e08304b87cffdc8bd60c5f9172479a9ecafd1b134732d9bada046866c59e1bda

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe
Size

313KB
MD5

de9982786c92ba69f98145a7ff065e50
SHA1

3aa66d354410dc5a45d50d7b0ecf685d07e8a499
SHA256

e08304b87cffdc8bd60c5f9172479a9ecafd1b134732d9bada046866c59e1bda
SHA512

20ec64777724635874c537ee54d2e092b2aba852e36988dedc4b3007e6508c2564a7da9d2c76d4310353264ff2e1a42ad3b1d5e2099d6ea846310e972ca7dd41
SSDEEP

6144:91OgDPdkBAFZWjadD4skvU26CFQNGklc2Hdbakl2SaRMaWc6309:91OgLdai26zDJLU/RHhL

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
3040	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe
2472	setup.exe
2472	setup.exe
2472	setup.exe
2472	setup.exe
2472	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A470545E-A406-AC7A-09FA-6E414D1BC24A}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A470545E-A406-AC7A-09FA-6E414D1BC24A}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\ = "DownloadnSave"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019621-30.dat	nsis_installer_1
behavioral1/files/0x0005000000019621-30.dat	nsis_installer_2
behavioral1/files/0x000500000001a362-99.dat	nsis_installer_1
behavioral1/files/0x000500000001a362-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{A470545E-A406-AC7A-09FA-6E414D1BC24A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\ = "DownloadnSave Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{A470545E-A406-AC7A-09FA-6E414D1BC24A}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2472	3040	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2472	3040	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2472	3040	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2472	3040	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2472	3040	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2472	3040	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2472	3040	de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A470545E-A406-AC7A-09FA-6E414D1BC24A} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de9982786c92ba69f98145a7ff065e50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadnSave\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
b7347fcec6178a99e8d2f86791c4422f

SHA1
3cdbfe76e206fce275601f07b328dfa273adc853

SHA256
49b61810ecff0127a82d4d124f1193743933a61a5ae0862e239949ed63892b1d

SHA512
d50109ea7bba8e36141913bd625415cfacaec34d3d2d3acab50db959411ac83f0f44b19e8f823b871413cf05397c1a81b312447ef6aa2306c619c92c0d6c8725

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
410b15459dfd232fc01d3f1dfdf5f127

SHA1
28d8a1a6dd30aabcefeb098e8d230dfc0e4f00a0

SHA256
65325352fb9d9dab22ac04245c3f466955e0d5894f82537dac3d9fde4475486a

SHA512
2f1d0144e98dfd996b66863c510703f3a6f3c579aba56df86a85107d34fc261eb95fe5870a7ff59f0c8967c28ce9582e46a8c6b07b7fed80a4762a463f3f80fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
aa387feda88d57cdf2c5a56b03cd5e0f

SHA1
15c72ccbb55e414ca15c8dcd6bcae0b6cfa876c7

SHA256
eeb1fb57426168af2dfa666403b1780200759fd7d4d7d49b918ad5b5aaa0d0bb

SHA512
4c7bae5ecafc6f6cd328691ead084b880ec7d0428153dbe2c69983c3b07011502d59a9e213b6e0cf1c92f1d1d65960d18719929d0b4c2768a762b32a7bcec79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
45c5aeb9d1cc89b0604b9b956ca39985

SHA1
c86813d919fcdab9c1ac441444320e61a89123d0

SHA256
09623814da5c4507606a634687dcdc3440de9440cb362c7ed10d2c718b7ba356

SHA512
22b86a7d6e0abd5b166ace8438406def8a8ff467ecb1d1a2cbf88f1c9f8d826939978d38725d300ae7b324689d700753f7541f43f386adaf141b1aafe167c039

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
f55ccf05c8e4d751c6de007278adcb9f

SHA1
ff14d6e17780f81cd234c3538bbe2d19949b2059

SHA256
f703ec4bc26a88926145f55f5a45c01d42aab8f86209f7962a380c11b0d1a5f0

SHA512
3bd55443f642f3619ab06135f1ffd03b0fb581c50de3c445d09383d038c8255221fcb647fa0718dfe1be11a44303e5fb89be2a5a187857f0e455c62dd311bf7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
4a3d277b07addc5774247e5b5c2c3208

SHA1
21d1d622be32be87b01bd89e0ccdb45a9671efaa

SHA256
b49c100fb1e2dc94f592fd6518018d3b608d9a9552a78234a75bb85fcb8e45b0

SHA512
721189f9f6caa7763fa8b8c61c0fb457c8e557ffa884a62ca91afe5ae488a99df4d87415d94627ca57ca71a202d0dbb41ba390bec5b6a648addf6adbf6f5ade3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
7fb34b5efffad772dce9f001c9febb7a

SHA1
214390fd0aad09ebe3eba1e052914e60405d7ace

SHA256
cca73f53ec50173ba34940acfce8c16905f9e2963ff6735f8727555816da6310

SHA512
849ce8f3f9b092f46f616d4db8910a67a0465b2790929f768b6ea8c854335b9186b07dd5a1f7fc4579ecd931369f76893145ff033c149341f8138fe767710c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\[email protected]\install.rdf

Filesize
683B

MD5
7f92ce0062c6ca28fa7028a5b38fe121

SHA1
a29acff002fbe7218d142bb0b5bdfca29c60119d

SHA256
d6736091cf2843207f58e1a194cc25e2bd77d6ee98e2bdeecad5f61a4df88296

SHA512
056d478016c98e086ae6adf8d8b33b34d408cb154e082aff3ff3be07c8e50cef2d80428834f51cb56dd2381b204661036b4fbb6e7efa976daaeaa990a1414e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\background.html

Filesize
4KB

MD5
e7cde565ab382286eb5abf63b77052cd

SHA1
4ba3156cba61fa38c7cd5479b242bb98cc4fe0ca

SHA256
1ceb7676f92aaa774296d3759a1a8659c00a49bd443cd3538adf33a0780de6f0

SHA512
18a6904cd2211ddf60980e857ab832078801abe81dc480e5591544bcb3e36f29735c6d97e696f20783a11da25e50c9d8f1c10094a49df01bc9c88b394056a1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\content.js

Filesize
387B

MD5
fb8aa5fdb4dcf1f0a69bbdb5cdc9a8d7

SHA1
21224af1cadff04655ae5856d75b651306716820

SHA256
d157cdbdc2d49ac6760ec81a5613ed390806f009c8ece85a1cc3b16d78ef215e

SHA512
c407fc5a22acabecd4fedd0a016882c8cbeaaa559a2e8954d41e6e82211d0d51ebfb7694cc1314041d472f556854c29ee796ce4a008457fb4103e626039d921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\mkpljbmppdblddgelhglmllafdikflgd.crx

Filesize
37KB

MD5
4aa60e57440bf407fc41ff50074dc198

SHA1
1e1428bfbfbb59258f936f77606aba8c8e51f1be

SHA256
bcc40981f1285ea56e0eccbc0dec665850f7b19f5dcfc8ea3fbea14cd93a385c

SHA512
495119a73de06ca9ca927e1493c8b048513d93e581932eeee547135ca95e6825fe91fc7514c055513dd20c7fc44f57a4e920d2ced63a84696818c5074bf24561

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC561.tmp\settings.ini

Filesize
618B

MD5
0f9e364399f0dabd0582cab86a33e5c6

SHA1
d40f76482f25f0c9db2c9ad0acc80c67c052e881

SHA256
157fe5916655aecc5aec49a350ff1872bc42f319318cb173db3e48086a40fab5

SHA512
e3dc8f1260f5e77e05a4f9ac4471847951a52995f3439d882af4bf4eafeae4cadbcb73781ee341b240ce7eb6aeea9a8ebe64b56c219d27d5621f71a442fada54

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC561.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads