ffb5becce9a62f444543ed2d0dc5ba8356ddb1c8085af1c9b92b456337c5a796

Analysis

max time kernel
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25ee56a83e55e01ab94c98b1512fbb67_JaffaCakes118.exe
Size

1.2MB
MD5

25ee56a83e55e01ab94c98b1512fbb67
SHA1

2906f58b6428450c7e17d44cc7ea5a97c7eca527
SHA256

ffb5becce9a62f444543ed2d0dc5ba8356ddb1c8085af1c9b92b456337c5a796
SHA512

57ea47ad0a46104f22e19eb20da3f758b2f2a4f61a72f664290dca006ea4d8d72c2e9e76618da695ae5653aecf3bc0f4cacee36efaef8ae7c5b55191f3f6b836
SSDEEP

24576:h1OYdaObIEMNRZbkXIyx0jPohfjOyBu9hyHH8+UhnWb3aQ7:h1OsSEMNRZbkXIyx0jPKJuvyHH8hWGQ7

Score

7^/10

adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
3992	If.exe

Loads dropped DLL 3 IoCs

pid	Process
3992	If.exe
1340	regsvr32.exe
2744	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fadkibickdkhbjkcaihapdohdallcojl\4.0\manifest.json	If.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\ = "BeeMp3"	If.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\NoExplorer = "1"	If.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\ = "BeeMp3"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BeeMp3\u.x64.dll	If.exe
File opened for modification	C:\Program Files (x86)\BeeMp3\u.x64.dll	If.exe
File created	C:\Program Files (x86)\BeeMp3\u.dll	If.exe
File opened for modification	C:\Program Files (x86)\BeeMp3\u.dll	If.exe
File created	C:\Program Files (x86)\BeeMp3\u.tlb	If.exe
File opened for modification	C:\Program Files (x86)\BeeMp3\u.tlb	If.exe
File created	C:\Program Files (x86)\BeeMp3\u.dat	If.exe
File opened for modification	C:\Program Files (x86)\BeeMp3\u.dat	If.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	If.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25ee56a83e55e01ab94c98b1512fbb67_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	If.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	If.exe
Key deleted	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	If.exe
Key deleted	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	If.exe
Key deleted	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\Implemented Categories	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3.4.0\CLSID	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	If.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\Programmable	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3.4.0\ = "BeeMp3"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\VersionIndependentProgID\ = "BeeMp3"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\Programmable	If.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\ProgID	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\BeeMp3\\u.tlb"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3\CLSID\ = "{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\BeeMp3\\u.dll"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3\CLSID\ = "{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\VersionIndependentProgID\ = "BeeMp3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\InprocServer32\ = "C:\\Program Files (x86)\\BeeMp3\\u.dll"	If.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3\CurVer\ = "BeeMp3.4.0"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3\CurVer	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3\CLSID	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3.4.0\ = "BeeMp3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3.4.0\CLSID\ = "{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3.4.0	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3\ = "BeeMp3"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\VersionIndependentProgID	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\InprocServer32\ThreadingModel = "Apartment"	If.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\InprocServer32	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeeMp3.BeeMp3.4.0\CLSID\ = "{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\BeeMp3\\u.tlb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	If.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F}\VersionIndependentProgID	If.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	If.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 3992	3348	25ee56a83e55e01ab94c98b1512fbb67_JaffaCakes118.exe	84
PID 3348 wrote to memory of 3992	3348	25ee56a83e55e01ab94c98b1512fbb67_JaffaCakes118.exe	84
PID 3348 wrote to memory of 3992	3348	25ee56a83e55e01ab94c98b1512fbb67_JaffaCakes118.exe	84
PID 3992 wrote to memory of 1340	3992	If.exe	86
PID 3992 wrote to memory of 1340	3992	If.exe	86
PID 3992 wrote to memory of 1340	3992	If.exe	86
PID 1340 wrote to memory of 2744	1340	regsvr32.exe	87
PID 1340 wrote to memory of 2744	1340	regsvr32.exe	87

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{78C8C26A-9BB7-6BE1-A3EB-34ACC509F92F} = "1"	If.exe

C:\Users\Admin\AppData\Local\Temp\25ee56a83e55e01ab94c98b1512fbb67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25ee56a83e55e01ab94c98b1512fbb67_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\If.exe
  .\If.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3992
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BeeMp3\u.x64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BeeMp3\u.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\If.dat

Filesize
5KB

MD5
0fb71a74dee74c673a1a8dac5fe6cad9

SHA1
63ee2e50a7892572f9869a9ed705a1fd6e8a486b

SHA256
1d71d94dd3711ff050aeaa7da36c963a562ad54e38576986d9b2590568543255

SHA512
f791ae5eea4efcc2261204eda171291f42e6757a402436c9ded5c0a8d69c02018fe4f81d7ef01fe6afd7d5afc66534ab1e5dd51e5c0fbb3081b11de7f8de3142

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\If.exe

Filesize
470KB

MD5
297c46f413d3c5c5b46e335adf199c09

SHA1
2315be5c129efe4fac36850b225ca2ebeec196ae

SHA256
edb17bd5a6416faeb179d4b72d8f91aaf1c21bf7001fd40f2d1947b90d636a1f

SHA512
6302b38cfcccc45545baad1cfa849700df61b20bce351f2b1f8eb94b21187718ccd080720cc2cfec6122c870b33b914e2f0deb7aa8cee1cc9efd476dbb71b0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\fadkibickdkhbjkcaihapdohdallcojl\background.html

Filesize
139B

MD5
fcf808e0ef26138142a20bdbe2971495

SHA1
17abce828e57239b226b3cb88b875b8a9489a0c7

SHA256
72a5ba3ab9dd368d537771d7dab1d775be6049936b63fcf39cd72f5762f14deb

SHA512
bf2b1cf77b0c0e6ef87f511f25264ec9c762029685339132d9eceb901911bf8a23c8cf4f034d2eecf48f30404cc931d620c8308175dcb9e8b2d4b1a35fe18753

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\fadkibickdkhbjkcaihapdohdallcojl\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\fadkibickdkhbjkcaihapdohdallcojl\icon.png

Filesize
28KB

MD5
a111255498af23b7151dec69c518d8be

SHA1
99624bcd9d580755bd02dcfbbf98bbf58f188d67

SHA256
e1969c4616841928dcd4cce03821b76ee84718360e015f40aced5752bfc4c772

SHA512
38416b052bf4a57163094b53d5de020e7efff3a46f47ec9547de1b943684914aac71f865227c2e8db36ee6d668ac2b783cd790b30247d86d78398eae838cfe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\fadkibickdkhbjkcaihapdohdallcojl\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\fadkibickdkhbjkcaihapdohdallcojl\mE.js

Filesize
4KB

MD5
7962dc56d779279a704ac2a414086e15

SHA1
9c7e22e9d6cda7ef53aed9e2e06bee9f69520a0f

SHA256
53dd0a7242f82b2c2d360f2f087c49c2b8db4564e51d17f1bab59d267f2f1370

SHA512
19f8802692a14db0a53ae34d31a6cc269f909366cee56b4052cf230146e12291f49e7895c6ad59d7824674924458a7185226609b8e9371a83f5e9c953740b970

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\fadkibickdkhbjkcaihapdohdallcojl\manifest.json

Filesize
576B

MD5
0a6e05e7d39440361940936334d857b8

SHA1
52b88b633348ac1f9f3600d376e397e25611ddc1

SHA256
c11776b2fe2ca3c34110468555de9040ddd46da4aa1a0588d05ad1fdd3f90eb2

SHA512
150bff02f09d31c685319f1c6813573f583f14fddc6c65c367cfb10d4baac149c257141b9faa8e46035b6418fa1ea3386c718d5fb1d43162c667cd553db684b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\fadkibickdkhbjkcaihapdohdallcojl\popup.html

Filesize
327B

MD5
66e880d9c45d21f3439a6be6a51daa8d

SHA1
a1e1cef249090391194a8d7a4fbc5d7dfb714ebd

SHA256
fe7ff90b3b85ec91d81e338198ddcb9d8d85f3ddbb45d51b0aa73c86e6666b79

SHA512
22b320b17187ec81003a628dba19602e351785fc6e678ed83e48780f890f40393e8a23be83ae603db7d999f66f9b7d6ae9de40875a2f05f04ea97cf546910b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\fadkibickdkhbjkcaihapdohdallcojl\sqlite.js

Filesize
1KB

MD5
05b69d586ace9762b7319d575a862342

SHA1
8ae4d2d5cfa92e7fcdee8385d4015081a748ccc9

SHA256
683eac1bc2496165bd8d00e73dad3cacd4c114718612b5dc146d18b4a43c3f60

SHA512
011d8c9d32ce734bb650be46717c2a0ec163d69ba5584c68fa1a7ef6a5f42adaad55d444c832e3180e3f1eba487bcea2ace70f7573283249db24aa67d656d30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\[email protected]\chrome.manifest

Filesize
96B

MD5
bba82d7a9faab7f6753460b05e85e3af

SHA1
fe8c4a332be4c266680d5ba07de32aafebec4ebc

SHA256
3a547ab3bc49c9eb9a5d72030f26a581a7a7e768f4f1447fee60aa0436872766

SHA512
0ebac241e7e7ef687d8887457652763978e4c039ee62320a63b0742d2239f560729d48c9a5bc05623b181d51bf8f612fd2dcb741bbcbb3b00a5c2ccf756ed664

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
517a705ffe63fb60f1c9f796e096a751

SHA1
5e8bd2a1ff7de2cba7bb501870b873ef43171393

SHA256
da8975fabd3f04789b2c60a4edb00a71e81901339a1e517651e74c4049bf42c0

SHA512
b108ef9af3a8364c56b9b59ece29032c3b95a819bc0549ce823d40901ba1106c52fa0ba686c50487f28f5126fc163f8edfcf5a688b47d14c594a071299b0efb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\[email protected]\install.rdf

Filesize
601B

MD5
6f5029b373ac652ab23fc20e94b7fd61

SHA1
98fd9f3733d3a0250f53ef73907dee6976d63884

SHA256
66149633282433a3633aff52e6e2613d14d76b4d506e4735c8a7b2c2f1230cc4

SHA512
d51f1f4180463263b0b5dc63a0cfe846ee98c10d9a42a11cbedf89be817d17aabc263d70ca80c35069c2839d8b3ccbffe7eee7a7731ae1c86e18b2e993ad6353

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\u.dll

Filesize
258KB

MD5
e1d10cccd5dde588af8ee2cb7309523c

SHA1
0b9e805077320b0ce1e6620488bd34f1c4d7827e

SHA256
9900e517bfd4b39bd7af4bb360af52f6c95ef9b3e7ef36d2633485c58bef9a1a

SHA512
a929eaae12f5cb28e224fc31298af2808f995c5a06bc6f47d95879703dbb9369e2e35b4e50a452e91741e6a949336220348dbb3c389c46ea2e0ca41f592dcaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\u.tlb

Filesize
2KB

MD5
9156db5f76d48049dbc41fd1b58b3f34

SHA1
5eb1df59f9b5b06ab00137fc9e6451e323d3102c

SHA256
66fab808188a98ba49d99b723a181aa6626197d50bd2d5e15e076dcbc6fbb2cc

SHA512
742a77e71c34632146e16acadb6b381694072c7f4c2dea1df1dfc645ed42673ba153c832d167474dc41f9b608142a8c41b4aecda1efdab90d87d4f5c718bf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7271.tmp\u.x64.dll

Filesize
319KB

MD5
4f5c722b8686afbea6f09c53171d44ca

SHA1
184c60aafbb12d1023b1ce2aff4d3708607a75a1

SHA256
870c280ea861313edda0bd3950dc738ea68d006f315888d66023b54e5f98f0ea

SHA512
e471a86079a16d129ea0c01878af77d1aa132e629832d3f0f3d1f8a3dd250ed41c8d2f37403a10c8061fff07c07dda926ba7ffcc417c6e0100005a0f2721417a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads