Malware Analysis Report

2025-01-18 21:53

Sample ID 240622-el3s7a1cqm
Target 012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118
SHA256 6826c604c59fbbe4f38b137b97969fe0d3f8acaa08e717f83cfb94583d3d3e04
Tags adware, discovery, spyware, stealer
Score 7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file 012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:02

Reported

2024-06-22 04:05

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ = "Codecv" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Codecv" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{43F425CB-2733-F60B-18DC-EC39D665A42B}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{43F425CB-2733-F60B-18DC-EC39D665A42B}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ = "Codecv Class" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Codecv" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Codecv" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} = "1" C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\settings.ini

MD5 6f01294b88ac0cfc0237f661835ab7b4
SHA1 c4daf1b1e0a8699564d4c636d123b2013ce1de14
SHA256 61493e6dcf15ad6cd3fe6bf94e81fdf95308fc86490292a64f1d0551f788e348
SHA512 e05e5873e893adecc1eff0a52edbc01239b0404d425611fd4f41f9e5541efef0d0c06c8b5104ba8811a4159b364db6f04f0097172041cc90a4a6462e96ff25bd

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\chrome.manifest

MD5 d4cebf9c12a2921bc6d00719e8534aba
SHA1 9aa6d560790a8aa8ea76d3ceb6ce26882381e59e
SHA256 5708c14695ca8b5999922335c269572ad18ba24b1a49431d6cb07088a79502c8
SHA512 5c412a2bcbd037e6baa0310acb3f1ce352136137f113b2da53355c572fe0313a5bd11178d4491ab0dda3b00a3ed048bc6cd9673a9afb3b9e8ca32718ff78cee9

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\install.rdf

MD5 6dbbaf967fa9dff036bfe60bf6824968
SHA1 6e768ba75ff9b0d7f58083caf458f37a07d27bd3
SHA256 c631a3c7d8c33a2ead05a1c815e2b296c2822a2df28ea0752e139e77b7eadaa1
SHA512 d4ce46188457d5d8d24216da96ac3e6fd7987bd265365a662060978eeea8c1f1d3bda374fa6595c2ab422c65e9286dd346935b9b884efefcea268169424d04f5

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\indexeddb.js

MD5 fe63db9e0fd26cb53a8c721dcfb1ffbe
SHA1 7c28a55471bf8f2c9b93c79b7380fca3809ec2c0
SHA256 6b457985391216a3a41728520154b0012022d5451d9cfb9e9a3a20845ed0197d
SHA512 9dd463e84500fa0ed6d94340cfec61da4cd8efa74d3a3690d9b933bdca2805c62601c61dd0aae9800e75e7a65b18342817289135775d3537ca7f8fde0082d013

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\jsext.js

MD5 b94670215d48ff4d399523dca371bda2
SHA1 763a339471e1f6374086501889e64be3bdc8cedb
SHA256 b5bf500090d87eecab280bffea9a5b958fff5a20f2be0d09772a124755820dfb
SHA512 7310d3cc5c72416581838569d36046fa38e4f4867e59d929011c5e402d6f7cb03ac5ee99ac98c6d32b64fa2c2e657eed0b3d46d612e441b2b10af497d8812e4d

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\lsdb.js

MD5 fad444c919985751203f45a4e0b8badb
SHA1 871c61fa1a6cdf32251153b475a93c94ea702b28
SHA256 5ea4ccdccce414b73163b878731509336306e5bc61e9b8f11083cd1f61d1de9f
SHA512 d8d3450c729e9f4c6816c9677b68452ccff4d84ea9a56136d2dc0feb8dd0cafc6b5c683b500e33f43728a8ee3b33e5ab0496c8617e25469f4b54252411915fe1

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\prfdb.js

MD5 e52df77fcb27a7f23d93f2f5fe6745f4
SHA1 4c9bdb602532fc16cf0379c59ee59840e1d324a3
SHA256 09292998fd3170519e5792b316fbdc6c8973c75e84cfae48f0c1928fff1344d1
SHA512 b573bd75ce7cda2fdf76a6232dfc9bb65a657776445171bdaedb2ed634c1371c7c223f557fac3a9762dff46da7a9137d10cb9123853e954fd85ce017c69dc243

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\sqlite.js

MD5 69964c38004d6554f0e809c749198e6a
SHA1 ee2e48cbf996779bc26323f6b9003f2845b768f2
SHA256 07c19fa1dff6963bfd5673d340a04c8e872f1fe9e700f47e57f80c3e8eea6c8f
SHA512 998812d322cee9a2eda8f832a10243001381ffa793c03f80d18bbb2de8ef849c9e1528aa1ea0ca738994834d6b88d9d5ddcbcd13ec781719f949732c78a19c55

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\[email protected]\content\wx.xul

MD5 71becbd8a3cbb50bab6ee361a34c3b98
SHA1 d45b972691b6ab3d6458336759bbf61a9f75f809
SHA256 0f059be88cb188625e6e20dea45887d095d69c744ba6cea194806ff863af1b74
SHA512 f4c71d62843b9e2352fd895070895ac52cd6557b257cf7591c97507e8d449501636204bb6fa4a0f1b7e5cbdb4acc11ac28ceea942146a05f0f94f21776228a36

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\koddbiblfiepahkdkmcdiijkjnohjpgi.crx

MD5 0eaa209843ddcbac66213f238da15732
SHA1 7cbf77321bc93ad65854135d9ff7c5ffd7083a20
SHA256 c5a40a334df54647f25d389595dd0df64c91936bdf4d0eefa7dc6b6e1c12de79
SHA512 4b6ff1b450204ba984cc292cf572f5eed02d704a90c9a1d8c8a62191a1ffe745da5e0f80efd753fd6b245c1e360050331e97bbc5ca5b742bb4956ade401dc2aa

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\background.html

MD5 ba3ec121a96c34464fc7bd1c285aec1f
SHA1 8f379017cef7e4140c091a234cafa5c4c4ced4d1
SHA256 4b749a3654c33f23d5c727fb455ccc92a192cd44b0050e1b307049814bfb4949
SHA512 a19d3f4cd67b566b3f946f911d751647896d1d73b52195ac65b59439dc044fc3ff46d23a247a4e8ccd640275e4a1e330900ec337da1bad6faad626bfbf677150

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\content.js

MD5 b283052907215c49c81ff9b54508acb0
SHA1 784f46c010ef991845309d799293aafff44b7528
SHA256 226c6ffb95f1e2dd5dbb1b8cdcc60fef8c2475833722218ce5750a9879fcc6b7
SHA512 59094cfb22edf5c859889ee836ccf60363f7fafd194fecb87700f57d95ef9adaae4e26da3781397b2d68e18aea8c3429efa1a8dd61d8014f3b33b2fdcbb86ef3

C:\Users\Admin\AppData\Local\Temp\7zS31AB.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\Codecv\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 04:02

Reported

2024-06-22 04:05

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ = "Codecv" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43F425CB-2733-F60B-18DC-EC39D665A42B} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Codecv" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{43F425CB-2733-F60B-18DC-EC39D665A42B}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Codecv" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ = "Codecv Class" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Codecv" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{43F425CB-2733-F60B-18DC-EC39D665A42B}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{43F425CB-2733-F60B-18DC-EC39D665A42B} = "1" C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\012c5b4002fe2eeadfac307e15b0e5f4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe

.\setup.exe /s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\indexeddb.js

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\jquery.js

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\lsdb.js

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\jsext.js

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\prfdb.js

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\sqlite.js

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\[email protected]\content\wx.xul

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\koddbiblfiepahkdkmcdiijkjnohjpgi.crx

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\background.html

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\content.js

C:\Users\Admin\AppData\Local\Temp\7zSE1A5.tmp\bhoclass.dll

C:\ProgramData\Codecv\uninstall.exe