Analysis Overview
SHA256
e31f2d521f8db31593b2e172b8114d652431dbd805c4858be48a2fb1c3eff190
Threat Level: Shows suspicious behavior
The file 01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious use of WriteProcessMemory
System policy modification
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 10:46
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 10:46
Reported
2024-06-22 10:49
Platform
win7-20240508-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{FEE57720-D716-0E84-6C04-A4BB0103A02F}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FEE57720-D716-0E84-6C04-A4BB0103A02F}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ = "DownloadnSave Class" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\settings.ini
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\[email protected]\content\zy.xul
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\hamncannohokcjblaabkkcjoeifkljcp.crx
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\background.html
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\content.js
C:\Users\Admin\AppData\Local\Temp\7zS1FC0.tmp\bhoclass.dll
C:\ProgramData\DownloadnSave\uninstall.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 10:46
Reported
2024-06-22 10:49
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
157s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEE57720-D716-0E84-6C04-A4BB0103A02F} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ = "DownloadnSave Class" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FEE57720-D716-0E84-6C04-A4BB0103A02F}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{FEE57720-D716-0E84-6C04-A4BB0103A02F}" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1480 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe |
| PID 1480 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe |
| PID 1480 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FEE57720-D716-0E84-6C04-A4BB0103A02F} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01bbf8556e2cf8d450c793874dd28e14_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe
.\setup.exe /s
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\settings.ini
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\[email protected]\content\zy.xul
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\hamncannohokcjblaabkkcjoeifkljcp.crx
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\background.html
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\content.js
C:\Users\Admin\AppData\Local\Temp\7zS10F3.tmp\bhoclass.dll
C:\ProgramData\DownloadnSave\uninstall.exe