fe63db9e0fd26cb53a8c721dcfb1ffbe |
| SHA1 | 7c28a55471bf8f2c9b93c79b7380fca3809ec2c0 |
| SHA256 | 6b457985391216a3a41728520154b0012022d5451d9cfb9e9a3a20845ed0197d |
| SHA512 | 9dd463e84500fa0ed6d94340cfec61da4cd8efa74d3a3690d9b933bdca2805c62601c61dd0aae9800e75e7a65b18342817289135775d3537ca7f8fde0082d013 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\lsdb.js
| MD5 | fad444c919985751203f45a4e0b8badb |
| SHA1 | 871c61fa1a6cdf32251153b475a93c94ea702b28 |
| SHA256 | 5ea4ccdccce414b73163b878731509336306e5bc61e9b8f11083cd1f61d1de9f |
| SHA512 | d8d3450c729e9f4c6816c9677b68452ccff4d84ea9a56136d2dc0feb8dd0cafc6b5c683b500e33f43728a8ee3b33e5ab0496c8617e25469f4b54252411915fe1 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\jsext.js
| MD5 | b94670215d48ff4d399523dca371bda2 |
| SHA1 | 763a339471e1f6374086501889e64be3bdc8cedb |
| SHA256 | b5bf500090d87eecab280bffea9a5b958fff5a20f2be0d09772a124755820dfb |
| SHA512 | 7310d3cc5c72416581838569d36046fa38e4f4867e59d929011c5e402d6f7cb03ac5ee99ac98c6d32b64fa2c2e657eed0b3d46d612e441b2b10af497d8812e4d |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\prfdb.js
| MD5 | e52df77fcb27a7f23d93f2f5fe6745f4 |
| SHA1 | 4c9bdb602532fc16cf0379c59ee59840e1d324a3 |
| SHA256 | 09292998fd3170519e5792b316fbdc6c8973c75e84cfae48f0c1928fff1344d1 |
| SHA512 | b573bd75ce7cda2fdf76a6232dfc9bb65a657776445171bdaedb2ed634c1371c7c223f557fac3a9762dff46da7a9137d10cb9123853e954fd85ce017c69dc243 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\sqlite.js
| MD5 | 69964c38004d6554f0e809c749198e6a |
| SHA1 | ee2e48cbf996779bc26323f6b9003f2845b768f2 |
| SHA256 | 07c19fa1dff6963bfd5673d340a04c8e872f1fe9e700f47e57f80c3e8eea6c8f |
| SHA512 | 998812d322cee9a2eda8f832a10243001381ffa793c03f80d18bbb2de8ef849c9e1528aa1ea0ca738994834d6b88d9d5ddcbcd13ec781719f949732c78a19c55 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\wx.xul
| MD5 | 71becbd8a3cbb50bab6ee361a34c3b98 |
| SHA1 | d45b972691b6ab3d6458336759bbf61a9f75f809 |
| SHA256 | 0f059be88cb188625e6e20dea45887d095d69c744ba6cea194806ff863af1b74 |
| SHA512 | f4c71d62843b9e2352fd895070895ac52cd6557b257cf7591c97507e8d449501636204bb6fa4a0f1b7e5cbdb4acc11ac28ceea942146a05f0f94f21776228a36 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\koddbiblfiepahkdkmcdiijkjnohjpgi.crx
| MD5 | 0eaa209843ddcbac66213f238da15732 |
| SHA1 | 7cbf77321bc93ad65854135d9ff7c5ffd7083a20 |
| SHA256 | c5a40a334df54647f25d389595dd0df64c91936bdf4d0eefa7dc6b6e1c12de79 |
| SHA512 | 4b6ff1b450204ba984cc292cf572f5eed02d704a90c9a1d8c8a62191a1ffe745da5e0f80efd753fd6b245c1e360050331e97bbc5ca5b742bb4956ade401dc2aa |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\background.html
| MD5 | ba3ec121a96c34464fc7bd1c285aec1f |
| SHA1 | 8f379017cef7e4140c091a234cafa5c4c4ced4d1 |
| SHA256 | 4b749a3654c33f23d5c727fb455ccc92a192cd44b0050e1b307049814bfb4949 |
| SHA512 | a19d3f4cd67b566b3f946f911d751647896d1d73b52195ac65b59439dc044fc3ff46d23a247a4e8ccd640275e4a1e330900ec337da1bad6faad626bfbf677150 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\content.js
| MD5 | b283052907215c49c81ff9b54508acb0 |
| SHA1 | 784f46c010ef991845309d799293aafff44b7528 |
| SHA256 | 226c6ffb95f1e2dd5dbb1b8cdcc60fef8c2475833722218ce5750a9879fcc6b7 |
| SHA512 | 59094cfb22edf5c859889ee836ccf60363f7fafd194fecb87700f57d95ef9adaae4e26da3781397b2d68e18aea8c3429efa1a8dd61d8014f3b33b2fdcbb86ef3 |
C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\Codecv\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |