Analysis Overview
SHA256
8363b65eb9e96f0c7d8ba9c4368132abd17dab5277669a6228133a030b23cab8
Threat Level: Shows suspicious behavior
The file 01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Installs/modifies Browser Helper Object
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
NSIS installer
System policy modification
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 11:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 11:30
Reported
2024-06-22 11:33
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00210972-8906-B481-E5E9-EB9CCE474F50} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00210972-8906-B481-E5E9-EB9CCE474F50}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00210972-8906-B481-E5E9-EB9CCE474F50}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00210972-8906-B481-E5E9-EB9CCE474F50} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{00210972-8906-B481-E5E9-EB9CCE474F50}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{00210972-8906-B481-E5E9-EB9CCE474F50}" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\settings.ini
| MD5 | 5d463e47df1b57181c354ed9950a787a |
| SHA1 | 449de178f85da1a3ff1afb41f301b0fb3cf7bd64 |
| SHA256 | 2d6a78c51794bee3267f278169b7f6d5a9a5fca208dca2cb95118305cfa34d18 |
| SHA512 | 68df3a897e2951dd03ef15eabee262d03f4dce289ba9975d034ab9813ab95555da495e9985c34041445557d8b84bb8674c7f06e5b8ec68c36328bb2accda75e1 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\[email protected]\bootstrap.js
| MD5 | 45ef3fd7a0a271a25309e3e53ff89021 |
| SHA1 | 62c9c7630d31acd60f03dd3c0276cc1edf98a8fc |
| SHA256 | ebab0953e71a77d5a6f87f1cdb39a6df3a15d87756514960c71b81c7a6ff19a3 |
| SHA512 | 020c0872ac02db63ec36b2dd992647f9beed33c59679b91228a6b133908444acb04a8d86f2a1622c435235f65e43a61bfb18a4a4e5f0ad53b2b30f02a33771b4 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\[email protected]\chrome.manifest
| MD5 | fc8ac94e665947c4dd5310af8f4e232f |
| SHA1 | f049b34d797ecc6a7daf8f0509a77077c7956926 |
| SHA256 | ab3cff346af18fcee8b7795bba74acf42feed84dfb1cdc3fcd24d8e9b09bf18e |
| SHA512 | 58f8763e3c4128c7d570b5ea0cb0ad45d7fc3886b9ee9784de78848a607b210aa0468b3ab5358edc6ccec9a22802c6280c2d4552bfdaa85acbe23d1894d50df0 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\[email protected]\install.rdf
| MD5 | feaf1ac7850edddda65c757c53887822 |
| SHA1 | 4497916706e7cbe1938218f67c2f977fa2353e50 |
| SHA256 | dfa806f6b86657e0882f5987b2908af738ebd1e54d01ccdf7c7b72149e8c3f86 |
| SHA512 | 7274888432ce0216627ceb10f943f55d884d601ea0c4ab6b024dc410535af9edd1d1a3fe210af919d57a223ca292a8a4de485970b309b3135e7be64a0bcfeb17 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\[email protected]\content\bg.js
| MD5 | aa37c32781474406b1fa06d787e854ee |
| SHA1 | 75868e289abf4ef7d591f5bee687a5392be2b3ff |
| SHA256 | d4da60616666e6090851631eac36b7a4ed7c998026bf4358317eb6c6dd3cd3ae |
| SHA512 | eec222cef22bf82dbfb899ca1e055567ac6be6d82cc04de6b61adc8d52a6c249fcb856979816b1139886f86f54055c76820746f3667a0a0ce5b1424a5dca20c3 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\[email protected]\content\zy.xul
| MD5 | bc39315f2cd2348f70e2d8f7847b3d13 |
| SHA1 | e0a23e2a350cd9e60a8de205781562bfceca3b41 |
| SHA256 | d573fc700db90a30292ba24886b460a0e47ceb1a0ae71d5598d77acd6b0af21b |
| SHA512 | 0ad604e6b01a97fbb19c0f974416495cb2f886da444f97a163331a3dee7ca2e4316ac5222653f6bfb0027b2f4c75acbacb202c9dd85e06d6f0176c6bee3c1429 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\mcmpjhobmiiikeagjabgmbncpgnngcce.crx
| MD5 | 0f0914bfa8c25584088c85c7a7bc6b82 |
| SHA1 | 00e94a1c3449afe16156dbc866dad68659a3f21e |
| SHA256 | 5b69a3a05724a50c92427db173a585cbfd846e14d7d82096c75099da587c10fa |
| SHA512 | eb271249204d70db4404c10f955c43cc99c7e2bb8f7b052a3c13c6bb4e00ce3b92044270c027dff1015ac099b82be2e83e0aa4cdca2807aaae0ab5e4166f5368 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\background.html
| MD5 | e2a53f3c239d5f269764b4ce6bd7ac27 |
| SHA1 | af0f488494b4d5d22134c2b5b5cbf6012a545ee4 |
| SHA256 | 8ab249c3b92e892f44df4800b62c5e666bae32b8a41f1bd4f286f065035e3dd3 |
| SHA512 | 5df50f16c204adf693f1c940fb9a151e985f21134be7cafff8f480d4efc27d62d24e7fe15e88cde357b4b772dc3e21a53b1500fbb2868c35e7ca7f1a6c02c80f |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\content.js
| MD5 | b0aea84419477a53cd44819bd1673629 |
| SHA1 | 8cfeda42e2e078abd9f2d8b16550738c6426c4ce |
| SHA256 | 6bddd07e79b030ff0a9832604f24d62158f248420606b16517e72cf7bd05acd3 |
| SHA512 | 88d67df212e2b8d8cbc8d3f1c9f75cef6e296117f6bebc21f16f6134f87a2488d58a9e79996b846a8ed34162cffc47292e108a765dfb51fff92c77f479230a61 |
C:\Users\Admin\AppData\Local\Temp\7zS9FF.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\wxDfast\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 11:30
Reported
2024-06-22 11:33
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00210972-8906-B481-E5E9-EB9CCE474F50} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00210972-8906-B481-E5E9-EB9CCE474F50} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00210972-8906-B481-E5E9-EB9CCE474F50}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00210972-8906-B481-E5E9-EB9CCE474F50}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{00210972-8906-B481-E5E9-EB9CCE474F50}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{00210972-8906-B481-E5E9-EB9CCE474F50}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3264 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe |
| PID 3264 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe |
| PID 3264 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{00210972-8906-B481-E5E9-EB9CCE474F50} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01ed6ff335e351f7bda95e7726a52c1a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe
.\setup.exe /s
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\settings.ini
| MD5 | 5d463e47df1b57181c354ed9950a787a |
| SHA1 | 449de178f85da1a3ff1afb41f301b0fb3cf7bd64 |
| SHA256 | 2d6a78c51794bee3267f278169b7f6d5a9a5fca208dca2cb95118305cfa34d18 |
| SHA512 | 68df3a897e2951dd03ef15eabee262d03f4dce289ba9975d034ab9813ab95555da495e9985c34041445557d8b84bb8674c7f06e5b8ec68c36328bb2accda75e1 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\[email protected]\bootstrap.js
| MD5 | 45ef3fd7a0a271a25309e3e53ff89021 |
| SHA1 | 62c9c7630d31acd60f03dd3c0276cc1edf98a8fc |
| SHA256 | ebab0953e71a77d5a6f87f1cdb39a6df3a15d87756514960c71b81c7a6ff19a3 |
| SHA512 | 020c0872ac02db63ec36b2dd992647f9beed33c59679b91228a6b133908444acb04a8d86f2a1622c435235f65e43a61bfb18a4a4e5f0ad53b2b30f02a33771b4 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\[email protected]\chrome.manifest
| MD5 | fc8ac94e665947c4dd5310af8f4e232f |
| SHA1 | f049b34d797ecc6a7daf8f0509a77077c7956926 |
| SHA256 | ab3cff346af18fcee8b7795bba74acf42feed84dfb1cdc3fcd24d8e9b09bf18e |
| SHA512 | 58f8763e3c4128c7d570b5ea0cb0ad45d7fc3886b9ee9784de78848a607b210aa0468b3ab5358edc6ccec9a22802c6280c2d4552bfdaa85acbe23d1894d50df0 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\[email protected]\install.rdf
| MD5 | feaf1ac7850edddda65c757c53887822 |
| SHA1 | 4497916706e7cbe1938218f67c2f977fa2353e50 |
| SHA256 | dfa806f6b86657e0882f5987b2908af738ebd1e54d01ccdf7c7b72149e8c3f86 |
| SHA512 | 7274888432ce0216627ceb10f943f55d884d601ea0c4ab6b024dc410535af9edd1d1a3fe210af919d57a223ca292a8a4de485970b309b3135e7be64a0bcfeb17 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\[email protected]\content\bg.js
| MD5 | aa37c32781474406b1fa06d787e854ee |
| SHA1 | 75868e289abf4ef7d591f5bee687a5392be2b3ff |
| SHA256 | d4da60616666e6090851631eac36b7a4ed7c998026bf4358317eb6c6dd3cd3ae |
| SHA512 | eec222cef22bf82dbfb899ca1e055567ac6be6d82cc04de6b61adc8d52a6c249fcb856979816b1139886f86f54055c76820746f3667a0a0ce5b1424a5dca20c3 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\[email protected]\content\zy.xul
| MD5 | bc39315f2cd2348f70e2d8f7847b3d13 |
| SHA1 | e0a23e2a350cd9e60a8de205781562bfceca3b41 |
| SHA256 | d573fc700db90a30292ba24886b460a0e47ceb1a0ae71d5598d77acd6b0af21b |
| SHA512 | 0ad604e6b01a97fbb19c0f974416495cb2f886da444f97a163331a3dee7ca2e4316ac5222653f6bfb0027b2f4c75acbacb202c9dd85e06d6f0176c6bee3c1429 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\mcmpjhobmiiikeagjabgmbncpgnngcce.crx
| MD5 | 0f0914bfa8c25584088c85c7a7bc6b82 |
| SHA1 | 00e94a1c3449afe16156dbc866dad68659a3f21e |
| SHA256 | 5b69a3a05724a50c92427db173a585cbfd846e14d7d82096c75099da587c10fa |
| SHA512 | eb271249204d70db4404c10f955c43cc99c7e2bb8f7b052a3c13c6bb4e00ce3b92044270c027dff1015ac099b82be2e83e0aa4cdca2807aaae0ab5e4166f5368 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\background.html
| MD5 | e2a53f3c239d5f269764b4ce6bd7ac27 |
| SHA1 | af0f488494b4d5d22134c2b5b5cbf6012a545ee4 |
| SHA256 | 8ab249c3b92e892f44df4800b62c5e666bae32b8a41f1bd4f286f065035e3dd3 |
| SHA512 | 5df50f16c204adf693f1c940fb9a151e985f21134be7cafff8f480d4efc27d62d24e7fe15e88cde357b4b772dc3e21a53b1500fbb2868c35e7ca7f1a6c02c80f |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\content.js
| MD5 | b0aea84419477a53cd44819bd1673629 |
| SHA1 | 8cfeda42e2e078abd9f2d8b16550738c6426c4ce |
| SHA256 | 6bddd07e79b030ff0a9832604f24d62158f248420606b16517e72cf7bd05acd3 |
| SHA512 | 88d67df212e2b8d8cbc8d3f1c9f75cef6e296117f6bebc21f16f6134f87a2488d58a9e79996b846a8ed34162cffc47292e108a765dfb51fff92c77f479230a61 |
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\wxDfast\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |