Malware Analysis Report

2025-01-18 22:03

Sample ID 240622-et34xs1fpn
Target 0135c48527197782379b1883714a4781_JaffaCakes118
SHA256 a6f6584bd921c8b082bbcf270114b8744e018dfa44271dbae1a9bf88299a81a2
Tags
adware discovery spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

a6f6584bd921c8b082bbcf270114b8744e018dfa44271dbae1a9bf88299a81a2

Threat Level: Shows suspicious behavior

The file 0135c48527197782379b1883714a4781_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:14

Reported

2024-06-22 04:17

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ = "ADDICT-THING Class" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} = "1" C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\settings.ini

MD5 3e68615f51ff2f1fad46dd3e8f213d70
SHA1 4d84e3edceee39d085568bfd6fa52b2afe5a783b
SHA256 5b25affd1552cbf08c2963d7569a57629ec900abe39644f17a885893924e2530
SHA512 e60d0b5d228845d25fb40afdbda3f7df5d89231696de916c9fef770ac1efa650867fd6670a4150385e0502cfd9de047b4a10f6f5db2d7a1ba00711cc78f22018

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\chrome.manifest

MD5 43bc5945ad380b6e101ac5390bf15a6e
SHA1 9f0153aaa5ca56595407887f62d33ed3c77f41b8
SHA256 363caef3f0d4b15dab06dcde0c29c02ac9bc9f0f4dc8c433431f775f13877304
SHA512 b6a4c236bbb393e65851172143569662415a5e18809ddc1da061fcb1f1714b3c6b3fec095cee100fb7a1a39d297703fa1e0e93f48b378430e7fdedfeaadb2525

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\install.rdf

MD5 b9056bcb894671174b4a8e0d0c899084
SHA1 e7299c0437bb78d1a0430e5c1afe5f1ee43cb995
SHA256 5eb3203f84321daeac7a41ee77c1a1584ff29636fbec5af4181ec989fd2d97c0
SHA512 f3a39eff150d4ff9c8e600d9eaf5b264ee59bae98ba8e555ef9217f9f4fc102f6b3e3769be9c8bb1a764ca837b805500e3ab2ce79769f549de52434deaf9789b

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\indexeddb.js

MD5 336184274f05d57426b8583e0ed2fb75
SHA1 3f3f3a561a54e650abfcb7d8f57a859a0681ac96
SHA256 df67bd18adfb5efcb2a47239b7e286505134645a34e4e0ffb967009e95bce28d
SHA512 3360e0834ead589fd477c1fbabfca67bed1a20fe56edca262922f4ddaf8cc5f226387d7b01bb021e7c28b5bb7cbb8c158ceced9f42c15e172c2d3bd6e9c4fc79

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\jsext.js

MD5 586219e06146e5db7df0bce14a2de362
SHA1 0275bdc1fe696c5420b0e262e07241cd7d43f6c1
SHA256 15467a69edc725b052c54276e9a11a4696c7be20577986cff0668ddbedb8b315
SHA512 76d9bc663fe80e4c6235b3d98951bf84c430e6f8d4fc38da1f2d965752ee0c7c49056744a6610d0fe27d6937ce2e609afb4f24ea4c61a7e2f145f222d66d1505

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\lsdb.js

MD5 78249a06c9959e8436a845918dc2597d
SHA1 85a0bf1260091e0946068669d93649e6da8f4934
SHA256 dfc6392b06ea9b65a0f49aebe64bf8b4b4a4f5bb0a724a2563c34e82712f38f8
SHA512 9aa5a3e3e19085da07f1fea55980e02ba0f2dddd3c32827a0831d87c17a1c9cadaf380cfcdf123bee324f32a36d4e24a8ffb25c22869a6749f9c1b7a1b99a6ca

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\prfdb.js

MD5 1c6557ae38f8e7b08e3cda9f2e89ab9b
SHA1 0e8f5a98b7a8a3d1dff9b511763cc6d3f4c18432
SHA256 f5b015d5cba94650aeec0a546443c0be101c7ff3a8727597a1be0991fbc2b9b0
SHA512 9c0bb8197a2bb2773fec1df02bf12d8a225fb402135390fd4aebf16b4be78853ec493574c91c748d18179c89a66ee8e9cf3dca7da208625fe457bf6cf16ac0bc

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\sqlite.js

MD5 12ae5bdfd63ae3b5be8cd5e7e652ede4
SHA1 3723d53586e9dd8b9af6e351c5ebe068a32264e7
SHA256 7f51f12e9ebc536a0d52d077b20c34095b302e931355eb6209edf74ddfe77bc2
SHA512 7b1b4a4ff5a23a1b7ad687f401142d9fa6986538b9723b406452fa7df0cb37472c9db8bf05e2e7f2e9ee94f08f9b8a167cebca517a1796b81a423f45ef828497

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\[email protected]\content\wx.xul

MD5 054e38a6c0ab0e38fc6281c1da74b31a
SHA1 0edbdad65bed2cfba201d3601b8306dd5cfc406f
SHA256 2f9f1d95053c500781d0dd379131d938aca423f416b20bc31a95e70dd62c7d12
SHA512 bb6b3800aef9bfb0741a6c2790eec18cad076c1a915b81147bd26734543438bebc9fbb34218ad7e0c3f515d58aedc2089d151591537be11a3d25e4655a3a5955

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\dlgljkchnfenhlljfgolldnikejccfdm.crx

MD5 e4d51a89e3b3f82286e08bfe03dedf9e
SHA1 75c2d1360fd1c663cd13e09236b00ab8299e54a0
SHA256 303bad3e8cf34db3d84388c0d6aca01346a752af709ded0fcc6a991e77264263
SHA512 c9ae06af97240f50699d11883b4daead3e21240fdd7d763e4d88fcd3d8bdcdec3bdccd95a7d418d3d8587685cdda7fd5c3668a0f225b205e6ecec4601070582c

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\background.html

MD5 9cb38b3284855e7ac7e7dbf782f8b22d
SHA1 d9b56b06f7599dd305ee205284f9bc3e3857ca7e
SHA256 f6357889e60d1c2603623f17b444e7357abdeab269c04a3d61604b31d087b128
SHA512 47d1fdb26fafdd0d25d9f5285361ea19ccd54e1f0b72496bd92369fc41bccf3957d73d78abe5fc797f13e3f6cac6bd18cda954737a1345773781212b9e48dd17

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\content.js

MD5 787030145bc939bb27ebac987da1ffc7
SHA1 158b1408dcd7d9870862f5e0e306c1b042802213
SHA256 c0d9bff43fee3a322c2b2cd0b8355de88a82b900f12e3582471466b43d788618
SHA512 9daec765159abc87e5a2a8f32210a5db8f06806b7acdcf8f02999d809f04f9de446aceb08de1aebab5a981aea4823080d1afd08da336249cb9ab7da5b8d2bd4c

C:\Users\Admin\AppData\Local\Temp\7zS1EA8.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\ADDICT-THING\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 04:14

Reported

2024-06-22 04:17

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ = "ADDICT-THING Class" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{599CBF53-1CF8-0D50-8972-FEE08A0BB24A} = "1" C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0135c48527197782379b1883714a4781_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe

.\setup.exe /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\indexeddb.js

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\jquery.js

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\jsext.js

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\lsdb.js

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\sqlite.js

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\prfdb.js

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\[email protected]\content\wx.xul

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\dlgljkchnfenhlljfgolldnikejccfdm.crx

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\background.html

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\content.js

C:\Users\Admin\AppData\Local\Temp\7zS3856.tmp\bhoclass.dll

C:\ProgramData\ADDICT-THING\uninstall.exe
