28b4bb7b5579bf336bb195d75ad44767b2d8b720fbf0017003046dc0ee71c321

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 16:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe
Size

313KB
MD5

28cbcf2679bcaa1e2a3889ca30b5c9fd
SHA1

776f5de18f9f199d3ebb8fe7794dcc19072ec00f
SHA256

28b4bb7b5579bf336bb195d75ad44767b2d8b720fbf0017003046dc0ee71c321
SHA512

c92430bca9861bcb25a64ecb93d470b5260f8a679b41e282e495f6c065e948d5f67a2c820e051d723eaddca90bceaac70220a8a0f8425a0e75daa8b0fc4b5b96
SSDEEP

6144:91OgDPdkBAFZWjadD4s/aVne87mxCTAkdjvlGmEZ6XPUu6Qhg9RgJ:91OgLdaFNRLTAFDZ6XPyQhg9RgJ

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2240	28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe
2904	setup.exe
2904	setup.exe
2904	setup.exe
2904	setup.exe
2904	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\ = "DownloadnSave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001878c-30.dat	nsis_installer_1
behavioral1/files/0x000500000001878c-30.dat	nsis_installer_2
behavioral1/files/0x0005000000019506-99.dat	nsis_installer_1
behavioral1/files/0x0005000000019506-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\ = "DownloadnSave Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2904	2240	28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2904	2240	28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2904	2240	28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2904	2240	28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2904	2240	28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2904	2240	28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2904	2240	28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{16A8525B-B6B4-1D98-A611-0A66BA7A5DC7} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28cbcf2679bcaa1e2a3889ca30b5c9fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadnSave\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
f396888f33c23ce111eb729116f062ad

SHA1
c1eea47a7ae58fc3d3674cc84f63d0c22cd44420

SHA256
e44b33e83077125903b3086422d7ee16c17839a38b2c72c9ae8f510f125f52b2

SHA512
15e5ab4ea8e5b8f807a764b3d151f75f23531a2687c6f480dd4d500516f6707b00dde11153bea0384cb7743e22e301baca4c17e5520224beceb46c798fc82bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
393700f661268e952b43edf9aa338b8e

SHA1
e5998a364aac2640865cbd50e3edcbc98d88db7c

SHA256
b4c54c840f9e4a4ebf5c2810759a23a21b31873d9f599c9be2e5ffd084464634

SHA512
1e8411abb624967f3962c6bfc0e71819f6a8a10aa3c5929cc13bb183605e54f34d22e3b0294d8e9dd2be0f5f5d9510806b4d277bfe6a53414726b6e04c881892

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
6e6c4f2be443a2a4b151d517cbc07218

SHA1
07222b21c28c610035ab0f19c79a0ef6dc0041aa

SHA256
13400c63180e5527e149d51bfc2b1c0cb4987829cc2bc698f041921b98b50bcb

SHA512
9dfd941509f314cee27c82516a32e74298641bbdde9d2b3a49a75ed32e7f39e52c5f3d3d3b02e872f1012a4caddd10058a061d0debe192c2ccf239af05e8f58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
9eb388c3bdff8c79a9fc1ba567f340a3

SHA1
ec689d80d020a188d3cc23b9289b818096235eb6

SHA256
09680acdbf608f338095b421eb3f7a883c28b8e160f3668e299ef59ffbc2058b

SHA512
c4d6018661b8e940556d858fb88244df07cb5c320669860e2de7a8a89d0cec5c6228b8dda093c19a8c14bc95210b9da20258732f217df87aac60d4f983aa3df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
077759e883d32e0fc95715e4ede7f280

SHA1
a9683a96314f5f33fd5f057c59b9e379b60ea36b

SHA256
d81f54e26a335c14c6f3a0daddd2a136f8251a935a89b4da74442fcc1d24dd41

SHA512
9ad10b5cec79c7afe2a6cea89969ad284a1ae550308f36958cfdc696344eab8980c4e35c835a80ab8ef2b953568c2041a2b3de124db3362048a3e5f20f985be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
358ecddcd6833bf113685e3106b21254

SHA1
1cf126c7ca4bc9b3889ed2d08d9989412a04ab65

SHA256
85a0fa1547eba9fe9dea08ed58e443af28634d7838a1250e61bb89dc86da58de

SHA512
a274e3516e0042b363882d4103744f95cc8ad77e230077b2362aedfbe93f3ed641aa4ccf68c102368fe2148dd88a0d11ab6e14567a95f67129f8d4231cf88e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
c3c205feb152c67409fd69876e1292bd

SHA1
c14fdfb87517481bda36b05985b1750683d33b6d

SHA256
3c134834770ac90538262044a2e862e0fda676dbd6309d5a59b2c6e721e6c716

SHA512
9dbc4f11e349399eb1b440c155157ad70d39d339144d53892527269ee559c278dd7d6f7f056534c7de50c1335f38dab91aa584c5f3c3c5408ee372f3ba8c8ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\[email protected]\install.rdf

Filesize
683B

MD5
2bc4ebbb483a7e46e40d81b7fd38cdc0

SHA1
951564aec55ab89e64907f6728ec0a93234a9542

SHA256
6d84e026eb745dec8b92ad42594d56ee974f699565aa9adc56707ab2939f1ce7

SHA512
1e89cedf75c37a3454d643db6725f65c9595a30f4f7ec697c83c80d4d478d00749344513c08ef6d9e63df5b2bef8089b32020dc1ffd68b0a9a2c8f6b13c631fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\background.html

Filesize
5KB

MD5
e9aa5cc7687a17cb7e856805fdc2acb0

SHA1
13140ff808ab109f2926e540e2767c33ecdf5d26

SHA256
4f7fae1bdc08aedbb0593d4a8bd0e8adeb95c23bc42c0a59ebe371240780d1f1

SHA512
6a3b6d4d6a9603cda9336e96890c2435f505e54e3af72d33dd82e1f76145ed8ad924b2b330a3da87ad237793061eff7e1e172f284f49a9b15da16ab8348840be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\content.js

Filesize
387B

MD5
b7cb4be52dcf2452006dd36de32b222a

SHA1
987b37152c723d5579bde4cfe99932aad27032ba

SHA256
a8ada678d44cf66b2f8c0ca6c9131ac529bc9660560eae8e2b38fead8f974d9b

SHA512
ae44b4ed718e02c3a5013e69901b261e869935a015986b89862a2dc1999b7861fd628bfe238dd9a39d1b6fc2605c05a94a05037d7be24929acef0d0cc493f5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\gmalppialgboealhbkbcfmnbggaldpaj.crx

Filesize
37KB

MD5
1044d36c9a7d1a3bc9fd82e71f423ea0

SHA1
7703eeed6af9429cada8834ed6309362e83d73f0

SHA256
235cff6f6709e4c8003f90d1c833943a759effdc00bedd7909ce04cd2b6cc389

SHA512
d7705cec053b8b51878c5417cb8649a772efcb04bcb085fd1d97c3781d5c8b266da7fba39c6e67f376a3d6671e5b8be4917a73d11593c35ebca6e1a98b44666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\settings.ini

Filesize
618B

MD5
3c4d696f4522a1f48c7943322bdd00fc

SHA1
bcdc136b6721ce267d870e46a6c020025324601c

SHA256
f6e3d3c93ed100b7b94549c761b4cb45f7745ecb75117bedb18d5cca34f3d648

SHA512
f2fad7ed40154c7b80e48db2e9ba69a7d6e1e413a59fb19b80217c7ccf3b6bf784a02832fb970a1274a79ba8c6a7474e344878822db4aeb88d82fe248b55ca2b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7B48.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads