6faec50814b8033ec80ee052b4375de45ad0e77792e3d46bbde31335882947c7

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6750cd731443871a533bfc383d9fc3_JaffaCakes118.exe
Size

551KB
MD5

0a6750cd731443871a533bfc383d9fc3
SHA1

d6b519ed4594bcff6813254d0dd17ae2a6003d29
SHA256

6faec50814b8033ec80ee052b4375de45ad0e77792e3d46bbde31335882947c7
SHA512

05157df7196ca13af3e515a29f4aaf2eaa810d3fac86c9009f83c6102d06a1cf2c0b6e2e1b95d333715f4e6ad38829df87dd1d510a657944392f1beba4dfaa69
SSDEEP

12288:h1OgLdaOdWctn+MEfOUgbJuMmFcouJqkT:h1OYdaOdtMOUgJHJJqkT

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	0a6750cd731443871a533bfc383d9fc3_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
3076	regsvr32.exe
3076	regsvr32.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcaampaiodjdkebfgecjjhabdajppljp\1.5\manifest.json	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\ = "saffe save"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6750cd731443871a533bfc383d9fc3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\save.1.5\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\save.1.5	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\save\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\save\CLSID\ = "{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\save	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\ = "saffe save"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\safe	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\save.1.5\ = "saffe save"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\save.safe	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\save\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\save\ = "saffe save"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\saffe save\\UpbSf.tlb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\save\CurVer\ = "safe save.1.5"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\InprocServer32\ = "C:\\ProgramData\\saffe save\\UpbSf.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\saffe save"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\VersionIndependentProgID\ = "safe save"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\save.1.5\CLSID\ = "{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\ProgID\ = "safe save.1.5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19EDB4F0-DBB3-FD0E-C4A6-CC16FD304D05}\Programmable	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3076	2300	0a6750cd731443871a533bfc383d9fc3_JaffaCakes118.exe	82
PID 2300 wrote to memory of 3076	2300	0a6750cd731443871a533bfc383d9fc3_JaffaCakes118.exe	82
PID 2300 wrote to memory of 3076	2300	0a6750cd731443871a533bfc383d9fc3_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0a6750cd731443871a533bfc383d9fc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a6750cd731443871a533bfc383d9fc3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /n /s /i:"" veY0t.dll
  2⤵
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\Preferences.C__Users_Admin_AppData_Local_Google_Chrome_User Data_Default_Preferences

Filesize
7KB

MD5
46fecf473acb5d7640809d98ca6375dd

SHA1
47d60f3ecb1803baede411a9cf0391100c666fd9

SHA256
bac4a17aa7c639c426a3407ea8a8b464cc3e8163c9b7ed18d583a49aaab7d8b4

SHA512
8e8d0305aeb23d6b874d1ddbe3b41a3a6b583dc78089a522f149372d8003bef63b67e404b2120c814491f10b4e4f2daca057f1f8016466dfc441de22e0327d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\UpbSf.dll

Filesize
180KB

MD5
0e093772550eb9541dd715c016b5584a

SHA1
20338dc859a5652f5661280dc508f4e5b533e76d

SHA256
028999304f35f7a6fc2cf6e360d4ea587612d63ce191fa979cc98ccca46ab149

SHA512
0030b395e2fde6bc9f70f52e71d8e87d306cff8afd2acbad725c4cc92b6d7916a38c1d6d156feaec841966492d32394982ef51989e2b8673d7c00e103f744dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\UpbSf.tlb

Filesize
2KB

MD5
48e9706fe9f76731f3576122fc3e9e33

SHA1
387c8c4898ead8ace488a7df80fead429eaf167b

SHA256
7bad79916803a14ca817e5c39f5ec2f0f240044d6dc24fb4916c8fda338060f1

SHA512
e9b44a2b1b7a806066182a084ec9df81916fc6db79710256e173377e7cd64a732c006830bbe324a9a734731ecde8b8251cfa995399f6d4df5322faff99c458b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
b04bdd2cda8fb71b819ee13142b47e6d

SHA1
e928c826a08d822a8a0355bafa54266b92d5a9a3

SHA256
d70a1cffaef0b6026aa5d9a249a4953846b7697a59b492f569d1962dd4ef7ebb

SHA512
92abefa5ec90513b0270da74cdef765a0b63328fc837b58dfd2e47ff1ffc17c6239b0bb9e03c1f84fca47c7da2cee72c44baa361b2f660817c2c0bb10065aa25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\[email protected]\chrome.manifest

Filesize
104B

MD5
7e94c01b9af7891c84d36d4c0d9ceffe

SHA1
0d5cbebfd2df6d9a521233729b9035ac0e7b955d

SHA256
7d05115270df2bf330faadb162ac4f20c98f9961b18b3d06186ee41fa6ed5a6e

SHA512
d784ac19aa80211c6bf7105bb85f86bf179e0adb110f8739703180ac86d1e813129f5395a24f321ac87d065bb67a6c3f719d03bb6d28bebd69cf9558ecd215db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
83819c8e743e768d6437064413ae530b

SHA1
8c1c120139a5bca2849b416a7c69b0a4844a4f35

SHA256
ac91b1349524d59841fced8c96a81c7b5c33b0b3ff7957759754efbeaa2a037a

SHA512
043fb07d612f18a8eafcd1ba51ea7aa684b089d7afa2dc0f194b78d86d6b672f63f8dcccfb22958413a15c40f6f6684b2468ae1c69a35de27feb24f3c697cc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\[email protected]\install.rdf

Filesize
604B

MD5
e906888821750d55f728d4744a3ad7c1

SHA1
1e35bc8c6de7fbaa8110c7d4fb0670670ab2dbd0

SHA256
734d3888546bf4afc18519cd2c2eda38f7968f963905789d577a0648492b6b64

SHA512
06b1dc210e210cccc21e5300d81420207963fc38d211ce646eaeb830033e2a3140c3904553b8e33e3e7680ebca10d278690b0c6c47a9840573b81f4b4f5e5706

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\jcaampaiodjdkebfgecjjhabdajppljp\background.html

Filesize
143B

MD5
d8b2288d29cef64cc876f3277e73882b

SHA1
9bf3f25dc53e6c6f4d90aa898935737a3b49c800

SHA256
7ea69cfa7a1d850b9184b387cfa754db2015f79dcb5064ca55dadc9de847a64c

SHA512
ee20a8b26683377a25ccccdf3166e6258c5cea280dd8999d419328b0c84d1f846d691929689686e66aba17560b80d0d8a71df089585dabfa0a18215cd6f3d19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\jcaampaiodjdkebfgecjjhabdajppljp\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\jcaampaiodjdkebfgecjjhabdajppljp\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\jcaampaiodjdkebfgecjjhabdajppljp\manifest.json

Filesize
503B

MD5
ee25711f1099ce510431aba9a574a7bc

SHA1
20721202be51204a4924bc0fd2cc94aec6346aaa

SHA256
b8b4bcf426a8b843cb1582c64e64d10895f8d6b50fd567f67bec0d949f343a85

SHA512
e3044f617a1f487405f0c69f5909707f4174b97ac5f2ae260ffbc876a80b96d573f87e3aaeee384cecdb490be049bcb6fb6ad9bfda32adf6950a99fe63287165

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\jcaampaiodjdkebfgecjjhabdajppljp\qo_zhv.js

Filesize
5KB

MD5
6e6b8ca757930b0279c9067bbbc7a5a6

SHA1
38ae6929b6770119035a8f3e221c753ffe49c7a4

SHA256
7581e44da216739c91acccfa6d853415df86da9d0433c129b39dbcdd72669924

SHA512
85ca213a0d021f901f932aaf3b0c103eb39ac8550b9fa9182717b539f8fdac17726400766b8ab01f081004d1803712e3e637f913af23183fb134ae221fe82d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\jcaampaiodjdkebfgecjjhabdajppljp\sqlite.js

Filesize
1KB

MD5
12bc0b1b851385f1e211c4117da2ba70

SHA1
df51a875a0870b7e703a3164869720e120a10ae2

SHA256
65d1fd37b3d9bdfa96d194874f39a868b8b3ff86c1e3da6decb8e312a19126dd

SHA512
35a9a5c4d41d6ce28aac60cbed1bba17ac41e6f707888d6ebccba1b6b52037daa437c6391529db504771c7c2e00e761885b2c779aaae36c3f96f6c5fcea25eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\settings.ini

Filesize
7KB

MD5
9f55692d8136a53f7537ce40ca8ae2dc

SHA1
52ddb5742d01d45b011f7e88b3d2ac591fe54eca

SHA256
600a4f595fd0a6944688a5cb052f41af602198c9c6db8162c741a0e86b919501

SHA512
3aefc99d23735c550605357c69ba2c75f9bc4e83434035e6b1de54a3c76351cdc85505303f315f301d9b7d48a969b377b7b012d2326779d385d77a1f273642db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS807A.tmp\veY0t.dll

Filesize
203KB

MD5
41b13b132cb601ecc466654b90296353

SHA1
245258ddccb48826f22d57444f49fa30be1b36fd

SHA256
7fa4bb68c313e1090587a64b90e87bdcbc14ea3fb7c0e8cff94c657c969b70bf

SHA512
0e8de7bbe3695848e299fe3f3506f2e982a60cf0a0dd11cde86de4af67ef3c7b46458680d7bad9cedaa266ea33cb2e77f2aa83fcf1bdd20bf31d1936f2bd69a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads