Analysis Overview
SHA256
4bfa0ddc203d027a70f79e94cadf2c9f5e320c6237dfd4642b5fe0018b569e20
Threat Level: Shows suspicious behavior
The file 012d90adf885aa8124938bb9c383fbb4_JaffaCakes118 shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious use of WriteProcessMemory
Modifies registry class
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 04:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 04:04
Reported
2024-06-22 04:06
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{2516C490-141C-18E1-C995-F38DE768796D}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{2516C490-141C-18E1-C995-F38DE768796D}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
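The BHO, "Modifies registry class" and "System policy modification" tables above describe one persistence chain rather than three unrelated events: setup.exe (run silently as `.\setup.exe /s` from the 7zS12F4.tmp extraction directory) registers CLSID {2516C490-141C-18E1-C995-F38DE768796D} as an in-process COM server whose InprocServer32 is C:\ProgramData\wxDfast\bhoclass.dll, lists that CLSID under Explorer\Browser Helper Objects with NoExplorer = 1 (load in Internet Explorer only, not in Windows Explorer), and writes Policies\Ext\CLSID\{CLSID} = "1", the add-on management policy that marks the add-on as pre-approved so Internet Explorer does not prompt the user. The registered names (TypeLib "Injector 1.0 Type Library", interface "IInjectorBHO") say more about intent than the DLL name does. The script below is an added example, not part of the sandbox output; ROWS is copied from the behavioral1 tables (behavioral2 writes the same keys under WOW6432Node). Because the report lists registry operations unordered, the script does not replay create/delete events: it keeps every value written and separately reports which of the relevant keys also appear as deleted, so the final state must be confirmed on a live host. The trusted-directory check is a heuristic of this example and assumes a default C: installation.

```python
"""Reconstruct the BHO persistence chain from a sandbox report's registry rows.

Added example, not sandbox output. ROWS is copied from the behavioral1 tables.
Operations are listed unordered by the report, so nothing here replays events.
"""
import re

ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe | N/A |
"""

NT_HKLM = "\\registry\\machine\\"
POLICY_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\ext\\clsid"
BHO_RE = re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\explorer"
                    r"\\browser helper objects\\(\{[0-9a-f-]{36}\})$")
# Heuristic of this example (assumes a default C: install): a BHO's COM server
# normally lives under one of these; ProgramData/AppData/Temp are worth a look.
TRUSTED_DIRS = ("c:\\program files", "c:\\windows\\")


def canon(key):
    """Lower-case, turn the NT prefix into HKLM and drop the WOW64 node so the
    32-bit and 64-bit views of one COM registration compare equal."""
    k = key.strip().lower()
    if k.startswith(NT_HKLM):
        k = "hklm\\" + k[len(NT_HKLM):]
    return k.replace("\\wow6432node\\", "\\")


def parse_rows(text):
    """Parse '| op | indicator | process | target |' rows into (values, created,
    deleted); values maps (key, value_name) -> data, '' being the default value."""
    values, created, deleted = {}, set(), set()
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        op, indicator = cells[0], cells[1]
        if op.startswith("Set value"):
            left, _, data = indicator.rpartition(' = "')
            key, _, name = left.rpartition("\\")  # trailing '\' -> default value
            # the report doubles backslashes inside string data; undo that
            values[(canon(key), name.lower())] = data.rstrip('"').replace("\\\\", "\\")
        elif op == "Key created":
            created.add(canon(indicator))
        elif op == "Key deleted":
            deleted.add(canon(indicator))
    return values, created, deleted


def bho_chain(values, created, deleted):
    """For each CLSID listed as a BHO: its COM server DLL, the IE-only flag, and
    whether Policies\\Ext\\CLSID pre-approves it (suppresses the add-on prompt)."""
    out = []
    for key in sorted(set(created) | {k for k, _ in values}):
        m = BHO_RE.match(key)
        if not m:
            continue
        clsid = m.group(1)
        clsid_key = "hklm\\software\\classes\\clsid\\" + clsid
        dll = values.get((clsid_key + "\\inprocserver32", ""), "")
        out.append({
            "clsid": clsid.upper(),
            "name": values.get((key, "")),
            "noexplorer": values.get((key, "noexplorer")) == "1",
            "dll": dll,
            "threading": values.get((clsid_key + "\\inprocserver32", "threadingmodel")),
            "progid": values.get((clsid_key + "\\progid", "")),
            "preapproved": values.get((POLICY_KEY, clsid)) == "1",
            "dll_outside_trusted_dirs": bool(dll) and not dll.lower().startswith(TRUSTED_DIRS),
            # unordered listing: a key that was also deleted needs a live-host check
            "deleted_during_run": sorted(k for k in (key, clsid_key) if k in deleted),
        })
    return out


def com_names(values):
    """Friendly names of registered type libraries and interfaces."""
    typelibs = sorted(v for (k, n), v in values.items()
                      if n == "" and "\\classes\\typelib\\" in k and k.count("\\") == 5)
    interfaces = sorted(v for (k, n), v in values.items()
                        if n == "" and "\\classes\\interface\\" in k and k.count("\\") == 4)
    return {"typelibs": typelibs, "interfaces": interfaces}


def triage(text=ROWS):
    values, created, deleted = parse_rows(text)
    return {"bhos": bho_chain(values, created, deleted), **com_names(values)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run stand-alone it prints one BHO entry: CLSID {2516C490-141C-18E1-C995-F38DE768796D}, name wxDfast, DLL C:\ProgramData\wxDfast\bhoclass.dll (outside the trusted directories), NoExplorer and pre-approval both set, and both the BHO key and the CLSID key flagged as also deleted during the run. Feed it the behavioral2 rows instead and the WOW6432Node spelling differences disappear in `canon`, giving the same result.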
Processes
C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\settings.ini
| MD5 | 85225ffcca852362ddfa27194bfd6261 |
| SHA1 | 5225731d17e11e2f07c8b4799362b45ae0f3c651 |
| SHA256 | eefd2bd9687ed7f1e50c53e287a17bf7390e71a2143609e449b5c9ea0f3e82ca |
| SHA512 | dbf17b4829f194109b3a9d4d2358435b4308fe37626a2278424325a869aa08ed47de8fccdf142f527dd58136e2b1d96918b77bed44d2300231bc743d5171344e |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\chrome.manifest
| MD5 | 1bfe7a3f23c9033296a43ae93ed1dc52 |
| SHA1 | 529b026b23a17d7afce3cb97d21de89aa3d8121b |
| SHA256 | 413edeb3cf47bc32533adb14ac16dbd098dbc8b847ad20b050f61b368d137a64 |
| SHA512 | 73e50ec2ef83694de3cb2763f825a95f0c13f2d1070d31d7d7eb2ce3f5cfe6817a38a4489c9fa374fb34ed7235b3bb9f3b371cd73dc2df0e7fd62177e6fd2d04 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\install.rdf
| MD5 | 1442ade458da5752ea35c58206764775 |
| SHA1 | ad8316e9965ffc404e5ffd9f0bb0d82243b728d4 |
| SHA256 | 626aa501a9a50729068ef58a774397628b46b9ad4a4570cf2f91e0d6f231689a |
| SHA512 | 1fc43d5d39a82782d59044ea2c4011f0bc5d7e279f11a4084f197011f2127f6c586e321ce83312787b12c5f6a6e937a834ea340ba64c3a15680b6295737c8baf |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\indexeddb.js
| MD5 | 19e0f42e8bceeba74d39a0cbead3df83 |
| SHA1 | 7ca305d3462d6cb85c2478eef501477499297f75 |
| SHA256 | 111f9d48061de86a5a1b0145887c99db074170551e52de69ad3634c410535e73 |
| SHA512 | 4e8dcc60627ff1cbfb3cfb2734ef006dc32903d7679f24fb2f29649f3780f85e57c69a6a1fd998217313a5aee0034b1457901cfbd9b8e702aae3681ff8acd349 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\lsdb.js
| MD5 | eb8b8a408df9cfe9fbeca4745ebb23e2 |
| SHA1 | 119d0a46f96b97cf5b8f1a2d92b66586fc1dc1ce |
| SHA256 | 5643ba43c90dea2d29c115745c84bd4d86d73a7dd8ad99f8e0e9615962354b1c |
| SHA512 | 081d7ce49011cb9268ab64513563b3421f83f8545ba57e4ca54b1ef587a04a171dd8defc0b011c9c84c65bd007fe61ecff18b0a4f1630432c69e141624f51b31 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\jsext.js
| MD5 | 2aa955aacb11ceccb9a0aa1381ce126f |
| SHA1 | a8f6543f1eccabcb333fcb426879024efdd8061a |
| SHA256 | 8ba41aba22be9229e058f7ffca3589b8ddef5f38224ba6e3bebbf9273ee97c8f |
| SHA512 | 822bce2d8e17350398b736b9d01dc9c430891907e7f32beb0b1e9b0d54e3c3c81623c3e79971ec27a3803142ed6668aa087749ed3081e267cae7cbbd213f3590 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\sqlite.js
| MD5 | 62a2769928891fa0e0bf60e3b40bdc9e |
| SHA1 | 0f437dd6309149553ac923dfb944bf402c30daf3 |
| SHA256 | 9dce23fa4c14ce5068cd6802a762349a906104b01657cdd065266f1db7a74828 |
| SHA512 | 75641daad7f6a2aa51d1462d9df14fe9df00b8be1804b37b05d57d77104ed47d83bd1f885502f34dc22b859095fe248a2f332f8a3c5ba60161d5327244255df3 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\prfdb.js
| MD5 | 502a6fb4e487e3d06528e64514a03740 |
| SHA1 | a2d27fc6eb8c405a93af2f558ed25c94b100538a |
| SHA256 | a313d72a11761a1b1577f430cde46b2bd3309fb676166477c26e9947d236b600 |
| SHA512 | 94ddbc8219bdbe597f10b2adeee165ca19e33f06e3bf3f0df6f5ae25281e7b6cd4dd3855ed23cf013902714bd2ddd6ef7775997b48ab4abc0b58c632797977f5 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\[email protected]\content\wx.xul
| MD5 | 0a64b40d393314f14887729203ee5d8e |
| SHA1 | e0029b3c941fc7d6138e58f9636c82b8e0b59914 |
| SHA256 | 166df273a239b7c6a38d2a58529ad52b818b2d5e3f912b4f422e3bd2ba9ad8f5 |
| SHA512 | 2cd1b13ba1918fbf8c5729d3a067098fd61776042058e74b4f4dcc4aa57a9019cf987cbd33652b6cb8cf1e6c3930913e63afb00b0cbede02175ace74eedcef74 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\ipiebcfbondngialdnodbhlblnfcmjlb.crx
| MD5 | 09afc5e327895324dedd30d0f64e0cc0 |
| SHA1 | f660a9914a6b14e5984da6275be9eeb91d3eefed |
| SHA256 | fa64f32866ab7ce1a1757d4053923f4d81172cb729381567d383b5ea478b222b |
| SHA512 | 6fc5bd7e8f39ccc34897f849c45f9f84369d643da6cdb3250ae1246c3d10d9a6d88cca9d06b740294985762995aa3b03eb1dedef731803aa2a133c9b2a098635 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\background.html
| MD5 | 22a1047c53d6729ed5797c8d3bca7db9 |
| SHA1 | d8ff6cf8b60c4a43966b15b5c895f8ac9b3c8956 |
| SHA256 | c0f8bf017be4fac9c8abafccb32be858fe693b391e92fd34f2f521fdb938ed10 |
| SHA512 | f392c4f3a9ae9040d4a92ac84281e6ee3c1b4d38087dfeaff945e251b8e78d53a852e1e757f06b158c894a9406cc0d208271f6bb212f5e3d087ca463848afaa7 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\content.js
| MD5 | 7704e1ce318308964e7bf65def5fe280 |
| SHA1 | eb0ec96f5e095ef73f18d056e48801ec4026d65c |
| SHA256 | 6d9673b2ca073f11026954e95f069fbb37bea3019042c5ca2e1c3678755428b9 |
| SHA512 | 4d9bea9df9bf7d0e29277121430145afebbfa1840f2f5ce03ed940dde3f7bceebc76799aab60ee4d0d4e60a190c8f65b5515d40f95e15c4115f77438c629d7d8 |
C:\Users\Admin\AppData\Local\Temp\7zS12F4.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\wxDfast\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 04:04
Reported
2024-06-22 04:06
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{2516C490-141C-18E1-C995-F38DE768796D}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{2516C490-141C-18E1-C995-F38DE768796D}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2516C490-141C-18E1-C995-F38DE768796D}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3560 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe |
| PID 3560 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe |
| PID 3560 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2516C490-141C-18E1-C995-F38DE768796D} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012d90adf885aa8124938bb9c383fbb4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\settings.ini
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\indexeddb.js
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\jquery.js
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\jsext.js
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\sqlite.js
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\prfdb.js
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\lsdb.js
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\[email protected]\content\wx.xul
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\ipiebcfbondngialdnodbhlblnfcmjlb.crx
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\background.html
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\content.js
C:\Users\Admin\AppData\Local\Temp\7zS3A3A.tmp\bhoclass.dll
C:\ProgramData\wxDfast\uninstall.exe