Malware Analysis Report

2025-01-18 22:00

Sample ID 240622-p172kasfqj
Target 02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118
SHA256 0ce879031b2a31168acaf5d0994fcc1c83e53b2af70e21e5d00298f5de1a8beb
Tags
adware discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0ce879031b2a31168acaf5d0994fcc1c83e53b2af70e21e5d00298f5de1a8beb

Threat Level: Shows suspicious behavior

The file 02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Unsigned PE

Enumerates physical storage devices

NSIS installer

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 12:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 12:48

Reported

2024-06-22 12:51

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ = "Bcool Class" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} = "1" C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS1610.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\settings.ini

MD5 adb3f14b89cf23fcb80ddcb3f65f88d3
SHA1 677c54823bc8f2e91f4470f9c20e23e34e02e0f6
SHA256 d3ed8c0d638fde5fcae7171c9ec768accd636d8b8853db5ad751cd059df24cc8
SHA512 3a1ea028acc61477b81c2db3788fc7583aa5c23bb0f21549769484a6bd52916cf3f075332f00010f46ccc0c9fe432de4b7aa8ca9fe22296225ddcd529233d7ea

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\chrome.manifest

MD5 44074ed0cf78932fdc674867cfe1314a
SHA1 6ec9857924b82227a64b6934c7798098cddd0e2b
SHA256 de47b694c9b94d945f18ac04a85269100203bb52144b79e213f61798ed583911
SHA512 1ccb18bb816897000d7d9561efabea6e8f0ab91cfc3a78e7f67a9d4e651008d21e5fcea17ba2c57e478e39b6e5cfc101851e2ace92e9d82c21443b04de86747e

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\install.rdf

MD5 138fc75ea0e455a1b49a67f5dc69cd5f
SHA1 49415c85830ea7a6c72ecd7e1db182b8510d5fb2
SHA256 e108624a8fd3e580da0172eb1c3b4a858fcc842eb672c18129835783de5cce90
SHA512 85cf99646b241df94fc5eabfba794b0e23308f148aefaf4c6ec66b615ed73a4970f66cd10a9b49b8a5d8b51f9a5a4f826110b86ab3e57668769595160bb2e470

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\indexeddb.js

MD5 041d5a4c75079646210f6c8938952559
SHA1 d8b22b144ebdf398b25b09e8ce3a39bc6e3e9fb0
SHA256 3edf03344a37506739082b302b30f1403150b69d50ba6a1bf866e672bc97d656
SHA512 36fdbf01b9791585b98ba88b2bb5ca4cfe393d4e9345f4c56fef9428a2a139c92746724665ed496acc62894e15db2267062e6c4428bc34401dd05663b48cf113

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\jsext.js

MD5 ee22556b46701f7d0e010b610eda28a7
SHA1 fd40a0b7c5aa4405353a0e8af8e854d1fc52146d
SHA256 81a818fee692ce8a8f9da3791de519f4771cd97db45ea1f74672425e82680d89
SHA512 34a8705ce8e3c87b83e5c404bd54cd600e54ba3df1f7617557cdf2f9bf63428cbdffb6e435648e9e920bdc26200b952b73580283c5188b8a2307e6dde852ca1c

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\lsdb.js

MD5 e213d08df4ed01b9b9fec0bba6de98bd
SHA1 2e15a5c012e57172bfe28f86e99e53af42a1df7e
SHA256 e635e9694bf6605d88fdb50191c1d1b9991c0597f079cebc3b5d71c7ac712e9f
SHA512 06bcb850997e65be55210181795316b31c61b3c99565794c68d823093aff4e6b3b20da84ae557fcd121c9ba5a2cd433ed161c00614594c02a825430bd0d0f0f8

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\prfdb.js

MD5 49a2b9dba3a6b008ec0fccdd44ec3aa4
SHA1 4ed5a0fa7226531a3c2560fd2a13b45812b371a4
SHA256 ffc1029d09018b7a011965ef1a956d93f8b3e8a2045f15e2b59de8625884c2bf
SHA512 f2d0ddfac872b9ee828fcfff1f2e08f33d45a7a0b97b9ea0b1edeee9e3660f895527613b64cdc41c9876e9005a8788b140499e9aa808336ab8cccae02c2ca93c

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\sqlite.js

MD5 77215a36dfb962f0c948f7394eaeada3
SHA1 612721d569da4012cebcb24db3b2a5fad1f28de5
SHA256 e807eae5da5097abf5b6a143c93e9f88d17dedd504809baf38cd6a83b0e1e304
SHA512 62fe20a85b2215115947e85e8e95177170f5a316dfec4b593f04ecdba00cffccf4c2fd595cd4e50eec36db24a5356fbb7e8254dbe9718d103c721ab92e63068d

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\[email protected]\content\wx.xul

MD5 cf63313887bf2a6ba3d515d4b5770ccb
SHA1 87feb69adfd194a6d54997e883c1fad06550a1b1
SHA256 7c1555b1fa1985dae1a2c255909db0ab656b297d71a62bb3013b7d195c96ca0b
SHA512 dba3e8b80041a942fb7e11aaab1b8183eea9981a448f80fdde8b1f27c41a20f2a8d801f2c80ebc99fa0950c26a48553ab90234a5d195f4d0c0540c3e420905b3

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\mhokfpodlphpfflnebofbgcoohgdheog.crx

MD5 fac78659f8338442899bede62ef75e56
SHA1 6dda2e53588be1c2974382635cf45fcdd374a29b
SHA256 fd56b7fd4c90cce209da855127d1b547642771e928b7b147273ac0ef4c5c7873
SHA512 92b7882c04e2103bf44205a659bededecabba575b65d82278552da218d4d5014c762958764b96f51cd4b289232133b01a09166fbcbe9643d6443d52fe034284d

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\background.html

MD5 59d44d8ff64d3122bba7e125374c2773
SHA1 b3606b42139b83445a0c2d71b984a998dfaef2e7
SHA256 5aea39aaa54beed9c2ba0b7be83e13f3dd18e420e1d46feb6a822a0a4b350b55
SHA512 cdaa420e03528b113e6948a40355609ddbda4b7fa4fc05a8d14b75441ee0277e1416774f8c2f2bdcd687f4ac2bbde81c7b508949527ff032403956970d497545

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\content.js

MD5 ba5b6993530b6066c14d7d2327960b67
SHA1 cfcf80e24500180d7595f394d987a1ce253a3d29
SHA256 0ae5db773548890af4344ac3252c801f79897b25411f5b3ec768eaaf0448adb8
SHA512 ae51810defe182197ea44be10b2c872a174f705c3805fa1e00ca0b74c95cf0d846ae3932818a7593997c835fe3cdb2fdd8890ee7e7b802ae015a5e3ea619c6df

C:\Users\Admin\AppData\Local\Temp\7zS1610.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\Bcool\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 12:48

Reported

2024-06-22 12:51

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\ = "Bcool Class" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E50937DB-3CD1-D0C9-036C-DDB9C5AF0EA7} = "1" C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe

.\setup.exe /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\settings.ini

MD5 adb3f14b89cf23fcb80ddcb3f65f88d3
SHA1 677c54823bc8f2e91f4470f9c20e23e34e02e0f6
SHA256 d3ed8c0d638fde5fcae7171c9ec768accd636d8b8853db5ad751cd059df24cc8
SHA512 3a1ea028acc61477b81c2db3788fc7583aa5c23bb0f21549769484a6bd52916cf3f075332f00010f46ccc0c9fe432de4b7aa8ca9fe22296225ddcd529233d7ea

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\chrome.manifest

MD5 44074ed0cf78932fdc674867cfe1314a
SHA1 6ec9857924b82227a64b6934c7798098cddd0e2b
SHA256 de47b694c9b94d945f18ac04a85269100203bb52144b79e213f61798ed583911
SHA512 1ccb18bb816897000d7d9561efabea6e8f0ab91cfc3a78e7f67a9d4e651008d21e5fcea17ba2c57e478e39b6e5cfc101851e2ace92e9d82c21443b04de86747e

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\install.rdf

MD5 138fc75ea0e455a1b49a67f5dc69cd5f
SHA1 49415c85830ea7a6c72ecd7e1db182b8510d5fb2
SHA256 e108624a8fd3e580da0172eb1c3b4a858fcc842eb672c18129835783de5cce90
SHA512 85cf99646b241df94fc5eabfba794b0e23308f148aefaf4c6ec66b615ed73a4970f66cd10a9b49b8a5d8b51f9a5a4f826110b86ab3e57668769595160bb2e470

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\indexeddb.js

MD5 041d5a4c75079646210f6c8938952559
SHA1 d8b22b144ebdf398b25b09e8ce3a39bc6e3e9fb0
SHA256 3edf03344a37506739082b302b30f1403150b69d50ba6a1bf866e672bc97d656
SHA512 36fdbf01b9791585b98ba88b2bb5ca4cfe393d4e9345f4c56fef9428a2a139c92746724665ed496acc62894e15db2267062e6c4428bc34401dd05663b48cf113

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\jsext.js

MD5 ee22556b46701f7d0e010b610eda28a7
SHA1 fd40a0b7c5aa4405353a0e8af8e854d1fc52146d
SHA256 81a818fee692ce8a8f9da3791de519f4771cd97db45ea1f74672425e82680d89
SHA512 34a8705ce8e3c87b83e5c404bd54cd600e54ba3df1f7617557cdf2f9bf63428cbdffb6e435648e9e920bdc26200b952b73580283c5188b8a2307e6dde852ca1c

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\prfdb.js

MD5 49a2b9dba3a6b008ec0fccdd44ec3aa4
SHA1 4ed5a0fa7226531a3c2560fd2a13b45812b371a4
SHA256 ffc1029d09018b7a011965ef1a956d93f8b3e8a2045f15e2b59de8625884c2bf
SHA512 f2d0ddfac872b9ee828fcfff1f2e08f33d45a7a0b97b9ea0b1edeee9e3660f895527613b64cdc41c9876e9005a8788b140499e9aa808336ab8cccae02c2ca93c

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\lsdb.js

MD5 e213d08df4ed01b9b9fec0bba6de98bd
SHA1 2e15a5c012e57172bfe28f86e99e53af42a1df7e
SHA256 e635e9694bf6605d88fdb50191c1d1b9991c0597f079cebc3b5d71c7ac712e9f
SHA512 06bcb850997e65be55210181795316b31c61b3c99565794c68d823093aff4e6b3b20da84ae557fcd121c9ba5a2cd433ed161c00614594c02a825430bd0d0f0f8

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\sqlite.js

MD5 77215a36dfb962f0c948f7394eaeada3
SHA1 612721d569da4012cebcb24db3b2a5fad1f28de5
SHA256 e807eae5da5097abf5b6a143c93e9f88d17dedd504809baf38cd6a83b0e1e304
SHA512 62fe20a85b2215115947e85e8e95177170f5a316dfec4b593f04ecdba00cffccf4c2fd595cd4e50eec36db24a5356fbb7e8254dbe9718d103c721ab92e63068d

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\wx.xul

MD5 cf63313887bf2a6ba3d515d4b5770ccb
SHA1 87feb69adfd194a6d54997e883c1fad06550a1b1
SHA256 7c1555b1fa1985dae1a2c255909db0ab656b297d71a62bb3013b7d195c96ca0b
SHA512 dba3e8b80041a942fb7e11aaab1b8183eea9981a448f80fdde8b1f27c41a20f2a8d801f2c80ebc99fa0950c26a48553ab90234a5d195f4d0c0540c3e420905b3

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\mhokfpodlphpfflnebofbgcoohgdheog.crx

MD5 fac78659f8338442899bede62ef75e56
SHA1 6dda2e53588be1c2974382635cf45fcdd374a29b
SHA256 fd56b7fd4c90cce209da855127d1b547642771e928b7b147273ac0ef4c5c7873
SHA512 92b7882c04e2103bf44205a659bededecabba575b65d82278552da218d4d5014c762958764b96f51cd4b289232133b01a09166fbcbe9643d6443d52fe034284d

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\background.html

MD5 59d44d8ff64d3122bba7e125374c2773
SHA1 b3606b42139b83445a0c2d71b984a998dfaef2e7
SHA256 5aea39aaa54beed9c2ba0b7be83e13f3dd18e420e1d46feb6a822a0a4b350b55
SHA512 cdaa420e03528b113e6948a40355609ddbda4b7fa4fc05a8d14b75441ee0277e1416774f8c2f2bdcd687f4ac2bbde81c7b508949527ff032403956970d497545

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\content.js

MD5 ba5b6993530b6066c14d7d2327960b67
SHA1 cfcf80e24500180d7595f394d987a1ce253a3d29
SHA256 0ae5db773548890af4344ac3252c801f79897b25411f5b3ec768eaaf0448adb8
SHA512 ae51810defe182197ea44be10b2c872a174f705c3805fa1e00ca0b74c95cf0d846ae3932818a7593997c835fe3cdb2fdd8890ee7e7b802ae015a5e3ea619c6df

C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\Bcool\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b