50df3e24fbd70da6f82d4e0f88f37900ace0e3741258d65edeb6aaae991b4f03

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5176306e9f48b68016d23486af65754_JaffaCakes118.exe
Size

281KB
MD5

d5176306e9f48b68016d23486af65754
SHA1

94f92715395ebb9d01e68f3de1177a8bee4c6a64
SHA256

50df3e24fbd70da6f82d4e0f88f37900ace0e3741258d65edeb6aaae991b4f03
SHA512

1a2277b13b2d972f4eaa94d4c06c68e7571ba896099b10d81eb5be025ba14eecb4b1261bb5a3c3cf1b18d94be769e1cefb8035c12dd672b5701aa6de3332ec6a
SSDEEP

6144:91OgDPdkBAFZWjadD4sSRQKC8arJ7Pg7+F0CRfAk:91OgLdanRil17Y40CRft

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2624	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe
2740	setup.exe
2740	setup.exe
2740	setup.exe
2740	setup.exe
2740	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B570360E-B089-4DEA-B032-2EB8089216B1}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B570360E-B089-4DEA-B032-2EB8089216B1}\ = "Bcool"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B570360E-B089-4DEA-B032-2EB8089216B1}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B570360E-B089-4DEA-B032-2EB8089216B1}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019345-30.dat	nsis_installer_1
behavioral1/files/0x0005000000019345-30.dat	nsis_installer_2
behavioral1/files/0x0005000000019665-99.dat	nsis_installer_1
behavioral1/files/0x0005000000019665-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{B570360E-B089-4DEA-B032-2EB8089216B1}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\ = "Bcool Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{B570360E-B089-4DEA-B032-2EB8089216B1}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2740	2624	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2740	2624	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2740	2624	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2740	2624	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2740	2624	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2740	2624	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2740	2624	d5176306e9f48b68016d23486af65754_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{B570360E-B089-4DEA-B032-2EB8089216B1} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\d5176306e9f48b68016d23486af65754_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5176306e9f48b68016d23486af65754_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bcool\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
f29924d90f061c34facda9f2470b9b90

SHA1
d521d6d51c0e72d7b29a0104374c61c948210908

SHA256
e19af83107fe3459a52defb6eeaba4e77ab88b76c43248c3a08ff10ec423954d

SHA512
177be72d98e0d26b854bd2fb9d8ba32dffa063f12323a891ce9c46eae8fe39554c2ecbfbcc7287069581af2b77e2d24814d3e65c75ec968f4493337c9c85a9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
f60d16c616eaba8956b7bfed14f68fae

SHA1
cf611c0275df397c0664f062768e71db27133d14

SHA256
85ab2673605c1870129a60a97fff9d6caa9d2fa2fa8c4781318a457c0048cee6

SHA512
e3d90cedd34bc921a45015c583af796176bac927978c701eac64822a5631cf57d75eb8b7334a06241d89824e621f8381a7ac5358fc9755f0e2fcf5084ad6bcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
d9ede5716aaa812b8d71d39ac01b3df8

SHA1
c6f332553eeddba04ed1e1ae802132a18da000f6

SHA256
3f675af7936b1eb331ad80478226a080c1b471fd59069290461d4914a36146e8

SHA512
8e43ef570e04cc44efa26b47d93aa6ded9bc2604fecf9c284be3054eddc963bd1725e373b961f56248c9a7db609c27dca757723b45c8a99bd6f14304b4e7cd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
058bdf1e7040604feff295931b5edda9

SHA1
54bf0381375184164c21b12d9c3cc8e042b065d6

SHA256
d8954173b26290e3c9485d5f5378b63349649e5a03c2cafc27bfdffcd960dde8

SHA512
2a979c9610b64953778223225c020fdaa239ad7d61d557a9f117c40daff261179bff43f1f70a8246f766a852cc31a4375d0c255aab90a2ff05bded45d2e9d439

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
869978dcb1834fb1a65eb03c82b446d2

SHA1
32300be21f11372b40c1ad5b63717cefb5378c7c

SHA256
43b97facd67ab9cc9ddb4d08382dff237a9439e7daa17605e1174d9a3f50e4e5

SHA512
fb48c4036d859d2b73911a0269c4762b58ad93de8e97ce2ad49a8e2c10bd4a54272274d1fc64284830f9537356392dffd8c434eb901296b56025788b55796da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
7f401714642b2a51836470fc35cd48b7

SHA1
7acfdd638842282a1cce8f01bb9278445152e1f4

SHA256
98a926a40a89b854a600067a23f376b3fbd881c0a8c76d4a99667035006522e4

SHA512
aaffb444c77cff2e517064c5e44aae4f569dc2f65cf09b8d3e22b175cb0a42bfefae57abc6c3cae9ce848e679cff877cbb2137103799ca37c1fef91d3a96c667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
c3e61065f2cb542f607dad1adc425da8

SHA1
98df9781c2cf3dbf72bf67268668104c6da361fa

SHA256
dda37b12503241791a4199d8373d0c971b9b1424861306b9f75ab9f136ba9c98

SHA512
048d2d09e25315232359a9a05392b5feffeabf8a49a9865665ac790f860b155cc86efda5ba915005919490373b28a160e9b2c9b8720c57e0a9ecac73b3f676cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\[email protected]\install.rdf

Filesize
668B

MD5
4630558ab1f3a8d4bda6e4a17f27d87c

SHA1
ed8b68552138c1ff701416daa8283668485ee04b

SHA256
538fd43af63686354e364384b89e3e1fb7b8c972e54248c1cee1b5ef9055fc5e

SHA512
8e003ef15453c0c8b37796e7c3c24d5763891bf236abce93ac0368753078d6d62dd84e239a3f36dd5c41e63fb4e0b7c592aa62be7ef7163cc82dec7e463b2c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\background.html

Filesize
5KB

MD5
2262fb57c6145bdf37d372d80cd20d91

SHA1
906aaed355f4e850c552ea04c100abb0f117f066

SHA256
d64f1218da3b80480e086f2725a5576dba97cf40e399a04cc9bf84e8cb82e192

SHA512
c5ef9acfcfe0f97914bdc8fb6606b175ec82bb4d127f33bfe11dc027054e9e9d1f5647e7b34db3c17d6dd9329d338d64568883ba8bd95fde72ba5eadd1a9adae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\content.js

Filesize
386B

MD5
3fcec8fa38a822627d4ecf2359868c49

SHA1
490e2ed58feb64ff77c11047ef9345ce99068da7

SHA256
6b866a3fb717c3b73357309c25c0e53060addd3fc529f0662397c869155e8b89

SHA512
a7eac0ae9b1171c02296a1dacbc82bf1d93657d75bcc86cba7041e90d82d177f50e4366e55ffa9246e5f3d7b409e7d24f25ad4eef2dbb1b29a3ba32011a6bbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\eofbacjhgijaljggoohiliegjiiphkog.crx

Filesize
3KB

MD5
b624aed1882259993fa72fcf04465cb3

SHA1
74d4442cab3b2ef99f802de13ba0089be4189f18

SHA256
59669148bdb07b2aeaef7a0e23b22580463759c0f821f3f2433642118ad83e25

SHA512
85bf6d66d5f083e1fa8e0ff5dba29f05ea7f6be6491ceab7bb835afd9bfecd5b1666e1b30f8e1c80e19d6438bbe30cd3edc65ac5d77a31651978af50b01e274f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\settings.ini

Filesize
649B

MD5
09d4939f4454381465bfeb1c90bc5c92

SHA1
fc5440bb1698d9065e7aca0c39dc96ece5303b6c

SHA256
6b19b7ec2de9842b9aa8064d24b6c370ce522a87cf170481353f3373b65c2e21

SHA512
e6727e03cabcb89926d4be3e9c7fc08d1381ee87f9488236352f38db05c5d559254673b5740aca035e1a15f7f3d6dd6ee188f2e259346053659e52b39568aac2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS34B7.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads