Analysis Overview
SHA256
a6f6584bd921c8b082bbcf270114b8744e018dfa44271dbae1a9bf88299a81a2
Threat Level: Shows suspicious behavior
The file 0135c48527197782379b1883714a4781_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Unsigned PE
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 04:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 04:14
Reported
2024-06-22 04:17
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ = "ADDICT-THING Class" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\settings.ini
| MD5 | 3e68615f51ff2f1fad46dd3e8f213d70 |
| SHA1 | 4d84e3edceee39d085568bfd6fa52b2afe5a783b |
| SHA256 | 5b25affd1552cbf08c2963d7569a57629ec900abe39644f17a885893924e2530 |
| SHA512 | e60d0b5d228845d25fb40afdbda3f7df5d89231696de916c9fef770ac1efa650867fd6670a4150385e0502cfd9de047b4a10f6f5db2d7a1ba00711cc78f22018 |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\chrome.manifest
| MD5 | 43bc5945ad380b6e101ac5390bf15a6e |
| SHA1 | 9f0153aaa5ca56595407887f62d33ed3c77f41b8 |
| SHA256 | 363caef3f0d4b15dab06dcde0c29c02ac9bc9f0f4dc8c433431f775f13877304 |
| SHA512 | b6a4c236bbb393e65851172143569662415a5e18809ddc1da061fcb1f1714b3c6b3fec095cee100fb7a1a39d297703fa1e0e93f48b378430e7fdedfeaadb2525 |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\install.rdf
| MD5 | b9056bcb894671174b4a8e0d0c899084 |
| SHA1 | e7299c0437bb78d1a0430e5c1afe5f1ee43cb995 |
| SHA256 | 5eb3203f84321daeac7a41ee77c1a1584ff29636fbec5af4181ec989fd2d97c0 |
| SHA512 | f3a39eff150d4ff9c8e600d9eaf5b264ee59bae98ba8e555ef9217f9f4fc102f6b3e3769be9c8bb1a764ca837b805500e3ab2ce79769f549de52434deaf9789b |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\indexeddb.js
| MD5 | 336184274f05d57426b8583e0ed2fb75 |
| SHA1 | 3f3f3a561a54e650abfcb7d8f57a859a0681ac96 |
| SHA256 | df67bd18adfb5efcb2a47239b7e286505134645a34e4e0ffb967009e95bce28d |
| SHA512 | 3360e0834ead589fd477c1fbabfca67bed1a20fe56edca262922f4ddaf8cc5f226387d7b01bb021e7c28b5bb7cbb8c158ceced9f42c15e172c2d3bd6e9c4fc79 |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\jsext.js
| MD5 | 586219e06146e5db7df0bce14a2de362 |
| SHA1 | 0275bdc1fe696c5420b0e262e07241cd7d43f6c1 |
| SHA256 | 15467a69edc725b052c54276e9a11a4696c7be20577986cff0668ddbedb8b315 |
| SHA512 | 76d9bc663fe80e4c6235b3d98951bf84c430e6f8d4fc38da1f2d965752ee0c7c49056744a6610d0fe27d6937ce2e609afb4f24ea4c61a7e2f145f222d66d1505 |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\lsdb.js
| MD5 | 78249a06c9959e8436a845918dc2597d |
| SHA1 | 85a0bf1260091e0946068669d93649e6da8f4934 |
| SHA256 | dfc6392b06ea9b65a0f49aebe64bf8b4b4a4f5bb0a724a2563c34e82712f38f8 |
| SHA512 | 9aa5a3e3e19085da07f1fea55980e02ba0f2dddd3c32827a0831d87c17a1c9cadaf380cfcdf123bee324f32a36d4e24a8ffb25c22869a6749f9c1b7a1b99a6ca |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\prfdb.js
| MD5 | 1c6557ae38f8e7b08e3cda9f2e89ab9b |
| SHA1 | 0e8f5a98b7a8a3d1dff9b511763cc6d3f4c18432 |
| SHA256 | f5b015d5cba94650aeec0a546443c0be101c7ff3a8727597a1be0991fbc2b9b0 |
| SHA512 | 9c0bb8197a2bb2773fec1df02bf12d8a225fb402135390fd4aebf16b4be78853ec493574c91c748d18179c89a66ee8e9cf3dca7da208625fe457bf6cf16ac0bc |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\sqlite.js
| MD5 | 12ae5bdfd63ae3b5be8cd5e7e652ede4 |
| SHA1 | 3723d53586e9dd8b9af6e351c5ebe068a32264e7 |
| SHA256 | 7f51f12e9ebc536a0d52d077b20c34095b302e931355eb6209edf74ddfe77bc2 |
| SHA512 | 7b1b4a4ff5a23a1b7ad687f401142d9fa6986538b9723b406452fa7df0cb37472c9db8bf05e2e7f2e9ee94f08f9b8a167cebca517a1796b81a423f45ef828497 |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\wx.xul
| MD5 | 054e38a6c0ab0e38fc6281c1da74b31a |
| SHA1 | 0edbdad65bed2cfba201d3601b8306dd5cfc406f |
| SHA256 | 2f9f1d95053c500781d0dd379131d938aca423f416b20bc31a95e70dd62c7d12 |
| SHA512 | bb6b3800aef9bfb0741a6c2790eec18cad076c1a915b81147bd26734543438bebc9fbb34218ad7e0c3f515d58aedc2089d151591537be11a3d25e4655a3a5955 |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\dlgljkchnfenhlljfgolldnikejccfdm.crx
| MD5 | e4d51a89e3b3f82286e08bfe03dedf9e |
| SHA1 | 75c2d1360fd1c663cd13e09236b00ab8299e54a0 |
| SHA256 | 303bad3e8cf34db3d84388c0d6aca01346a752af709ded0fcc6a991e77264263 |
| SHA512 | c9ae06af97240f50699d11883b4daead3e21240fdd7d763e4d88fcd3d8bdcdec3bdccd95a7d418d3d8587685cdda7fd5c3668a0f225b205e6ecec4601070582c |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\background.html
| MD5 | 9cb38b3284855e7ac7e7dbf782f8b22d |
| SHA1 | d9b56b06f7599dd305ee205284f9bc3e3857ca7e |
| SHA256 | f6357889e60d1c2603623f17b444e7357abdeab269c04a3d61604b31d087b128 |
| SHA512 | 47d1fdb26fafdd0d25d9f5285361ea19ccd54e1f0b72496bd92369fc41bccf3957d73d78abe5fc797f13e3f6cac6bd18cda954737a1345773781212b9e48dd17 |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\content.js
| MD5 | 787030145bc939bb27ebac987da1ffc7 |
| SHA1 | 158b1408dcd7d9870862f5e0e306c1b042802213 |
| SHA256 | c0d9bff43fee3a322c2b2cd0b8355de88a82b900f12e3582471466b43d788618 |
| SHA512 | 9daec765159abc87e5a2a8f32210a5db8f06806b7acdcf8f02999d809f04f9de446aceb08de1aebab5a981aea4823080d1afd08da336249cb9ab7da5b8d2bd4c |
C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\ADDICT-THING\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 04:14
Reported
2024-06-22 04:17
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
104s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ = "ADDICT-THING Class" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 596 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe |
| PID 596 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe |
| PID 596 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\settings.ini
| MD5 | 3e68615f51ff2f1fad46dd3e8f213d70 |
| SHA1 | 4d84e3edceee39d085568bfd6fa52b2afe5a783b |
| SHA256 | 5b25affd1552cbf08c2963d7569a57629ec900abe39644f17a885893924e2530 |
| SHA512 | e60d0b5d228845d25fb40afdbda3f7df5d89231696de916c9fef770ac1efa650867fd6670a4150385e0502cfd9de047b4a10f6f5db2d7a1ba00711cc78f22018 |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\chrome.manifest
| MD5 | 43bc5945ad380b6e101ac5390bf15a6e |
| SHA1 | 9f0153aaa5ca56595407887f62d33ed3c77f41b8 |
| SHA256 | 363caef3f0d4b15dab06dcde0c29c02ac9bc9f0f4dc8c433431f775f13877304 |
| SHA512 | b6a4c236bbb393e65851172143569662415a5e18809ddc1da061fcb1f1714b3c6b3fec095cee100fb7a1a39d297703fa1e0e93f48b378430e7fdedfeaadb2525 |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\install.rdf
| MD5 | b9056bcb894671174b4a8e0d0c899084 |
| SHA1 | e7299c0437bb78d1a0430e5c1afe5f1ee43cb995 |
| SHA256 | 5eb3203f84321daeac7a41ee77c1a1584ff29636fbec5af4181ec989fd2d97c0 |
| SHA512 | f3a39eff150d4ff9c8e600d9eaf5b264ee59bae98ba8e555ef9217f9f4fc102f6b3e3769be9c8bb1a764ca837b805500e3ab2ce79769f549de52434deaf9789b |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\indexeddb.js
| MD5 | 336184274f05d57426b8583e0ed2fb75 |
| SHA1 | 3f3f3a561a54e650abfcb7d8f57a859a0681ac96 |
| SHA256 | df67bd18adfb5efcb2a47239b7e286505134645a34e4e0ffb967009e95bce28d |
| SHA512 | 3360e0834ead589fd477c1fbabfca67bed1a20fe56edca262922f4ddaf8cc5f226387d7b01bb021e7c28b5bb7cbb8c158ceced9f42c15e172c2d3bd6e9c4fc79 |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\jsext.js
| MD5 | 586219e06146e5db7df0bce14a2de362 |
| SHA1 | 0275bdc1fe696c5420b0e262e07241cd7d43f6c1 |
| SHA256 | 15467a69edc725b052c54276e9a11a4696c7be20577986cff0668ddbedb8b315 |
| SHA512 | 76d9bc663fe80e4c6235b3d98951bf84c430e6f8d4fc38da1f2d965752ee0c7c49056744a6610d0fe27d6937ce2e609afb4f24ea4c61a7e2f145f222d66d1505 |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\lsdb.js
| MD5 | 78249a06c9959e8436a845918dc2597d |
| SHA1 | 85a0bf1260091e0946068669d93649e6da8f4934 |
| SHA256 | dfc6392b06ea9b65a0f49aebe64bf8b4b4a4f5bb0a724a2563c34e82712f38f8 |
| SHA512 | 9aa5a3e3e19085da07f1fea55980e02ba0f2dddd3c32827a0831d87c17a1c9cadaf380cfcdf123bee324f32a36d4e24a8ffb25c22869a6749f9c1b7a1b99a6ca |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\sqlite.js
| MD5 | 12ae5bdfd63ae3b5be8cd5e7e652ede4 |
| SHA1 | 3723d53586e9dd8b9af6e351c5ebe068a32264e7 |
| SHA256 | 7f51f12e9ebc536a0d52d077b20c34095b302e931355eb6209edf74ddfe77bc2 |
| SHA512 | 7b1b4a4ff5a23a1b7ad687f401142d9fa6986538b9723b406452fa7df0cb37472c9db8bf05e2e7f2e9ee94f08f9b8a167cebca517a1796b81a423f45ef828497 |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\prfdb.js
| MD5 | 1c6557ae38f8e7b08e3cda9f2e89ab9b |
| SHA1 | 0e8f5a98b7a8a3d1dff9b511763cc6d3f4c18432 |
| SHA256 | f5b015d5cba94650aeec0a546443c0be101c7ff3a8727597a1be0991fbc2b9b0 |
| SHA512 | 9c0bb8197a2bb2773fec1df02bf12d8a225fb402135390fd4aebf16b4be78853ec493574c91c748d18179c89a66ee8e9cf3dca7da208625fe457bf6cf16ac0bc |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\wx.xul
| MD5 | 054e38a6c0ab0e38fc6281c1da74b31a |
| SHA1 | 0edbdad65bed2cfba201d3601b8306dd5cfc406f |
| SHA256 | 2f9f1d95053c500781d0dd379131d938aca423f416b20bc31a95e70dd62c7d12 |
| SHA512 | bb6b3800aef9bfb0741a6c2790eec18cad076c1a915b81147bd26734543438bebc9fbb34218ad7e0c3f515d58aedc2089d151591537be11a3d25e4655a3a5955 |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\dlgljkchnfenhlljfgolldnikejccfdm.crx
| MD5 | e4d51a89e3b3f82286e08bfe03dedf9e |
| SHA1 | 75c2d1360fd1c663cd13e09236b00ab8299e54a0 |
| SHA256 | 303bad3e8cf34db3d84388c0d6aca01346a752af709ded0fcc6a991e77264263 |
| SHA512 | c9ae06af97240f50699d11883b4daead3e21240fdd7d763e4d88fcd3d8bdcdec3bdccd95a7d418d3d8587685cdda7fd5c3668a0f225b205e6ecec4601070582c |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\background.html
| MD5 | 9cb38b3284855e7ac7e7dbf782f8b22d |
| SHA1 | d9b56b06f7599dd305ee205284f9bc3e3857ca7e |
| SHA256 | f6357889e60d1c2603623f17b444e7357abdeab269c04a3d61604b31d087b128 |
| SHA512 | 47d1fdb26fafdd0d25d9f5285361ea19ccd54e1f0b72496bd92369fc41bccf3957d73d78abe5fc797f13e3f6cac6bd18cda954737a1345773781212b9e48dd17 |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\content.js
| MD5 | 787030145bc939bb27ebac987da1ffc7 |
| SHA1 | 158b1408dcd7d9870862f5e0e306c1b042802213 |
| SHA256 | c0d9bff43fee3a322c2b2cd0b8355de88a82b900f12e3582471466b43d788618 |
| SHA512 | 9daec765159abc87e5a2a8f32210a5db8f06806b7acdcf8f02999d809f04f9de446aceb08de1aebab5a981aea4823080d1afd08da336249cb9ab7da5b8d2bd4c |
C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\ADDICT-THING\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |