Malware Analysis Report

2025-01-18 21:53

Sample ID 240622-emxcss1dkn
Target 012d90adf885aa8124938bb9c383fbb4_JaffaCakes118
SHA256 4bfa0ddc203d027a70f79e94cadf2c9f5e320c6237dfd4642b5fe0018b569e20
Tags
adware discovery spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

4bfa0ddc203d027a70f79e94cadf2c9f5e320c6237dfd4642b5fe0018b569e20

Threat Level: Shows suspicious behavior

The file 012d90adf885aa8124938bb9c383fbb4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Modifies registry class

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:04

Reported

2024-06-22 04:06

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{2516C490-141C-18E1-C995-F38DE768796D}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{2516C490-141C-18E1-C995-F38DE768796D}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\settings.ini

MD5 85225ffcca852362ddfa27194bfd6261
SHA1 5225731d17e11e2f07c8b4799362b45ae0f3c651
SHA256 eefd2bd9687ed7f1e50c53e287a17bf7390e71a2143609e449b5c9ea0f3e82ca
SHA512 dbf17b4829f194109b3a9d4d2358435b4308fe37626a2278424325a869aa08ed47de8fccdf142f527dd58136e2b1d96918b77bed44d2300231bc743d5171344e

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\chrome.manifest

MD5 1bfe7a3f23c9033296a43ae93ed1dc52
SHA1 529b026b23a17d7afce3cb97d21de89aa3d8121b
SHA256 413edeb3cf47bc32533adb14ac16dbd098dbc8b847ad20b050f61b368d137a64
SHA512 73e50ec2ef83694de3cb2763f825a95f0c13f2d1070d31d7d7eb2ce3f5cfe6817a38a4489c9fa374fb34ed7235b3bb9f3b371cd73dc2df0e7fd62177e6fd2d04

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\install.rdf

MD5 1442ade458da5752ea35c58206764775
SHA1 ad8316e9965ffc404e5ffd9f0bb0d82243b728d4
SHA256 626aa501a9a50729068ef58a774397628b46b9ad4a4570cf2f91e0d6f231689a
SHA512 1fc43d5d39a82782d59044ea2c4011f0bc5d7e279f11a4084f197011f2127f6c586e321ce83312787b12c5f6a6e937a834ea340ba64c3a15680b6295737c8baf

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\indexeddb.js

MD5 19e0f42e8bceeba74d39a0cbead3df83
SHA1 7ca305d3462d6cb85c2478eef501477499297f75
SHA256 111f9d48061de86a5a1b0145887c99db074170551e52de69ad3634c410535e73
SHA512 4e8dcc60627ff1cbfb3cfb2734ef006dc32903d7679f24fb2f29649f3780f85e57c69a6a1fd998217313a5aee0034b1457901cfbd9b8e702aae3681ff8acd349

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\lsdb.js

MD5 eb8b8a408df9cfe9fbeca4745ebb23e2
SHA1 119d0a46f96b97cf5b8f1a2d92b66586fc1dc1ce
SHA256 5643ba43c90dea2d29c115745c84bd4d86d73a7dd8ad99f8e0e9615962354b1c
SHA512 081d7ce49011cb9268ab64513563b3421f83f8545ba57e4ca54b1ef587a04a171dd8defc0b011c9c84c65bd007fe61ecff18b0a4f1630432c69e141624f51b31

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\jsext.js

MD5 2aa955aacb11ceccb9a0aa1381ce126f
SHA1 a8f6543f1eccabcb333fcb426879024efdd8061a
SHA256 8ba41aba22be9229e058f7ffca3589b8ddef5f38224ba6e3bebbf9273ee97c8f
SHA512 822bce2d8e17350398b736b9d01dc9c430891907e7f32beb0b1e9b0d54e3c3c81623c3e79971ec27a3803142ed6668aa087749ed3081e267cae7cbbd213f3590

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\sqlite.js

MD5 62a2769928891fa0e0bf60e3b40bdc9e
SHA1 0f437dd6309149553ac923dfb944bf402c30daf3
SHA256 9dce23fa4c14ce5068cd6802a762349a906104b01657cdd065266f1db7a74828
SHA512 75641daad7f6a2aa51d1462d9df14fe9df00b8be1804b37b05d57d77104ed47d83bd1f885502f34dc22b859095fe248a2f332f8a3c5ba60161d5327244255df3

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\prfdb.js

MD5 502a6fb4e487e3d06528e64514a03740
SHA1 a2d27fc6eb8c405a93af2f558ed25c94b100538a
SHA256 a313d72a11761a1b1577f430cde46b2bd3309fb676166477c26e9947d236b600
SHA512 94ddbc8219bdbe597f10b2adeee165ca19e33f06e3bf3f0df6f5ae25281e7b6cd4dd3855ed23cf013902714bd2ddd6ef7775997b48ab4abc0b58c632797977f5

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\wx.xul

MD5 0a64b40d393314f14887729203ee5d8e
SHA1 e0029b3c941fc7d6138e58f9636c82b8e0b59914
SHA256 166df273a239b7c6a38d2a58529ad52b818b2d5e3f912b4f422e3bd2ba9ad8f5
SHA512 2cd1b13ba1918fbf8c5729d3a067098fd61776042058e74b4f4dcc4aa57a9019cf987cbd33652b6cb8cf1e6c3930913e63afb00b0cbede02175ace74eedcef74

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\ipiebcfbondngialdnodbhlblnfcmjlb.crx

MD5 09afc5e327895324dedd30d0f64e0cc0
SHA1 f660a9914a6b14e5984da6275be9eeb91d3eefed
SHA256 fa64f32866ab7ce1a1757d4053923f4d81172cb729381567d383b5ea478b222b
SHA512 6fc5bd7e8f39ccc34897f849c45f9f84369d643da6cdb3250ae1246c3d10d9a6d88cca9d06b740294985762995aa3b03eb1dedef731803aa2a133c9b2a098635

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\background.html

MD5 22a1047c53d6729ed5797c8d3bca7db9
SHA1 d8ff6cf8b60c4a43966b15b5c895f8ac9b3c8956
SHA256 c0f8bf017be4fac9c8abafccb32be858fe693b391e92fd34f2f521fdb938ed10
SHA512 f392c4f3a9ae9040d4a92ac84281e6ee3c1b4d38087dfeaff945e251b8e78d53a852e1e757f06b158c894a9406cc0d208271f6bb212f5e3d087ca463848afaa7

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\content.js

MD5 7704e1ce318308964e7bf65def5fe280
SHA1 eb0ec96f5e095ef73f18d056e48801ec4026d65c
SHA256 6d9673b2ca073f11026954e95f069fbb37bea3019042c5ca2e1c3678755428b9
SHA512 4d9bea9df9bf7d0e29277121430145afebbfa1840f2f5ce03ed940dde3f7bceebc76799aab60ee4d0d4e60a190c8f65b5515d40f95e15c4115f77438c629d7d8

C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\wxDfast\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 04:04

Reported

2024-06-22 04:06

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{2516C490-141C-18E1-C995-F38DE768796D}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{2516C490-141C-18E1-C995-F38DE768796D}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} = "1" C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe

.\setup.exe /s

Network


Files

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\indexeddb.js

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\jquery.js

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\jsext.js

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\sqlite.js

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\prfdb.js

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\lsdb.js

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\wx.xul

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\ipiebcfbondngialdnodbhlblnfcmjlb.crx

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\background.html

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\content.js

C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\bhoclass.dll

C:\ProgramData\wxDfast\uninstall.exe
