Analysis Overview
SHA256
61af79ddde9248dafeedb35d94a727d482c8931b4e522bd70d1d8a81de69de13
Threat Level: Shows suspicious behavior
The file 02412534457a9759b5acb59976da2e79_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Unsigned PE
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 13:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 13:03
Reported
2024-06-22 13:05
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\settings.ini
| MD5 | 70f3bae144bd385a1ffc6c34636abbcc |
| SHA1 | b869df29a7609069a03a529555b3e56af6a8e128 |
| SHA256 | 1e27a51c4bf1aa2ddb45a6c4cb05170e8e7821cdbf676d3098f41816c207d915 |
| SHA512 | ca5ce15f84c42fe7dfc4f02062a137139c41c9b50f9382ad044c3a7328d1dad0fa8cb2d7e04350b67b1f98766da13fc0308ffc66e0fc66bc424b0f7483377091 |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\install.rdf
| MD5 | 53e63cef50ec3650a1973f9fe00487cd |
| SHA1 | 1c5b56545c8ed80501fd3b447d81b66f72b4c452 |
| SHA256 | a2f62ca6fe84c46d03a30a7807de1e2a811859b7ca8a28f2e0f14890786f44b9 |
| SHA512 | 534dc36c1eb4cf63521ad9b312ac203d9b2ed1f355bfe525bb1cb0902c1f9863f39c1010a25206f81d60eccfcd75915e026022d19f404678371278721200b6f1 |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\chrome.manifest
| MD5 | 909f8888eb1a0e3dbaf20612552c7264 |
| SHA1 | 15c80419a70ef5300fa19eaaaea38c9a821aa418 |
| SHA256 | a00c90290efa6a6d501adb804bcaca5722c6713f741f11ff6547f7ae0f1d8d12 |
| SHA512 | 9c0e55db2eaff400e4232b07a75b772a7bff10d06dac3effefd130c46645945bb48a0865e969b38ada77224208110808d8138f116c74ad5a7fa8d49339db589d |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\bootstrap.js
| MD5 | 0d5806a9d0b4022b51c6cecbb376bbf0 |
| SHA1 | b41728d98e196ff38d95811ccb12a8f90fa36772 |
| SHA256 | 0b22de180788ca29718e704998bcfac197d35819ac7ade6833f2a9affcac950a |
| SHA512 | fdcb758763a99dd514f726aa4051fcfb171ac4d9e16022cbace6bb009057069c67412b021ed8b5f81f3244bdca5ffb57e29d16486e4abd050aa28512bc375e90 |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\content\bg.js
| MD5 | 31280ea25cce962cdddd6b472d667a9d |
| SHA1 | 91c4a4a29aef235828184a7b5626ea2e324676b0 |
| SHA256 | 330275091c3f38219aa3523f90ecb68a7a9afb7a3eb8a61bcf7ae0c9e491e835 |
| SHA512 | 68a4ede7afb42e86f0201d1f8f2f1c7fea9a9d7145a9f3656a4a17db3507a1fa7627318278bbdbea832df74648d4465b1f402205a114d6f212ef17752ee1231d |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\content\zy.xul
| MD5 | 4b7ff875645966a272aaff9eca08db3d |
| SHA1 | c45963632f9bff2299517778fb13d6a2b5ea942e |
| SHA256 | 388602380f6472fa68a7925e78016b057e01582a72f764d8e70c5ed3719bf386 |
| SHA512 | c45ca275e1a148a60f8819533a812633968245a0ba069a00fe26e9265d9787478e482fca2b341fb6a3485f7d9016cb4d976772432f7e58aa67608ebceb509077 |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\obolkfkifbgldigmdfajpgicgbffdmnj.crx
| MD5 | 9794d9593738a1d2e6a176a934f4874b |
| SHA1 | 7c1d2facf4fd77daf755036ce4deedf0da8fef51 |
| SHA256 | 8e461dee1dc70d9632d3277cef83e2e760c005d144e2ec5dc3508bfbd16eb555 |
| SHA512 | c3ee3ca1e609d27cf0c514899dbc58dec9501bd6e2ce4339a920cb228d05bfa483317edae36184ff162583cc263d67b0e42716449f7c7e16564f93cf19a18d22 |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\background.html
| MD5 | 8fdd3da703d4b42462ef0d067bcea821 |
| SHA1 | 07fa10f4c9bd67e15872ada76ee361fdd8e7d601 |
| SHA256 | 6711ff506564ef453c2107625f6fd0d600301dfc3ff57b4f99e4f01e1d6d2301 |
| SHA512 | 9226147819219b7314265e424520b06ceda50af2b5880a2d5414b0f5e5e5978126a54ed38cc73bbf620433b90a5a83f661342f391baaba414200753a402d23c6 |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\content.js
| MD5 | 8b1fc597048d42e69cb5fb65a584d692 |
| SHA1 | 972519e7b28ecfabddaaed11254db3a365e5ad28 |
| SHA256 | 66698572f9306dffbc63ceca591ac858db5e2af1954718376aff25dea78c2eec |
| SHA512 | 246358557e51a8fa93d2e73d0be1e480c4495d287f14fd0f56c1ed3fe5ea32d92dab4473d3bb8e1cadcab5e35a7fbc2adc5690ba7c2cb92eae188889f984c1c9 |
C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\Bcool\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 13:03
Reported
2024-06-22 13:05
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3748 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe |
| PID 3748 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe |
| PID 3748 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{0ED056AE-E127-1E45-3E0A-B443ED6F6C4E} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\settings.ini
| MD5 | 70f3bae144bd385a1ffc6c34636abbcc |
| SHA1 | b869df29a7609069a03a529555b3e56af6a8e128 |
| SHA256 | 1e27a51c4bf1aa2ddb45a6c4cb05170e8e7821cdbf676d3098f41816c207d915 |
| SHA512 | ca5ce15f84c42fe7dfc4f02062a137139c41c9b50f9382ad044c3a7328d1dad0fa8cb2d7e04350b67b1f98766da13fc0308ffc66e0fc66bc424b0f7483377091 |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\[email protected]\bootstrap.js
| MD5 | 0d5806a9d0b4022b51c6cecbb376bbf0 |
| SHA1 | b41728d98e196ff38d95811ccb12a8f90fa36772 |
| SHA256 | 0b22de180788ca29718e704998bcfac197d35819ac7ade6833f2a9affcac950a |
| SHA512 | fdcb758763a99dd514f726aa4051fcfb171ac4d9e16022cbace6bb009057069c67412b021ed8b5f81f3244bdca5ffb57e29d16486e4abd050aa28512bc375e90 |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\[email protected]\chrome.manifest
| MD5 | 909f8888eb1a0e3dbaf20612552c7264 |
| SHA1 | 15c80419a70ef5300fa19eaaaea38c9a821aa418 |
| SHA256 | a00c90290efa6a6d501adb804bcaca5722c6713f741f11ff6547f7ae0f1d8d12 |
| SHA512 | 9c0e55db2eaff400e4232b07a75b772a7bff10d06dac3effefd130c46645945bb48a0865e969b38ada77224208110808d8138f116c74ad5a7fa8d49339db589d |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\[email protected]\install.rdf
| MD5 | 53e63cef50ec3650a1973f9fe00487cd |
| SHA1 | 1c5b56545c8ed80501fd3b447d81b66f72b4c452 |
| SHA256 | a2f62ca6fe84c46d03a30a7807de1e2a811859b7ca8a28f2e0f14890786f44b9 |
| SHA512 | 534dc36c1eb4cf63521ad9b312ac203d9b2ed1f355bfe525bb1cb0902c1f9863f39c1010a25206f81d60eccfcd75915e026022d19f404678371278721200b6f1 |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\[email protected]\content\bg.js
| MD5 | 31280ea25cce962cdddd6b472d667a9d |
| SHA1 | 91c4a4a29aef235828184a7b5626ea2e324676b0 |
| SHA256 | 330275091c3f38219aa3523f90ecb68a7a9afb7a3eb8a61bcf7ae0c9e491e835 |
| SHA512 | 68a4ede7afb42e86f0201d1f8f2f1c7fea9a9d7145a9f3656a4a17db3507a1fa7627318278bbdbea832df74648d4465b1f402205a114d6f212ef17752ee1231d |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\[email protected]\content\zy.xul
| MD5 | 4b7ff875645966a272aaff9eca08db3d |
| SHA1 | c45963632f9bff2299517778fb13d6a2b5ea942e |
| SHA256 | 388602380f6472fa68a7925e78016b057e01582a72f764d8e70c5ed3719bf386 |
| SHA512 | c45ca275e1a148a60f8819533a812633968245a0ba069a00fe26e9265d9787478e482fca2b341fb6a3485f7d9016cb4d976772432f7e58aa67608ebceb509077 |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\obolkfkifbgldigmdfajpgicgbffdmnj.crx
| MD5 | 9794d9593738a1d2e6a176a934f4874b |
| SHA1 | 7c1d2facf4fd77daf755036ce4deedf0da8fef51 |
| SHA256 | 8e461dee1dc70d9632d3277cef83e2e760c005d144e2ec5dc3508bfbd16eb555 |
| SHA512 | c3ee3ca1e609d27cf0c514899dbc58dec9501bd6e2ce4339a920cb228d05bfa483317edae36184ff162583cc263d67b0e42716449f7c7e16564f93cf19a18d22 |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\background.html
| MD5 | 8fdd3da703d4b42462ef0d067bcea821 |
| SHA1 | 07fa10f4c9bd67e15872ada76ee361fdd8e7d601 |
| SHA256 | 6711ff506564ef453c2107625f6fd0d600301dfc3ff57b4f99e4f01e1d6d2301 |
| SHA512 | 9226147819219b7314265e424520b06ceda50af2b5880a2d5414b0f5e5e5978126a54ed38cc73bbf620433b90a5a83f661342f391baaba414200753a402d23c6 |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\content.js
| MD5 | 8b1fc597048d42e69cb5fb65a584d692 |
| SHA1 | 972519e7b28ecfabddaaed11254db3a365e5ad28 |
| SHA256 | 66698572f9306dffbc63ceca591ac858db5e2af1954718376aff25dea78c2eec |
| SHA512 | 246358557e51a8fa93d2e73d0be1e480c4495d287f14fd0f56c1ed3fe5ea32d92dab4473d3bb8e1cadcab5e35a7fbc2adc5690ba7c2cb92eae188889f984c1c9 |
C:\Users\Admin\AppData\Local\Temp\7zS2F4D.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\Bcool\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |