b0a31fa74200fc33b7e3b631985347eacc10e3fe9f8e6cea1ccb2e2b22adb6fa

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe
Size

1.1MB
MD5

5398f96ac4f39759f4f8c0332c46c9e8
SHA1

bf052a3f8cf41d55f37df3abeefe5e2368acd11f
SHA256

b0a31fa74200fc33b7e3b631985347eacc10e3fe9f8e6cea1ccb2e2b22adb6fa
SHA512

20ea544f8d239d56746cc867f568bc1d81d228369511cc432e03a9b8adffd59d3702ebb14567688f672f34de8783bc21e3b7d4aa6e8057753f5086bfa9d7dc31
SSDEEP

24576:h1OYdaOQOBsFEt5hDG0SAMs9jR/jaJnTJdwY68+UhnWb3aQh:h1OshOEt5hDG0SAMs9j8nTJ2Y68hWGQh

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2804	wkM4hz6n.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe
2804	wkM4hz6n.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\egnhmofdiomjooenhnippjcedcpelbnd\1.5\manifest.json	wkM4hz6n.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EC60BFD8-A84D-A023-7097-F9F567A11A90}	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\ = "safe ssaVVe"	wkM4hz6n.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\NoExplorer = "1"	wkM4hz6n.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EC60BFD8-A84D-A023-7097-F9F567A11A90}	wkM4hz6n.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkM4hz6n.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	wkM4hz6n.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EC60BFD8-A84D-A023-7097-F9F567A11A90}	wkM4hz6n.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EC60BFD8-A84D-A023-7097-F9F567A11A90}	wkM4hz6n.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	wkM4hz6n.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	wkM4hz6n.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\VersionIndependentProgID	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saave	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\safe ssaVVe\\Q83m86l.dll"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\InprocServer32\ = "C:\\ProgramData\\safe ssaVVe\\Q83m86l.dll"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\VersionIndependentProgID	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\InprocServer32	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ssAfei.	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saave.1.5\CLSID\ = "{EC60BFD8-A84D-A023-7097-F9F567A11A90}"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\ProgID\ = "ssAfei. saave.1.5"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saave\CLSID\ = "{EC60BFD8-A84D-A023-7097-F9F567A11A90}"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\VersionIndependentProgID\ = "ssAfei. saave"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saave\ = "safe ssaVVe"	wkM4hz6n.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\ProgID	wkM4hz6n.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saave.1.5	wkM4hz6n.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\Programmable	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saave\CLSID	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\ = "safe ssaVVe"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saave\CurVer	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saave\CurVer\ = "ssAfei. saave.1.5"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\Programmable	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\InprocServer32\ThreadingModel = "Apartment"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saave.1.5\CLSID	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\ProgID	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	wkM4hz6n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\Implemented Categories	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\safe ssaVVe"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saave.1.5\ = "safe ssaVVe"	wkM4hz6n.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90}\InprocServer32	wkM4hz6n.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2804	2524	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2804	2524	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2804	2524	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2804	2524	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2804	2524	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2804	2524	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2804	2524	5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe	29

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	wkM4hz6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{EC60BFD8-A84D-A023-7097-F9F567A11A90} = "1"	wkM4hz6n.exe

C:\Users\Admin\AppData\Local\Temp\5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5398f96ac4f39759f4f8c0332c46c9e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\wkM4hz6n.exe
  .\wkM4hz6n.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\2585332227.log

Filesize
3KB

MD5
4b925053cd3edc88ee3c9a0f354ac062

SHA1
13f9070eaec73ef231969b075d37730895dddea5

SHA256
74c58e07ceb5d020d206e2f8a32261213e38d9540069274d1f3319a9bb7cd669

SHA512
c26f366186f9060cb3010d4dc07737a78f6483634142936ef618af1fa05955630ca6e91a084c1d619558e2ac1795f587bd4dad2a47675d1f190d3a51888e3ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\Q83m86l.dll

Filesize
258KB

MD5
e1d10cccd5dde588af8ee2cb7309523c

SHA1
0b9e805077320b0ce1e6620488bd34f1c4d7827e

SHA256
9900e517bfd4b39bd7af4bb360af52f6c95ef9b3e7ef36d2633485c58bef9a1a

SHA512
a929eaae12f5cb28e224fc31298af2808f995c5a06bc6f47d95879703dbb9369e2e35b4e50a452e91741e6a949336220348dbb3c389c46ea2e0ca41f592dcaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\Q83m86l.tlb

Filesize
2KB

MD5
9156db5f76d48049dbc41fd1b58b3f34

SHA1
5eb1df59f9b5b06ab00137fc9e6451e323d3102c

SHA256
66fab808188a98ba49d99b723a181aa6626197d50bd2d5e15e076dcbc6fbb2cc

SHA512
742a77e71c34632146e16acadb6b381694072c7f4c2dea1df1dfc645ed42673ba153c832d167474dc41f9b608142a8c41b4aecda1efdab90d87d4f5c718bf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\Q83m86l.x64.dll

Filesize
319KB

MD5
4f5c722b8686afbea6f09c53171d44ca

SHA1
184c60aafbb12d1023b1ce2aff4d3708607a75a1

SHA256
870c280ea861313edda0bd3950dc738ea68d006f315888d66023b54e5f98f0ea

SHA512
e471a86079a16d129ea0c01878af77d1aa132e629832d3f0f3d1f8a3dd250ed41c8d2f37403a10c8061fff07c07dda926ba7ffcc417c6e0100005a0f2721417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\egnhmofdiomjooenhnippjcedcpelbnd\LBq_6YQu.js

Filesize
5KB

MD5
1baeed0f8768e5176d6e5f0c51347ada

SHA1
fdae79f8abce12ce9c4a5c176cc86ca6539779b0

SHA256
d73e01831a303c306c302865f281e5402d51e1ba5dfd3138835be6db6966466c

SHA512
58ddf8124a05979ead2ba67126ea0db573eb5d8371a12b6b1021f627adceda4b032812418ea0934f8b87398070a96a8b7188d2ecbaad08cb99193c560aba0cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\egnhmofdiomjooenhnippjcedcpelbnd\background.html

Filesize
145B

MD5
d5e36b2eb88be71efee629126051b3ca

SHA1
bb762987780d91f5014765cc5ed1342744cfc0df

SHA256
50b66ddd6bd149d233205ef4ab12fcea640de6ca597a26c621f6a050e4983146

SHA512
a0fac84f80b2df5e4718553aa8b8e80ab657c0e4efbc84a758b4312f4d408f65b9a5db4963622ded678835b859d12e6080b7bffb65b9d7e47f8da8ac39b73c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\egnhmofdiomjooenhnippjcedcpelbnd\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\egnhmofdiomjooenhnippjcedcpelbnd\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\egnhmofdiomjooenhnippjcedcpelbnd\manifest.json

Filesize
503B

MD5
3c5c9c6fe2d5a8ad7afe3750172cee0e

SHA1
80f0f73abab12766623bf0ed4ad9ebdc849ae54d

SHA256
b5b667f3afb2af45b6dddaae9988b307cde61157d7607adfed55fca69ae0684e

SHA512
f63bae5027c0acae17a5a785c4ab6233aef6c0c5c8e5e6fdb364f284b6c642a27c0a69009f191cc1d20f1396a5a4b8f389c196511d75cadbbd5051be0d53e334

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\egnhmofdiomjooenhnippjcedcpelbnd\sqlite.js

Filesize
1KB

MD5
492481a495dc68ddf95a9aa7542fb0c5

SHA1
a6c6e44c145d4fe51e9a6b08abfde579d4fae49d

SHA256
27b49a62438e137d149b84b9be3a3a78659591ae3cc393d05871fd76497fd38f

SHA512
eb76c8d53b43dfea7d1f723bedfabb1cd6eded6a2d5be86eee6dd754740e23c730124f88ebadc3101f577246073b616782ebe8f79db37da8ad383b666cd203ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\[email protected]\chrome.manifest

Filesize
108B

MD5
8b39bf95bc3a67d667daed42365d1301

SHA1
197e8d8f44283079f09b64d04af0af8ee937d8f9

SHA256
db5302d708eb19cb6d50fee8b9671de591dac1131c532802c7933fa2567475bf

SHA512
ffa2ce26b342a01b3c3b321deb1ea71533dd0073c27f80cd8108ccb1e0f4070d87ed8fa5594a88a835c1eaf1730aa0be4472518f42ef31d51426a5bbac66faca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
578423cfdc2fae9cbf10abb9129f5ed1

SHA1
f81e718f1569504174b25e48fa49d97737c57474

SHA256
d6a2e15bd313092c3089b807ec290624241eefce9be516abd124f36ef98e48b3

SHA512
dbdef2b738e140ba7d67380bc4e30eb97f3b976280d743f89e84bb2eb598f93ca174eb7f1c82691e3ebf6c36d92ac28030596798d3e541b25725f7c26b405e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\[email protected]\install.rdf

Filesize
606B

MD5
670dacf74101f9d05e31c660eeae61eb

SHA1
8b17ef2075f4a4a657ec8a7b1af2a6563f2f9734

SHA256
831842583f041f34796658edc09d37e7cbc2c2ac8403e84e27485af60a6a920a

SHA512
5c4a070b63f39e19b351c445d89521d97a6334feb0e17e810f824b159644803d31c7d64531c47aad4bf3f245d362d0b89a1350d5563ef6c5107c287753e9fbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\wkM4hz6n.dat

Filesize
5KB

MD5
c022ea33dc17f5c602d9855955c75943

SHA1
9cf23cc5b92460f3201a9003ffcfd61a69f64091

SHA256
f8be84c414b5bf19f2a56b8aafeff8f1c04e8b638f0e32801d3e7cde959f99ac

SHA512
3fbc1a633bd5a8fbac9c55b66f745506c32c7227cb1778175ca5fd7d71ce70526e4a1d6cbde23253fae3f945653e5bd1bab8ccde6907f4e994b2ea4fda299c56

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7D1C.tmp\wkM4hz6n.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads