2acd23202ad4dc3bc2473b6fb20e132a0acba4c6ac4fadc80b0e6cd33a6c2d98

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 02:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe
Size

257KB
MD5

df5039b8b15831611e6a4df66bbd7f1b
SHA1

b0643896cb4b545e663a21cfaef443d40d8a4e8a
SHA256

2acd23202ad4dc3bc2473b6fb20e132a0acba4c6ac4fadc80b0e6cd33a6c2d98
SHA512

e880d6318ac51b0115c41194f855a55d99f4415878d5247fe674e5e0bd710c53252e6bc65216fe3cd839d924eaf8ac02ac5868e490e004b0903288cc1e10e942
SSDEEP

6144:91OgDPdkBAFZWjadD4sK7GfWX6tekG0BS6fzdX5pSre:91OgLdaZ6f0WS67dXvIe

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
3000	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\ = "ADDICT-THING"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016d47-22.dat	nsis_installer_1
behavioral1/files/0x0006000000016d47-22.dat	nsis_installer_2
behavioral1/files/0x0005000000018731-82.dat	nsis_installer_1
behavioral1/files/0x0005000000018731-82.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\ProgID\ = "bhoclass.dll.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\ = "ADDICT-THING Class"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "ADDICT-THING"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "ADDICT-THING"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\VersionIndependentProgID\ = "bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1724	3000	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe	30
PID 3000 wrote to memory of 1724	3000	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe	30
PID 3000 wrote to memory of 1724	3000	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe	30
PID 3000 wrote to memory of 1724	3000	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe	30
PID 3000 wrote to memory of 1724	3000	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe	30
PID 3000 wrote to memory of 1724	3000	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe	30
PID 3000 wrote to memory of 1724	3000	df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{82BBB68F-9D97-AAA9-B8D8-0D53FE1EE897} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df5039b8b15831611e6a4df66bbd7f1b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ADDICT-THING\uninstall.exe

Filesize
48KB

MD5
a724dac649142fef71fe4b529684e969

SHA1
e2878e84886ec53a1332ad969a825062526b5cd4

SHA256
b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc

SHA512
9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
f0ded83c97e0190109bc35e59c3a86a3

SHA1
8ba0d099b3ae07ed479f45000f422f78a579254f

SHA256
9301e5cd5c9018835f5656cdbc01e62968d2cdc305f4230fdd2b12e256463484

SHA512
6a437fc06c2db07568606e8a9561f51e6d038d8afb2c05608167e42c5c134290d96a8be80851b01175e579f07685dc49ac1921f497f2f384670ccb24a1cbbb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
1b99a7f2611af58c6b331568e4737bdf

SHA1
eca1c42d9324d4a849ccbe9a7cec988d0cfa800c

SHA256
ca85ce74329ccb0257a588f946f52a19e391aa637e60830e17eed9bed8e0fa10

SHA512
9af2cfce1cab51bc5496d8eb05d66734d95e1e09631ed3eb05e1626df38d515bd53bdbd73dedb7004e9282e6189cac2094c7d732f20e984035ebf70a4a5cbb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
32adea70bb7bbf9aa5160b7831538b48

SHA1
0365817d4090d0e9bdb4b2d913ea045f171345fe

SHA256
8a196e85aa2770752fe76cc668fa82dc97c435afe61473e79ab9408f8c1e429c

SHA512
f7c7c6e27d414cd6c9674692179219897a4975172554dbcf621542cb26a934805160c70e69034eb2a873dfe7743d0ae0879b24ea22059648b49a930cd57f25ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
7df96246acb3a78b5dcd20c3a9d8a6e5

SHA1
7cf502edb0f5888aafaefcddfed5164b6bb016e8

SHA256
b13ffc6cbbb2deaf321e2bdc6d1f6abeebfed24a2df37dd12746df3a89ebd839

SHA512
5a576950d9ff04751d3b6369288c52e5efe2863f885a30f17f5199f59a5e662e15e690eb31641718e2b14188c20dbef519f4f1099c2eb19313df282f5604d49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\[email protected]\install.rdf

Filesize
714B

MD5
7dac494996221cd4e7710182b196347f

SHA1
053bf23dc8342c3fba98605ecc4a5384ac3cc818

SHA256
8fde14e064f157100a6f8ff135cba4ea589d03558b10db9a88003e46094302f7

SHA512
de7c2cb54a4cf8b2e9504b0638242e0b687795f8de05621c6c249cab270ef6ab9b0a1fbe6b4d4fd6b6192620c1b34afbb1e7109baf231b728c0224b6b91db492

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\background.html

Filesize
4KB

MD5
291c743d8981eb9192e8a57ec4d1dc4c

SHA1
d59288f29537b50d0b48876b615bc4057f906cc0

SHA256
7fe31043d6fa67c4e50c2ff2a6b86ea1b014c25d2073c71ded6e6ef55121345d

SHA512
baf6d285d126fc8669f6f2e9f30e094136e5b5928dd5e015194222335ed60995782d345a696ba1ab592cd2f72d8861765f015a93511b2624541a81d3f40ebe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\bhoclass.dll

Filesize
164KB

MD5
474a025909c75c607905b9e2cae8a56f

SHA1
83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e

SHA256
25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f

SHA512
29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\content.js

Filesize
388B

MD5
230873b3e26beeabab1ad7b1b05a5332

SHA1
25b4fa02de74dc12e3ce01e7e2691911af0e157a

SHA256
47461770edd7107133ee92b610297bc66a8314d8fb909853ee3ae3d389fbd011

SHA512
dae3ad9433caf8185a0514a8b186a6c37a0ee79cf2f2b3e573dcfe8ea028eb324182883ca1670c51ad4cc1cf576abd983809f61adf7ace4caba4b87ca344ddae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\hmfhcdnaajllfgokjmaaconmallcdfpl.crx

Filesize
3KB

MD5
adb067d89f5e1e180182f9286d16c3a0

SHA1
a38796b27f3803d022e9bdc2706cea83af22bcd4

SHA256
c71bf60220dcf93b9d5c4649fed6d248354ba8646badddd18dfb890c8b7d9818

SHA512
f984b93e9b88eab3a0090befcd3bb2eb240e7b3ab9c1707a740a6474e0205f32c0ef7b3ff3c80a46c63f98f1b0c690d668f4ad90c663952a4a8f0d2b41d851e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\settings.ini

Filesize
916B

MD5
ef64680afb1e51e3ba6a60f73120350d

SHA1
e126b97e46011aca336e0f66a24975643bf27e74

SHA256
5dd2239e4b8e6479fad7cb77c88c3f8b7a186147029bd58e93a34954671197c4

SHA512
230e30122f8606e1e71321a0c2d123df4eb7bc92328a4d38f91b24f746bb02a6a883e6c85a09817b77d2b537ea2213e3de67408e0684388772a7c309c1168174

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\setup.exe

Filesize
65KB

MD5
4ccf1a317aa8539c857835e4ebe9c806

SHA1
223b73d09d7398f40aff3ccc569e66cae3886ee9

SHA256
4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

SHA512
ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

Download Submit
\Users\Admin\AppData\Local\Temp\nst9FF8.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads