b01bcaba018f79cbcb39628f54b87b9544123c37fafc67d1c052b084a89c6fa8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe
Size

315KB
MD5

c984d9f97ea35d326900866ebd0fad0c
SHA1

78f632140c417a85acf24034f7e54ad166bf5721
SHA256

b01bcaba018f79cbcb39628f54b87b9544123c37fafc67d1c052b084a89c6fa8
SHA512

c6c79ececcf199395ea1df4303310389c6f230d65820725c79404f92f4fa1938d074a43ce73d38f40ebd2acfbe18861459dbdbefd4373566502d68f5d69c7be1
SSDEEP

6144:91OgDPdkBAFZWjadD4sdjyx8Hlu2HjR9MSjT0GAqNqart:91OgLda2Uqu2HjRXjfAsqart

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1664	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2184	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe
1664	setup.exe
1664	setup.exe
1664	setup.exe
1664	setup.exe
1664	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000195c7-30.dat	nsis_installer_1
behavioral1/files/0x00050000000195c7-30.dat	nsis_installer_2
behavioral1/files/0x000500000001a2fc-99.dat	nsis_installer_1
behavioral1/files/0x000500000001a2fc-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\ = "wxDfast Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1664	2184	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1664	2184	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1664	2184	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1664	2184	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1664	2184	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1664	2184	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1664	2184	c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{B903ACD9-B861-0FCB-DF11-C8ED9A2C8938} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c984d9f97ea35d326900866ebd0fad0c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
44304f9b561ac7f1408cb879d8f95a7b

SHA1
8d520c18c845476d85745d09afcdc76ce834df7b

SHA256
8ba9376521e73de4ee2872e762301d8c6de864440b0a6ed4e5f7580d7771649d

SHA512
0922efab78e57e356b4c65c08c8ec4904be6d60c5d29d17d99da2bd4a6601f0aacae6611d551a4732618d0e29993a765cdadcc88d36700f672349f0686713802

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
f6298de55a6ce4663616f2c472b45ff3

SHA1
ed95e24fd53f1f8dc00722ad3e44ac0206cb9b9c

SHA256
db866b99f07bd135fd9cc1d83757068de1c9bd1e200133fc906bf7f9307a9658

SHA512
2c06231888e4004f22879b0b115302e79b72dac3b23779b5f7d3894f6d3961118d6ff21185632ddafae6c247fbcf8d82e4df3136aa89abbcadc56b8d580c9c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
062467e1ab3c7c31e301c3eca7bc2081

SHA1
4e8a565e7bfad10dd19887b9791b614a3d3f8cee

SHA256
e46287dd75bb5a961faca74f48a86cb3176f337791126078076dc1c17e854a09

SHA512
325debb440922a8d3e8731b9c9f300292d5e48b672d3ef15a71df16c8a885cf57bf97b271263a79b797a96e72b8a25afae97f7d09b62575afb6add51aa454f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
d9c7327033940274c996708a6ce3e203

SHA1
9b6f6ab4b8d9d1ddf4a8e5466224d0d37c3674bf

SHA256
4008418c16631ca04beaddcbee1bbc8ea408413832b07f8c74d89e8c6f03860b

SHA512
33d06c4a6c796431e60d426831304e2ff2a02c69f11bfe519898fe159bc2c9fea3e39c28bc6d9ec430a09c2b13431dfbe84e0db46cc0675ba4d24d85b5826ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
0a8c4fe5b10cfa619a84d5e5ad95d940

SHA1
9d6bd435690e0459b31768e06de8003d07dfacce

SHA256
3dabd90cf0c0d960d3faf221b9e6af60bd690a45f68d4f9bb890c2421f66b5ea

SHA512
edc71917c06cc722795a033dc9d333ddfe943ce1a32fc1caa16d04cc7b47d6dbf9db0cce78991c73debbf1ad2d9eeb49c27aae4f1a69eab66becfbe7f1cc204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
5e801edc74f17ed3c79652d2f514ae8a

SHA1
e11594d744c02e61f5ec71f77e3a35ef2c9ebdf2

SHA256
c17b2cc3737431ed68da3a0f6a9b20048e909c27160fe038a08aaceb48c04e8c

SHA512
b88a59dfc01ef0576c111f27222ee0f576b55705e1e58ea97097616b39cb84e901123ea1948f513b47f6af2d194181d0059b71d1c9a6e3814c4e9fe3ef23f7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
7c27e675286916a00c649d52fb582db7

SHA1
9c7f9d6d033e1488b12f8b32c50e0ec3ba9afff4

SHA256
64db251b56083c8382d7d0730b32f4c252fc3535e14332cf1c5002e52d573f38

SHA512
a3a4340f906c603907f23c77fc078f6f74ea0b69119cffd8c3b8666b4f9eedcf0832670cde6670c152d5d710ac1366aeeae82a5d876387c25be9c08700a0e1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\[email protected]\install.rdf

Filesize
677B

MD5
5a1e708ff3cfd101622d7563473c28ee

SHA1
2996cd368a08710cebaeac5fd0a4cd5473d64f7d

SHA256
4ee811497d1adc0675e3868783e84b778846ebbb1b5c1c9402ba35f642aeae49

SHA512
28f4e12bc60ff641b02b083487f8549be35b2000ccec3078cfdee67dc343c16ab59fe8d88bc331caf39c043809492a77d41bfeb08bdfd0ede90d288535fde0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\background.html

Filesize
5KB

MD5
54a6559f49a2e946e069a88681895780

SHA1
8c69719bc52c174ebbdf37ed4600a5650f021c89

SHA256
64ae5593a775791469b01a281c7b69ae00be6ee40f9363fafe2ad81aa25db1df

SHA512
258dd169b87671f57d1d272e461e388b0a6e9820086d9541d6e04e6c50b53e653c585796a9ed6abaf26cd5fb4b58d43a085e8be79fdbdee34683bde921834603

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\content.js

Filesize
386B

MD5
b87d631caf5e6956d3cae7516ea0ca9e

SHA1
0a41ff7c3ba1cc9a41e41877df768b8607da66aa

SHA256
311ce7125191eef07959d89c5b3ecb221106bb08fbb7a5ae67c91e7359bf196a

SHA512
4c187897afb2d450ecac3566b8bad8c0db9f914741f3f53e8be72fab1307435cedecee785c93d7d529d56b8b8fff36c522134bdbb43ea57e700c78a77688939e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\gebbgmicobdkogpgdpjbahmjkkpobeod.crx

Filesize
37KB

MD5
664602e76f97df2e36afb218c8703a9c

SHA1
4bf6ebc8d53ac17c704c9948a4aa79f79db6d1f6

SHA256
efc8354470f0a9e8ce8716c92bc7166f45091ac6be9cdacd4b74a2f9587eea1c

SHA512
88543c62abdcf0bde1ccedae5630a660ae3a6535d301bb8be4f330673073437d36c3724a22daedb74ca316af58aefb1c584493656966d21f37bd802155bf44f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\settings.ini

Filesize
599B

MD5
b0a4e924075dda1e11c22842787abf44

SHA1
f335bf9d3a88893120dafd8b0c3fd60f7ccfc9a8

SHA256
ba06b72ea6fd48d429d3c407d1425f310466073ffaf9fb536fa24fe79c90e4cc

SHA512
167872b6c3a2a4c96bbc9338290c6bc91b81ea041e71cc4c46e8091e7210122cda58c908cd6f6d68e98d2ccc57c795d3fccf47e17b01438299d1b4f79f0a8b52

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8DBF.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads