Analysis Overview
SHA256
0ce879031b2a31168acaf5d0994fcc1c83e53b2af70e21e5d00298f5de1a8beb
Threat Level: Shows suspicious behavior
The file 02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Unsigned PE
Enumerates physical storage devices
NSIS installer
System policy modification
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 12:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 12:48
Reported
2024-06-22 12:51
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\settings.ini
| MD5 | adb3f14b89cf23fcb80ddcb3f65f88d3 |
| SHA1 | 677c54823bc8f2e91f4470f9c20e23e34e02e0f6 |
| SHA256 | d3ed8c0d638fde5fcae7171c9ec768accd636d8b8853db5ad751cd059df24cc8 |
| SHA512 | 3a1ea028acc61477b81c2db3788fc7583aa5c23bb0f21549769484a6bd52916cf3f075332f00010f46ccc0c9fe432de4b7aa8ca9fe22296225ddcd529233d7ea |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\chrome.manifest
| MD5 | 44074ed0cf78932fdc674867cfe1314a |
| SHA1 | 6ec9857924b82227a64b6934c7798098cddd0e2b |
| SHA256 | de47b694c9b94d945f18ac04a85269100203bb52144b79e213f61798ed583911 |
| SHA512 | 1ccb18bb816897000d7d9561efabea6e8f0ab91cfc3a78e7f67a9d4e651008d21e5fcea17ba2c57e478e39b6e5cfc101851e2ace92e9d82c21443b04de86747e |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\install.rdf
| MD5 | 138fc75ea0e455a1b49a67f5dc69cd5f |
| SHA1 | 49415c85830ea7a6c72ecd7e1db182b8510d5fb2 |
| SHA256 | e108624a8fd3e580da0172eb1c3b4a858fcc842eb672c18129835783de5cce90 |
| SHA512 | 85cf99646b241df94fc5eabfba794b0e23308f148aefaf4c6ec66b615ed73a4970f66cd10a9b49b8a5d8b51f9a5a4f826110b86ab3e57668769595160bb2e470 |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\indexeddb.js
| MD5 | 041d5a4c75079646210f6c8938952559 |
| SHA1 | d8b22b144ebdf398b25b09e8ce3a39bc6e3e9fb0 |
| SHA256 | 3edf03344a37506739082b302b30f1403150b69d50ba6a1bf866e672bc97d656 |
| SHA512 | 36fdbf01b9791585b98ba88b2bb5ca4cfe393d4e9345f4c56fef9428a2a139c92746724665ed496acc62894e15db2267062e6c4428bc34401dd05663b48cf113 |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\jsext.js
| MD5 | ee22556b46701f7d0e010b610eda28a7 |
| SHA1 | fd40a0b7c5aa4405353a0e8af8e854d1fc52146d |
| SHA256 | 81a818fee692ce8a8f9da3791de519f4771cd97db45ea1f74672425e82680d89 |
| SHA512 | 34a8705ce8e3c87b83e5c404bd54cd600e54ba3df1f7617557cdf2f9bf63428cbdffb6e435648e9e920bdc26200b952b73580283c5188b8a2307e6dde852ca1c |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\lsdb.js
| MD5 | e213d08df4ed01b9b9fec0bba6de98bd |
| SHA1 | 2e15a5c012e57172bfe28f86e99e53af42a1df7e |
| SHA256 | e635e9694bf6605d88fdb50191c1d1b9991c0597f079cebc3b5d71c7ac712e9f |
| SHA512 | 06bcb850997e65be55210181795316b31c61b3c99565794c68d823093aff4e6b3b20da84ae557fcd121c9ba5a2cd433ed161c00614594c02a825430bd0d0f0f8 |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\prfdb.js
| MD5 | 49a2b9dba3a6b008ec0fccdd44ec3aa4 |
| SHA1 | 4ed5a0fa7226531a3c2560fd2a13b45812b371a4 |
| SHA256 | ffc1029d09018b7a011965ef1a956d93f8b3e8a2045f15e2b59de8625884c2bf |
| SHA512 | f2d0ddfac872b9ee828fcfff1f2e08f33d45a7a0b97b9ea0b1edeee9e3660f895527613b64cdc41c9876e9005a8788b140499e9aa808336ab8cccae02c2ca93c |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\sqlite.js
| MD5 | 77215a36dfb962f0c948f7394eaeada3 |
| SHA1 | 612721d569da4012cebcb24db3b2a5fad1f28de5 |
| SHA256 | e807eae5da5097abf5b6a143c93e9f88d17dedd504809baf38cd6a83b0e1e304 |
| SHA512 | 62fe20a85b2215115947e85e8e95177170f5a316dfec4b593f04ecdba00cffccf4c2fd595cd4e50eec36db24a5356fbb7e8254dbe9718d103c721ab92e63068d |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\wx.xul
| MD5 | cf63313887bf2a6ba3d515d4b5770ccb |
| SHA1 | 87feb69adfd194a6d54997e883c1fad06550a1b1 |
| SHA256 | 7c1555b1fa1985dae1a2c255909db0ab656b297d71a62bb3013b7d195c96ca0b |
| SHA512 | dba3e8b80041a942fb7e11aaab1b8183eea9981a448f80fdde8b1f27c41a20f2a8d801f2c80ebc99fa0950c26a48553ab90234a5d195f4d0c0540c3e420905b3 |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\mhokfpodlphpfflnebofbgcoohgdheog.crx
| MD5 | fac78659f8338442899bede62ef75e56 |
| SHA1 | 6dda2e53588be1c2974382635cf45fcdd374a29b |
| SHA256 | fd56b7fd4c90cce209da855127d1b547642771e928b7b147273ac0ef4c5c7873 |
| SHA512 | 92b7882c04e2103bf44205a659bededecabba575b65d82278552da218d4d5014c762958764b96f51cd4b289232133b01a09166fbcbe9643d6443d52fe034284d |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\background.html
| MD5 | 59d44d8ff64d3122bba7e125374c2773 |
| SHA1 | b3606b42139b83445a0c2d71b984a998dfaef2e7 |
| SHA256 | 5aea39aaa54beed9c2ba0b7be83e13f3dd18e420e1d46feb6a822a0a4b350b55 |
| SHA512 | cdaa420e03528b113e6948a40355609ddbda4b7fa4fc05a8d14b75441ee0277e1416774f8c2f2bdcd687f4ac2bbde81c7b508949527ff032403956970d497545 |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\content.js
| MD5 | ba5b6993530b6066c14d7d2327960b67 |
| SHA1 | cfcf80e24500180d7595f394d987a1ce253a3d29 |
| SHA256 | 0ae5db773548890af4344ac3252c801f79897b25411f5b3ec768eaaf0448adb8 |
| SHA512 | ae51810defe182197ea44be10b2c872a174f705c3805fa1e00ca0b74c95cf0d846ae3932818a7593997c835fe3cdb2fdd8890ee7e7b802ae015a5e3ea619c6df |
C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\Bcool\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 12:48
Reported
2024-06-22 12:51
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3608 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe |
| PID 3608 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe |
| PID 3608 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\settings.ini
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\jquery.js
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\indexeddb.js
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\jsext.js
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\prfdb.js
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\lsdb.js
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\sqlite.js
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\wx.xul
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\mhokfpodlphpfflnebofbgcoohgdheog.crx
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\background.html
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\content.js
C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\bhoclass.dll
C:\ProgramData\Bcool\uninstall.exe