Analysis Overview
SHA256
48034a15314bf420b95509967546fd6e4359354d158b42311503d249e7f909ce
Threat Level: Shows suspicious behavior
The file 01817d434f8e1e783abb20e4af3356fe_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 05:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 05:31
Reported
2024-06-22 05:34
Platform
win7-20240611-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01817d434f8e1e783abb20e4af3356fe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ProgID\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\VersionIndependentProgID\ = "bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ = "ADDICT-THING Class" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01817d434f8e1e783abb20e4af3356fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01817d434f8e1e783abb20e4af3356fe_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\setup.exe
| MD5 | 4ccf1a317aa8539c857835e4ebe9c806 |
| SHA1 | 223b73d09d7398f40aff3ccc569e66cae3886ee9 |
| SHA256 | 4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242 |
| SHA512 | ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312 |
\Users\Admin\AppData\Local\Temp\nsd9FE8.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\settings.ini
| MD5 | 74355684e4ceaf4db05039778acb0517 |
| SHA1 | b142a7c0eec0fea5d4d1209a561154d3d2185402 |
| SHA256 | 4a28613e3e46fc1f25d4bd5b800482dd307f9d975ae1eb20a2fbc3e8e66d6140 |
| SHA512 | 0010ffd3b1a525e620a1ccdd10d40a56c88a0924028cb6ec45c24fe1e99ebd3507ebab03ce5fa06893cab2387bff3af488590d42aa915282a106970de8678ef5 |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\[email protected]\bootstrap.js
| MD5 | f0ded83c97e0190109bc35e59c3a86a3 |
| SHA1 | 8ba0d099b3ae07ed479f45000f422f78a579254f |
| SHA256 | 9301e5cd5c9018835f5656cdbc01e62968d2cdc305f4230fdd2b12e256463484 |
| SHA512 | 6a437fc06c2db07568606e8a9561f51e6d038d8afb2c05608167e42c5c134290d96a8be80851b01175e579f07685dc49ac1921f497f2f384670ccb24a1cbbb52 |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\[email protected]\chrome.manifest
| MD5 | b98ae8a75009b854f55ef682cb0e2ba1 |
| SHA1 | 1594ec59eca25e3c04d2251f20d9b45c54d18997 |
| SHA256 | f9f9583b1d173f5dac1b6597672405c4d0d9de5df7e05908167493b04f13c36d |
| SHA512 | d063401b7b06fdbbe5823338e1c0659c151c3a472b318eeb33b9822314e1afdb9d27c71a111ccf006033385e77eef93c952977eaaac17651ced243ea315101e7 |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\[email protected]\install.rdf
| MD5 | 45197aeca36bc6e12797a92a60603fe7 |
| SHA1 | 94fc8d7085f39e8fdef979cf0bf954844f2b9367 |
| SHA256 | a8e551e079d8f0e2659911e28a03a21b88be25e484940bc200cfdc58945730dc |
| SHA512 | f5b332b5a50eee4f4474d2eade31cacc3714d7a59522ddce19309e9c2ebfc1a2a27bda52c5ef452207ef73d36706464aeb154ef636ca0e3ec7de3e6a252ebc79 |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\[email protected]\content\bg.js
| MD5 | 048c5bc01adbca941e7930529e1b0b6c |
| SHA1 | 7c21e484b72c5f4f1655a1441497a17fbd94c0e0 |
| SHA256 | 7b6c2ea19bae4867a8e9b5d3634d528a3e482aa8ccf2a4d1668bf77f0bb82f4b |
| SHA512 | b7286a73676b32067ce9e62b7e107dd1a7d6a80658e56a6bdb529195e449f2b94633c090dca42f76d0042039598d3117be73ba11e66cab17bc1d89907694e798 |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\[email protected]\content\zy.xul
| MD5 | 8a4725679990933c263ac4502398c003 |
| SHA1 | 58c37907d57bed05d0ea1a43f855d989b98e2ed8 |
| SHA256 | e6b6c7d7fb4c63f30e1756e481c8e8b8d2ccc64a6363e4bd4d48fcd584278fa3 |
| SHA512 | db16254a4cae92717b56d6bd8336d869261d3696c88ca2870dc811b3b5afa7a20f1869f91d239da6489a30d73758f9b2964a5338d9d9754b1ac7ee957308560a |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\loeonbgkblbgcncgmpljmokoeekfjgji.crx
| MD5 | 61f449000067a37b23f85c92dd6b398d |
| SHA1 | f12e62d0c59901b5a99ba3c25d664e95d4495e23 |
| SHA256 | a8c1a78aeddc8c06b4afce207fa998708e2675daadd501ec1da7c86fa882938b |
| SHA512 | 6a87e9824a29d0aacee617ebec223a4423b65f637dc9bf752ccb49e0cc2657a2f2aebda6aec5edc6b9fe24f7aceaab4086346cd2cd9a43020e9835603b71e012 |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\background.html
| MD5 | ccb85768293ee94450d0390ec00a7237 |
| SHA1 | 9f4160b6b62a511a50e37a920b8dd968162b8e80 |
| SHA256 | 0d650f670719c677af59aa572ad945e22479a06790ae9ebe070c4055d12d24b7 |
| SHA512 | 834e98f21437c82ee8f986b2e57221190befd305a52f0550381fe9cf13c87d2160f85f39a02ad1fe683fcf455e1cfc0367e680cc0c4ce23fd320ad16f67b9943 |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\content.js
| MD5 | 230873b3e26beeabab1ad7b1b05a5332 |
| SHA1 | 25b4fa02de74dc12e3ce01e7e2691911af0e157a |
| SHA256 | 47461770edd7107133ee92b610297bc66a8314d8fb909853ee3ae3d389fbd011 |
| SHA512 | dae3ad9433caf8185a0514a8b186a6c37a0ee79cf2f2b3e573dcfe8ea028eb324182883ca1670c51ad4cc1cf576abd983809f61adf7ace4caba4b87ca344ddae |
C:\Users\Admin\AppData\Local\Temp\7zS9DC5.tmp\bhoclass.dll
| MD5 | 474a025909c75c607905b9e2cae8a56f |
| SHA1 | 83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e |
| SHA256 | 25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f |
| SHA512 | 29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1 |
C:\ProgramData\ADDICT-THING\uninstall.exe
| MD5 | a724dac649142fef71fe4b529684e969 |
| SHA1 | e2878e84886ec53a1332ad969a825062526b5cd4 |
| SHA256 | b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc |
| SHA512 | 9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 05:31
Reported
2024-06-22 05:34
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ProgID\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\ = "ADDICT-THING Class" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF}\VersionIndependentProgID\ = "bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4960 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\01817d434f8e1e783abb20e4af3356fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe |
| PID 4960 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\01817d434f8e1e783abb20e4af3356fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe |
| PID 4960 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\01817d434f8e1e783abb20e4af3356fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9E0DC8C6-1FE0-0F1E-C5BE-C6DC57FBADEF} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01817d434f8e1e783abb20e4af3356fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01817d434f8e1e783abb20e4af3356fe_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\setup.exe
| MD5 | 4ccf1a317aa8539c857835e4ebe9c806 |
| SHA1 | 223b73d09d7398f40aff3ccc569e66cae3886ee9 |
| SHA256 | 4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242 |
| SHA512 | ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312 |
C:\Users\Admin\AppData\Local\Temp\nsc322D.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\settings.ini
| MD5 | 74355684e4ceaf4db05039778acb0517 |
| SHA1 | b142a7c0eec0fea5d4d1209a561154d3d2185402 |
| SHA256 | 4a28613e3e46fc1f25d4bd5b800482dd307f9d975ae1eb20a2fbc3e8e66d6140 |
| SHA512 | 0010ffd3b1a525e620a1ccdd10d40a56c88a0924028cb6ec45c24fe1e99ebd3507ebab03ce5fa06893cab2387bff3af488590d42aa915282a106970de8678ef5 |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\[email protected]\bootstrap.js
| MD5 | f0ded83c97e0190109bc35e59c3a86a3 |
| SHA1 | 8ba0d099b3ae07ed479f45000f422f78a579254f |
| SHA256 | 9301e5cd5c9018835f5656cdbc01e62968d2cdc305f4230fdd2b12e256463484 |
| SHA512 | 6a437fc06c2db07568606e8a9561f51e6d038d8afb2c05608167e42c5c134290d96a8be80851b01175e579f07685dc49ac1921f497f2f384670ccb24a1cbbb52 |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\[email protected]\chrome.manifest
| MD5 | b98ae8a75009b854f55ef682cb0e2ba1 |
| SHA1 | 1594ec59eca25e3c04d2251f20d9b45c54d18997 |
| SHA256 | f9f9583b1d173f5dac1b6597672405c4d0d9de5df7e05908167493b04f13c36d |
| SHA512 | d063401b7b06fdbbe5823338e1c0659c151c3a472b318eeb33b9822314e1afdb9d27c71a111ccf006033385e77eef93c952977eaaac17651ced243ea315101e7 |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\[email protected]\install.rdf
| MD5 | 45197aeca36bc6e12797a92a60603fe7 |
| SHA1 | 94fc8d7085f39e8fdef979cf0bf954844f2b9367 |
| SHA256 | a8e551e079d8f0e2659911e28a03a21b88be25e484940bc200cfdc58945730dc |
| SHA512 | f5b332b5a50eee4f4474d2eade31cacc3714d7a59522ddce19309e9c2ebfc1a2a27bda52c5ef452207ef73d36706464aeb154ef636ca0e3ec7de3e6a252ebc79 |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\[email protected]\content\bg.js
| MD5 | 048c5bc01adbca941e7930529e1b0b6c |
| SHA1 | 7c21e484b72c5f4f1655a1441497a17fbd94c0e0 |
| SHA256 | 7b6c2ea19bae4867a8e9b5d3634d528a3e482aa8ccf2a4d1668bf77f0bb82f4b |
| SHA512 | b7286a73676b32067ce9e62b7e107dd1a7d6a80658e56a6bdb529195e449f2b94633c090dca42f76d0042039598d3117be73ba11e66cab17bc1d89907694e798 |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\[email protected]\content\zy.xul
| MD5 | 8a4725679990933c263ac4502398c003 |
| SHA1 | 58c37907d57bed05d0ea1a43f855d989b98e2ed8 |
| SHA256 | e6b6c7d7fb4c63f30e1756e481c8e8b8d2ccc64a6363e4bd4d48fcd584278fa3 |
| SHA512 | db16254a4cae92717b56d6bd8336d869261d3696c88ca2870dc811b3b5afa7a20f1869f91d239da6489a30d73758f9b2964a5338d9d9754b1ac7ee957308560a |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\loeonbgkblbgcncgmpljmokoeekfjgji.crx
| MD5 | 61f449000067a37b23f85c92dd6b398d |
| SHA1 | f12e62d0c59901b5a99ba3c25d664e95d4495e23 |
| SHA256 | a8c1a78aeddc8c06b4afce207fa998708e2675daadd501ec1da7c86fa882938b |
| SHA512 | 6a87e9824a29d0aacee617ebec223a4423b65f637dc9bf752ccb49e0cc2657a2f2aebda6aec5edc6b9fe24f7aceaab4086346cd2cd9a43020e9835603b71e012 |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\background.html
| MD5 | ccb85768293ee94450d0390ec00a7237 |
| SHA1 | 9f4160b6b62a511a50e37a920b8dd968162b8e80 |
| SHA256 | 0d650f670719c677af59aa572ad945e22479a06790ae9ebe070c4055d12d24b7 |
| SHA512 | 834e98f21437c82ee8f986b2e57221190befd305a52f0550381fe9cf13c87d2160f85f39a02ad1fe683fcf455e1cfc0367e680cc0c4ce23fd320ad16f67b9943 |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\content.js
| MD5 | 230873b3e26beeabab1ad7b1b05a5332 |
| SHA1 | 25b4fa02de74dc12e3ce01e7e2691911af0e157a |
| SHA256 | 47461770edd7107133ee92b610297bc66a8314d8fb909853ee3ae3d389fbd011 |
| SHA512 | dae3ad9433caf8185a0514a8b186a6c37a0ee79cf2f2b3e573dcfe8ea028eb324182883ca1670c51ad4cc1cf576abd983809f61adf7ace4caba4b87ca344ddae |
C:\Users\Admin\AppData\Local\Temp\7zS3180.tmp\bhoclass.dll
| MD5 | 474a025909c75c607905b9e2cae8a56f |
| SHA1 | 83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e |
| SHA256 | 25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f |
| SHA512 | 29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1 |
C:\ProgramData\ADDICT-THING\uninstall.exe
| MD5 | a724dac649142fef71fe4b529684e969 |
| SHA1 | e2878e84886ec53a1332ad969a825062526b5cd4 |
| SHA256 | b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc |
| SHA512 | 9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3 |