Malware Analysis Report

2025-01-18 21:54

Sample ID 240622-mt6ttaydrp
Target 01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118
SHA256 e31f2d521f8db31593b2e172b8114d652431dbd805c4858be48a2fb1c3eff190
Tags
adware discovery spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

e31f2d521f8db31593b2e172b8114d652431dbd805c4858be48a2fb1c3eff190

Threat Level: Shows suspicious behavior

The file 01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

System policy modification

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 10:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 10:46

Reported

2024-06-22 10:49

Platform

win7-20240508-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{FEE57720-D716-0E84-6C04-A4BB0103A02F}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FEE57720-D716-0E84-6C04-A4BB0103A02F}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ = "DownloadnSave Class" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} = "1" C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe

MD5 16ef6e914973925977cdc5ef6b8b2565
SHA1 4815da2815975b33f5dc94d482e6dbc02588afa6
SHA256 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f
SHA512 c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\settings.ini

MD5 6e3aece8fb3ed2df1ef1b1360c381e19
SHA1 ad6d1f166d43930300594a82970a38417fe0acb2
SHA256 13197cf89ba7c46e2006ce80b95049a8f7c794f2731de36d1987951e0df35e7a
SHA512 6c711f61e467281c6c1d2819d537f266c00e5fe6e40477c798871fed129d19a3b2ef504b94169041f9125d8233e70f4cbb9e001866a2d4f9eaf3ee392c02e7b3

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\bootstrap.js

MD5 e16c50c73ad0c26bbd7593f325288ea8
SHA1 283626b095dbfd2fa285cc8ddcc104ce994a5a62
SHA256 bba9d13c3738ea9a3541dc9cd59950f0ebac4e73380a7ef0e9a42228346c3d62
SHA512 ac53acc63bdd53ee79648029fde8f00ce982d591de6d98a92303da495af797e9ea8818e2d5e9aed695bc72cd7741366ae992550b1b12db809252acd1729a6b8a

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\install.rdf

MD5 5aae6a5ccf1421490e86d57cec8b8480
SHA1 219cdeb2710d40e24d44d9e0ebbad57574f4401d
SHA256 7fe22e7e174061fd413b0b6c0782c95e06bb3c4b70985eb76e5b94a1f1059ee0
SHA512 6057e3afed9379976a25857c3278185123e4c63c963fa4ff125b7d31386de4bdc6ce8fa07757188f749fe90b5076adc1c90efdbc4d66ee323bad9e23bd132319

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\chrome.manifest

MD5 f11a54ce9cdf419a8f49dbee1635c3d0
SHA1 f10a5c0bbcc328dfec94ba5ab787ceeee4de3bb9
SHA256 4b97b7f0f18e454d26394d548444e2c174978f4f5b723ec7e6b5c54cc192aca4
SHA512 c3882476e3a8a46fc4d142bb754f982aa5caf0a02907db73c3968f9d77b8f06513eac4d4a44201e78f32dbe38d79dd8656c02c00f878f45add41f8ab00376a3b

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\content\bg.js

MD5 4c2dcd0f1fb7b3924da4d77a61f874a0
SHA1 d96359498a58be79387d83a188323aea2eee1600
SHA256 3210e648adff8f4c0c76ae3e6fb8568055a02af5269647e82b38e708b653a742
SHA512 2c758bd981418c9148d7ef169df20f28bc13b7e49db873226d6a010168a7763115ab420c1ab9fc3f87a9c140fec7f80c590c0756684f5c90d20b4f42ad017616

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\content\zy.xul

MD5 a530be27dedd8e52733460f303b7d7f0
SHA1 d526023abc5be88728a75c2d41589292cdba45ee
SHA256 53b11ae5334d137b11a3374ec68820e7b6f18f87a09193bf856d6f8837e7dc6a
SHA512 171d0eef0175e6446c85f899d88522301411c951e2ada130d394dff0c681b0579f4649ae8782cd153f3e1737417d73131ff4ac51e93a3d2d157488978e067d5f

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\hamncannohokcjblaabkkcjoeifkljcp.crx

MD5 db361ffa8d32742fa6dd42a629c26361
SHA1 9f0387aae0fd4ecc717ed097a10505f4902ec5f8
SHA256 d3eb7dedcf5ae5b66cce4e9f1932c985b451019721a2962274c9a159dafd2d42
SHA512 640a60e8a25f422a714eabc15b25ec71cd6fb58be2065cd622d70006f35062717518b6eb869d04819bf55afc3d04bb8d93d23db8762851ce154a748856e38478

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\background.html

MD5 ea0e279c1530122d698ae6884b4ba910
SHA1 24e53a5bc3839cbf4a50cd1824fbc2bb8f2134f0
SHA256 a44a4e9d060fee58a32b62e7a15844b22b0c37febd2d88957f3c6ca74a99eccf
SHA512 907deb47f0634819fe4a4d93dc533c57cebe7390c515c94b152fee0d9d5f019078d1fa8b23a15c201dfa3f55fe9533fd3442f56d0073ed5edb9a4eb97bbd0e4a

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\content.js

MD5 845a451109b51ea8a851c89884a41401
SHA1 94268e5f0f405bcd1856073664cb015c6148680a
SHA256 5ad199429b0530bc4f3ab8bbb326eaf2b6a2652a521e8690df919199ceddede7
SHA512 524c17441609cec8e3439468f9c4a857e14efe955af2f8a726420083dbe25609251235a5485a4517522fb8f58c17203a7d6e7cee9cd67e70b8badbb2498a7c0d

C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\bhoclass.dll

MD5 4b35f6c1f932f52fa9901fbc47b432df
SHA1 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e
SHA256 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196
SHA512 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

C:\ProgramData\DownloadnSave\uninstall.exe

MD5 8be20144dbd200c6de0c9430ed9280cf
SHA1 b81e3aacaaedd66ef0896acabc6983c94758e2b4
SHA256 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6
SHA512 fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 10:46

Reported

2024-06-22 10:49

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ = "DownloadnSave Class" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FEE57720-D716-0E84-6C04-A4BB0103A02F}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{FEE57720-D716-0E84-6C04-A4BB0103A02F}" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} = "1" C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe

.\setup.exe /s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\bootstrap.js

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\content\bg.js

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\content\zy.xul

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\hamncannohokcjblaabkkcjoeifkljcp.crx

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\background.html

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\content.js

C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\bhoclass.dll

C:\ProgramData\DownloadnSave\uninstall.exe
