Analysis Overview
SHA256
f30bb9f65cd66b8ac6518af9bcd5628cc6a21e940a894a0750b3ac913966cf8b
Threat Level: Known bad
The file ce4823889c3c5f42ffd5654be87d8ff3_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Azorult
Executes dropped EXE
Loads dropped DLL
Event Triggered Execution: Component Object Model Hijacking
Checks computer location settings
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
AutoIT Executable
Drops file in System32 directory
Drops file in Program Files directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Script User-Agent
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-06 00:53
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-06 00:53
Reported
2024-09-06 00:56
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Azorult
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cexplorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chameleon Explorer = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" /startup" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-LU5QT.tmp | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-OHGDE.tmp | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-S3MEA.tmp | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-O2I80.tmp | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-TDPIM.tmp | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-UCC4F.tmp | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\Folder.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\Folder64.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-B3B7D.tmp | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-2CJRE.tmp | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ce4823889c3c5f42ffd5654be87d8ff3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cexplorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications\ChameleonExplorer.exe\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Directory\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ = "Chameleon Explorer Autoplay COM Server" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\System.RangeException\ = "System.RangeException" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications\ChameleonExplorer.exe\DefaultIcon | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\CLSID\ = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Drive\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.zip\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer\uid = "6800b04a6bb814b596655af5dc5e3032" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\System.RangeException\CLSID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Directory\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Directory\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID\ = "ChameleonExplorer.AutoplayEventHandler" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\System.RangeException\CurVer\ins13 = "installed" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Drive\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Drive\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.zip\OpenWithProgids | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\System.RangeException\CLSID\ = "{4286FA72-A2FA-3245-8751-D4206070A191}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Directory\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.zip\DefaultIcon | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\ = "Chameleon Explorer Autoplay COM Server" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\System.RangeException\CurVer\13 = "45542" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.zip\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\System.RangeException\CurVer | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.zip\OpenWithProgids\ChameleonExplorer.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB} | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Drive\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.zip\ = "ChameleonExplorer.zip" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.zip\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.zip\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Directory\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget\CLSID = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications\ChameleonExplorer.exe | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.zip\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.zip\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Directory | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Drive | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32\ = "C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\System.RangeException | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Drive\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\CLSID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce4823889c3c5f42ffd5654be87d8ff3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce4823889c3c5f42ffd5654be87d8ff3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\cexplorer.exe
"C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp" /SL5="$60124,6397385,121344,C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
Network
| Country | Destination | Domain | Proto |
| FR | 51.15.254.54:80 | tcp | |
| US | 8.8.8.8:53 | www.chameleon-managers.com | udp |
| NL | 142.250.102.121:80 | www.chameleon-managers.com | tcp |
| US | 8.8.8.8:53 | neosoft-activator.appspot.com | udp |
| NL | 142.250.27.153:443 | neosoft-activator.appspot.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| NL | 142.250.27.94:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\cexplorer.exe
| MD5 | b2e5a8fe3ca4f0cd681b5662f972ea5f |
| SHA1 | b7dbcfaee55ecbf0158431d85dabdd479ab449c7 |
| SHA256 | e71c48c03b8cfd37bf17e62460733a4bfe9c484e947fd9db291f65405a2ba9e8 |
| SHA512 | 40b7140f5c182cd51cee142a2575bd70dc9bde311ad3952119fb9769b5ceeb467695aa5a66fc90520712d9a39458930efb965496d6443665b7597cfd66247aaf |
memory/2700-26-0x0000000000401000-0x0000000000412000-memory.dmp
memory/2700-24-0x0000000000400000-0x0000000000428000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-63VUO.tmp\cexplorer.tmp
| MD5 | 729bc0108bcd7ec083dfa83d7a4577f2 |
| SHA1 | 0b4efa5e1764b4ce3e3ae601c8655c7bb854a973 |
| SHA256 | b1c68b1582ebb5f465512a0b834ccac095460b29136b6c7eea0475612bf16b49 |
| SHA512 | 49c83533ce88d346651d59d855cff18190328795401c1277f4e3d32ff34f207d2c35f026785aa6c4a85624d88bf8c927654907faf50db1d57447730d9d6ac44c |
memory/2572-33-0x0000000000400000-0x000000000052D000-memory.dmp
\Users\Admin\AppData\Local\Temp\update.exe
| MD5 | 61e299de739be23bb5a865420d52a936 |
| SHA1 | 52cfa8d569f69bb051c8a865341b05e743fd2f65 |
| SHA256 | b2fc859e9d7245df15ea04ed4d9ec644b008b9f7e2ea3158a88bf02703749cf6 |
| SHA512 | aa496e7d83b2810c92a2bba8c35e02ddc9d3641fd137f86e0295f499d14b21034ba6c025d5874e6ae5878e16521628ca8f116449906a76b7daf937a3069806a0 |
\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
| MD5 | 92a3d0847fc622b31f2d0c273a676c0e |
| SHA1 | e642d694367cc98a8863d87fec82e4cf940eb48a |
| SHA256 | 9a9923c08d3fc5937b6ed189e20cf416482a079bc0c898c4ed75329e0ee3ae89 |
| SHA512 | 01d13fd9a0dd52bc2e3f17af7a999682201c99ecf7218bca254a4944a483fd1dec2a3e6d59def501a024ad760b849787902ecb55bd33d23fa9651c0a7689cd1c |
memory/2136-90-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2136-91-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2136-110-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2136-111-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2136-115-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2136-112-0x0000000000400000-0x0000000001438000-memory.dmp
\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
| MD5 | 5b0ae3fac33c08145dca4a9c272ebc34 |
| SHA1 | 940f504d835fc254602953495320bb92456177b9 |
| SHA256 | 137723bdd388f6e5a50b7942eff02f4cc70e6b86d8650a41f9e8956ea1e4de3b |
| SHA512 | 015ffc133ad3a6937222bbc057f68b60abfe22b900b5e7c4e6ca3ec7dc6b09abaf54b595f00fa9212f370da8531af1ac5fc52b39953e1f685e81c66d1ec61f8a |
memory/2300-118-0x0000000000400000-0x0000000001438000-memory.dmp
C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new
| MD5 | fb76f4f533203e40ce30612a47171f94 |
| SHA1 | 304ba296c77a93ddb033d52578fcc147397db981 |
| SHA256 | 3de05f18ffe9fda589a45ea539a464e58a30f70d59d71444b018064cf831c4a6 |
| SHA512 | a416a6d6efbbd69209e1867f12b9d1d11b21160f6dfe07c510b43112c22c317f805c67dd9402744a6c7e1541f6b3a061c49942fe28fa70f74aea670ba9c71995 |
C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new
| MD5 | 96f92c8368c1e922692f399db96da1eb |
| SHA1 | 1a91d68f04256ef3bc1022beb616ba65271bd914 |
| SHA256 | 161408b86eed7c4d9a5882aa00df3f8765ed28fa4fd9aab2c9b3dceadbd527f9 |
| SHA512 | b3d3fb2d78fe2df864f0e07a8bc1610ee9d65251957e0495a34c1631895293590e0fca965ec9deb160f48a4e09a2feabd3bff6fb9a0c22888a941e308de39d14 |
memory/900-135-0x0000000000400000-0x0000000000A39000-memory.dmp
memory/2572-138-0x0000000000400000-0x000000000052D000-memory.dmp
memory/972-139-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new
| MD5 | de5f74ef4e17b2dc8ad69a3e9b8d22c7 |
| SHA1 | 42df8fedc56761041bce47b84bd4e68ee75448d2 |
| SHA256 | b89a6a57b48be10103825440d2157f2c4a56e4c6b79ad13f729429cd5393bf32 |
| SHA512 | 515e9b498d8cd9bb03f8d9758e891d073627dfd6fb0b931650a47d6e53722aa6e1cc3caff8c0e64f4721ad2abef7a81ef4e7b49952d3c8fc325deb5bba6b3314 |
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll
| MD5 | dd5ce4d765edd75eba6f311e6e0ea10a |
| SHA1 | 9ea7f6516e5ad0755b74463d427055f63ed1a664 |
| SHA256 | 64b7f8f70a7b037d10da72eaa769078b7e4d1ac8964c5eae5515d373e816ed6d |
| SHA512 | d2782310df7cc533cc9ffaf5c1903d5bc6a500c3bbe48148c1339fb5de19c835e4a8c765da1b80b3744ea231353f76f22ba4e04c78a3d950d7ee291d6eab2216 |
memory/972-142-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2572-156-0x0000000000400000-0x000000000052D000-memory.dmp
memory/2700-157-0x0000000000400000-0x0000000000428000-memory.dmp
memory/972-152-0x0000000000400000-0x0000000001438000-memory.dmp
memory/2604-158-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2136-159-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2604-161-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-06 00:53
Reported
2024-09-06 00:56
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
133s
Command Line
Signatures
Azorult
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ce4823889c3c5f42ffd5654be87d8ff3_JaffaCakes118.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cexplorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chameleon Explorer = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" /startup" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM32\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\Folder64.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-G2T3B.tmp | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\Folder.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-20PD7.tmp | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-OPUF7.tmp | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-N0DBT.tmp | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-B23RU.tmp | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-751MJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-O4BDJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\is-D9I2F.tmp | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\update.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ce4823889c3c5f42ffd5654be87d8ff3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cexplorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Drive\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.AutoplayEventHandler | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\System.RangeException\ = "System.RangeException" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\System.RangeException\CurVer\ins13 = "installed" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Drive | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.zip\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB} | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Directory\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Directory\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ = "Chameleon Explorer Autoplay COM Server" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID\ = "ChameleonExplorer.AutoplayEventHandler" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.AutoplayEventHandler\CLSID\ = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer\uid = "6800b04a6bb814b596655af5dc5e3032" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.zip\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.zip\DefaultIcon | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.AutoplayEventHandler\ = "Chameleon Explorer Autoplay COM Server" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Applications\ChameleonExplorer.exe\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Directory\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Applications\ChameleonExplorer.exe\DefaultIcon | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Drive\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\System.RangeException\CurVer | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Applications\ChameleonExplorer.exe | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\System.RangeException\CurVer\13 = "45542" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.zip\ = "ChameleonExplorer.zip" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.zip\OpenWithProgids | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.zip\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\System.RangeException | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\System.RangeException\CLSID\ = "{4286FA72-A2FA-3245-8751-D4206070A191}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Directory\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Applications | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Directory | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.zip\OpenWithProgids\ChameleonExplorer.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Drive\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Drive\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.zip\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.AutoplayEventHandler\CLSID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\System.RangeException\CLSID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.zip\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Directory\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.zip\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32\ = "C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget\CLSID = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Drive\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce4823889c3c5f42ffd5654be87d8ff3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce4823889c3c5f42ffd5654be87d8ff3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\cexplorer.exe
"C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp" /SL5="$100242,6397385,121344,C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3540 -ip 3540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 768
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.chameleon-managers.com | udp |
| FR | 51.15.254.54:80 | tcp | |
| NL | 142.250.102.121:80 | www.chameleon-managers.com | tcp |
| US | 8.8.8.8:53 | neosoft-activator.appspot.com | udp |
| NL | 142.250.27.153:443 | neosoft-activator.appspot.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 121.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| NL | 142.250.27.94:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 76.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\autA289.tmp
| MD5 | b2e5a8fe3ca4f0cd681b5662f972ea5f |
| SHA1 | b7dbcfaee55ecbf0158431d85dabdd479ab449c7 |
| SHA256 | e71c48c03b8cfd37bf17e62460733a4bfe9c484e947fd9db291f65405a2ba9e8 |
| SHA512 | 40b7140f5c182cd51cee142a2575bd70dc9bde311ad3952119fb9769b5ceeb467695aa5a66fc90520712d9a39458930efb965496d6443665b7597cfd66247aaf |
memory/216-22-0x0000000000400000-0x0000000000428000-memory.dmp
memory/216-24-0x0000000000401000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-QDMAA.tmp\cexplorer.tmp
| MD5 | 729bc0108bcd7ec083dfa83d7a4577f2 |
| SHA1 | 0b4efa5e1764b4ce3e3ae601c8655c7bb854a973 |
| SHA256 | b1c68b1582ebb5f465512a0b834ccac095460b29136b6c7eea0475612bf16b49 |
| SHA512 | 49c83533ce88d346651d59d855cff18190328795401c1277f4e3d32ff34f207d2c35f026785aa6c4a85624d88bf8c927654907faf50db1d57447730d9d6ac44c |
memory/4744-29-0x0000000000400000-0x000000000052D000-memory.dmp
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
| MD5 | 92a3d0847fc622b31f2d0c273a676c0e |
| SHA1 | e642d694367cc98a8863d87fec82e4cf940eb48a |
| SHA256 | 9a9923c08d3fc5937b6ed189e20cf416482a079bc0c898c4ed75329e0ee3ae89 |
| SHA512 | 01d13fd9a0dd52bc2e3f17af7a999682201c99ecf7218bca254a4944a483fd1dec2a3e6d59def501a024ad760b849787902ecb55bd33d23fa9651c0a7689cd1c |
C:\Users\Admin\AppData\Local\Temp\update.exe
| MD5 | 61e299de739be23bb5a865420d52a936 |
| SHA1 | 52cfa8d569f69bb051c8a865341b05e743fd2f65 |
| SHA256 | b2fc859e9d7245df15ea04ed4d9ec644b008b9f7e2ea3158a88bf02703749cf6 |
| SHA512 | aa496e7d83b2810c92a2bba8c35e02ddc9d3641fd137f86e0295f499d14b21034ba6c025d5874e6ae5878e16521628ca8f116449906a76b7daf937a3069806a0 |
memory/3940-82-0x0000000000400000-0x0000000001438000-memory.dmp
memory/2076-84-0x0000000000400000-0x0000000001438000-memory.dmp
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
| MD5 | 5b0ae3fac33c08145dca4a9c272ebc34 |
| SHA1 | 940f504d835fc254602953495320bb92456177b9 |
| SHA256 | 137723bdd388f6e5a50b7942eff02f4cc70e6b86d8650a41f9e8956ea1e4de3b |
| SHA512 | 015ffc133ad3a6937222bbc057f68b60abfe22b900b5e7c4e6ca3ec7dc6b09abaf54b595f00fa9212f370da8531af1ac5fc52b39953e1f685e81c66d1ec61f8a |
C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new
| MD5 | fb76f4f533203e40ce30612a47171f94 |
| SHA1 | 304ba296c77a93ddb033d52578fcc147397db981 |
| SHA256 | 3de05f18ffe9fda589a45ea539a464e58a30f70d59d71444b018064cf831c4a6 |
| SHA512 | a416a6d6efbbd69209e1867f12b9d1d11b21160f6dfe07c510b43112c22c317f805c67dd9402744a6c7e1541f6b3a061c49942fe28fa70f74aea670ba9c71995 |
C:\Program Files (x86)\Chameleon Explorer\Folder64.dll
| MD5 | 96f92c8368c1e922692f399db96da1eb |
| SHA1 | 1a91d68f04256ef3bc1022beb616ba65271bd914 |
| SHA256 | 161408b86eed7c4d9a5882aa00df3f8765ed28fa4fd9aab2c9b3dceadbd527f9 |
| SHA512 | b3d3fb2d78fe2df864f0e07a8bc1610ee9d65251957e0495a34c1631895293590e0fca965ec9deb160f48a4e09a2feabd3bff6fb9a0c22888a941e308de39d14 |
memory/4256-102-0x0000000000400000-0x0000000000A39000-memory.dmp
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll
| MD5 | dd5ce4d765edd75eba6f311e6e0ea10a |
| SHA1 | 9ea7f6516e5ad0755b74463d427055f63ed1a664 |
| SHA256 | 64b7f8f70a7b037d10da72eaa769078b7e4d1ac8964c5eae5515d373e816ed6d |
| SHA512 | d2782310df7cc533cc9ffaf5c1903d5bc6a500c3bbe48148c1339fb5de19c835e4a8c765da1b80b3744ea231353f76f22ba4e04c78a3d950d7ee291d6eab2216 |
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll
| MD5 | de5f74ef4e17b2dc8ad69a3e9b8d22c7 |
| SHA1 | 42df8fedc56761041bce47b84bd4e68ee75448d2 |
| SHA256 | b89a6a57b48be10103825440d2157f2c4a56e4c6b79ad13f729429cd5393bf32 |
| SHA512 | 515e9b498d8cd9bb03f8d9758e891d073627dfd6fb0b931650a47d6e53722aa6e1cc3caff8c0e64f4721ad2abef7a81ef4e7b49952d3c8fc325deb5bba6b3314 |
memory/4744-122-0x0000000000400000-0x000000000052D000-memory.dmp
memory/3184-118-0x0000000000400000-0x0000000001438000-memory.dmp
memory/216-123-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3540-124-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3540-126-0x0000000000400000-0x0000000000429000-memory.dmp