e09289244a30beb16cb82275f5afb5d089b52ec81cb86a0a9818aab050ff3dd0

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 09:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe
Size

313KB
MD5

de2aa3f8f51d1ddce6b734c461bdd526
SHA1

e5381ac6749907cd603fac750a2895ed714fee0d
SHA256

e09289244a30beb16cb82275f5afb5d089b52ec81cb86a0a9818aab050ff3dd0
SHA512

ef49b59dcdd062a146ef6e5944a822a72572dc484258dbf0f2b1d57e3eac2df8c0e062f2d3896739dd6760d53f0a2a2a74f7152b7294073c1a069f54f0802725
SSDEEP

6144:91OgDPdkBAFZWjadD4snTo6TZThm0PSBWZrMclPfq:91OgLdaYHZTc0PRrMwHq

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2892	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe
2892	setup.exe
2892	setup.exe
2892	setup.exe
2892	setup.exe
2892	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C208558-66A7-A037-FC7B-D5778755C2B0}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C208558-66A7-A037-FC7B-D5778755C2B0}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C208558-66A7-A037-FC7B-D5778755C2B0}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C208558-66A7-A037-FC7B-D5778755C2B0}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019533-30.dat	nsis_installer_1
behavioral1/files/0x0005000000019533-30.dat	nsis_installer_2
behavioral1/files/0x0005000000019897-99.dat	nsis_installer_1
behavioral1/files/0x0005000000019897-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{5C208558-66A7-A037-FC7B-D5778755C2B0}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{5C208558-66A7-A037-FC7B-D5778755C2B0}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\ = "wxDfast Class"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0}\ProgID	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2892	2116	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2892	2116	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2892	2116	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2892	2116	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2892	2116	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2892	2116	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2892	2116	de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5C208558-66A7-A037-FC7B-D5778755C2B0} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de2aa3f8f51d1ddce6b734c461bdd526_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
135e0126e126bab5f38b1ae128c05460

SHA1
f9ee4c13c3bcdfd14abbc3edf124fd5c12dd7243

SHA256
6224896583801484050b6c848a9e0383a054dca79d39e452904a1fa37cfa15eb

SHA512
bdd41ef17ec39f7c69ff2e675e6c5a57f6adcb0724396c0e39173d591e0de880b237fc325cf6966c1c12049d4025dae6a2c05064be05d45da5b36e6e5be75e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
c42262488f020e71fdf0a4b1b2dc083c

SHA1
d3b24bb7d76108390a6f079205aae0cef07a4547

SHA256
fc35ef367e53942c1abf11d9c7a76dc7acec7f5571b27b61f5ed4d0c9b80a826

SHA512
a3a5e939128afc2e8179a836833e72ced04a2656cbe7935caea7df1ce94af69e312f56d2304807f7517f1761d7bd7f256053eb7c40b1dce50f55a489ea9a06d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
b532cccaa965c852e6558283feaa3dd3

SHA1
7bd20b8e60735e276b857875797f44172eb248f9

SHA256
67afbe83e40e805471474a19896a64bf8fb4ac7eb20a0953679f8713dfd785c0

SHA512
31dd0b3e4547f1ffb089003c2e1668a30e56202c695a2a0443139a8347ebb8cc3635082aee1680ec9e1231f1832d35f1a5335d512bfc3c876e8ef0090bbccc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
91d0251ed466cdd2a2e9b9c8f7c2ea25

SHA1
11a7bb7aa59a4e7e97015c05c78acc744f757031

SHA256
58219b2fac5d4f2001c386486027fc06492312e895193680ebb72042d761799e

SHA512
2feb26216a8c2ff2fe997170cdb139eadb5ee681e1aead9573db8f459d7d28d2586f78c7a8f7e85214e95f0d3ce0547652639ada8d2012ee777a81f6d9c7ecf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
dc7623d46990c955bd1420ad74a73ad6

SHA1
a094e4a2070c01a82f69925e5eb9d150dc900070

SHA256
9f96a788cbfa42af2a6e9d43f226a3bc982a6e557650c03a8a6a0cfa71b8e0c7

SHA512
e5899a0e9c13db3e2e6d594b66a828919ac4e673e197cccb8ed24160d651ce1bb1cda36e2a20fada7de5e4b6992f13d3ef96519d10c93c0fb632acb000f86723

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
abcc5a50e711ee520b99367ea8678430

SHA1
bbf3e4fc63f51e1058f22cdfb9ecf612ba909793

SHA256
afd18bbfc3b84a38f9ce3ba4ef0132115a0f4312f76f4aff203992b6f4ab1d90

SHA512
ce4d612e4bed9eaaa9abfb8ef99a0eaff342777f2ba1be081e8cdf7c54d464c7944481ee7e1cb40a0f6f270e4dc684d501724a3ee435c1f878cf53476bf52ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
3346fffa91f48a9f415a910a98b2fecc

SHA1
557290d6ebff06e585dd6eb99cd5d7c8884eabff

SHA256
fedbe556052d4b5f3ad1dc2f3844a1545a2debccb754ec17e77dab9e430efe6b

SHA512
f96bad2554572a40a6ccd37d8ae3416b4e448b3c2b9eb97b3d03d0c49e40314300c7c0c75551efe859b3a2cca89f781672558d367b977d1c5b2d6ab4b4b612e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\[email protected]\install.rdf

Filesize
677B

MD5
285750dca37356dc5577d9e1c3f46dec

SHA1
22916b78f01af081fcabb0c2f0dc9a03d5327f6c

SHA256
1c561308eb4418d9b5e1cc1d02f03d89bdae6bdb1ddd5286fac15fbb4248a670

SHA512
952ab3405cae1ea58ece8b147eea5fc1818f036cd2ab9f38184d9641cf4e3bc9b97d20c8b5e70257441c3b92b894f880f0e364d8715c4503d79a8eb6d055d5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\background.html

Filesize
4KB

MD5
e97cdd78501589678cb976d1f3c0d99f

SHA1
f16e520687007106d09d5ad06b13dc5617559dd7

SHA256
34939d23ea888dc84e8eed73fba7035ba6c6e030005635e83b0ed2d75184de10

SHA512
2981c9270f8daabc0a17d7543fa1d371875bf04184476d886a4c774f3a042d79aad1b63b64777350799b1664dbdcacd3d659d73dddc5ff25bad2fab1568363e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\content.js

Filesize
385B

MD5
0bbef154900e63ff2444ef1e5fa932ae

SHA1
f9de4455f3511292a2bde640f78ed401129c2684

SHA256
b7e3baccebd9aba29da134d949852ae41f84a55c4edcd93eee1177846a4b1004

SHA512
a540903ae7ea6c6c2f3bdfd408a7e8edfdde7bc3548a081ace52779b4e76e9a581354a5394ecaf0d49d9e758d9907753beeab870c445a5fefd5849144179748f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\lpkacccbhoofjiljgmnbdoampddmegnj.crx

Filesize
37KB

MD5
7038f2a1c9b88ba0d7b87ab532ca152c

SHA1
cd104c3070f2114cfd48facf4398dc3d0184ca29

SHA256
aed1ffc34b9cd987998454cb838dc874043946f843ef6b5e03fb9a7e90ed2b84

SHA512
cba77585cf478f1f441161ef051adf3e3d261ba252cca1472ca53a1870c28d8c76b7f96cb49f07699876349efc425eba4b756edfd68776d94c191aad6cafcb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\settings.ini

Filesize
599B

MD5
e0493dc1e3a972ede53b7ab6b9b66114

SHA1
04f63de72fa2ca581ead57713438423b0768a96c

SHA256
5a5b67448d475750c8ff7cbca9358a95b540de30f26e23d936c150856577d667

SHA512
421d1c2522cce241da93978212b7de1e9d1095f9f2d167a1ff9e66a9f467c4d2bfc4d86fc79b5060936e1a5d0ff02b0bb52ed2b80908aae9a22cb62414313c8d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6A5.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads