384917736c885bdc697537088c4fbaf996f8d3ceaa86d9c3e8948b2161a19e87

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 04:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe
Size

1.1MB
MD5

5567ea8e3f584be1ea4132fcd448748f
SHA1

85808056c6d847d96f3bc95c700b5598ca1c78ea
SHA256

384917736c885bdc697537088c4fbaf996f8d3ceaa86d9c3e8948b2161a19e87
SHA512

5dc97a4ed5dbd9dc72e73a463ab3d957295348c8e1681a5eb61077c00792aeb89c26b059d30a25546d4e029ef1f1e5cb98c22db491faa15699503584f3aab1e1
SSDEEP

24576:h1OYdaONOBsFEt5hDG0SAMs9jR/jaJnTJdwY68+UhnWb3aQV:h1Os+OEt5hDG0SAMs9j8nTJ2Y68hWGQV

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	c7pTmai8tc.exe

Loads dropped DLL 2 IoCs

pid	Process
2852	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe
2756	c7pTmai8tc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmgkahihmonpglmdfnhkigcfapjlnpmf\1.0\manifest.json	c7pTmai8tc.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{140FEB46-6A0D-6076-A760-F3D2FD670D58}	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\ = "Search-NewTaob"	c7pTmai8tc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\NoExplorer = "1"	c7pTmai8tc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{140FEB46-6A0D-6076-A760-F3D2FD670D58}	c7pTmai8tc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7pTmai8tc.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	c7pTmai8tc.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	c7pTmai8tc.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{140FEB46-6A0D-6076-A760-F3D2FD670D58}	c7pTmai8tc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{140FEB46-6A0D-6076-A760-F3D2FD670D58}	c7pTmai8tc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab\CurVer	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\VersionIndependentProgID	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	c7pTmai8tc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\InprocServer32	c7pTmai8tc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\ProgID	c7pTmai8tc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\Implemented Categories	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab\CLSID\ = "{140FEB46-6A0D-6076-A760-F3D2FD670D58}"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\InprocServer32\ThreadingModel = "Apartment"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\ProgID\ = "Searcch-NEwTaab.1.0"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\ProgID	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\VersionIndependentProgID\ = "Searcch-NEwTaab"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\InprocServer32\ = "C:\\ProgramData\\Search-NewTaob\\TeCG4_nBO.dll"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab.1.0\CLSID\ = "{140FEB46-6A0D-6076-A760-F3D2FD670D58}"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\Programmable	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Search-NewTaob\\TeCG4_nBO.dll"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab.1.0	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab.1.0\ = "Search-NewTaob"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab\CurVer\ = "Searcch-NEwTaab.1.0"	c7pTmai8tc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\Programmable	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Search-NewTaob"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\ = "Search-NewTaob"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab.1.0\CLSID	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\InprocServer32	c7pTmai8tc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}\VersionIndependentProgID	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab\ = "Search-NewTaob"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58}	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\ProgramData\\Search-NewTaob\\TeCG4_nBO.tlb"	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Searcch-NEwTaab.Searcch-NEwTaab\CLSID	c7pTmai8tc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	c7pTmai8tc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2756	2852	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2756	2852	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2756	2852	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2756	2852	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2756	2852	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2756	2852	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2756	2852	5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	c7pTmai8tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{140FEB46-6A0D-6076-A760-F3D2FD670D58} = "1"	c7pTmai8tc.exe

C:\Users\Admin\AppData\Local\Temp\5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5567ea8e3f584be1ea4132fcd448748f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\c7pTmai8tc.exe
  .\c7pTmai8tc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Search-NewTaob\TeCG4_nBO.dat

Filesize
5KB

MD5
09ec1d506354653144119372314b877d

SHA1
782e8334bbd29e1e582b2d99bbc845582f03e965

SHA256
c63937ffb8086ed09ef66166c08fc2b208106035635b6436b6f2590bd83ecc2d

SHA512
2b43bb4bda26e6b92f7e3e3947b931079014ec2668be1eee368d7543dc3acbcd1bc6be36c8d6f86e6315efcd4847c68ac89fd9d053b34b71277738e15cc7367a

Download Submit
C:\ProgramData\Search-NewTaob\TeCG4_nBO.dll

Filesize
258KB

MD5
e1d10cccd5dde588af8ee2cb7309523c

SHA1
0b9e805077320b0ce1e6620488bd34f1c4d7827e

SHA256
9900e517bfd4b39bd7af4bb360af52f6c95ef9b3e7ef36d2633485c58bef9a1a

SHA512
a929eaae12f5cb28e224fc31298af2808f995c5a06bc6f47d95879703dbb9369e2e35b4e50a452e91741e6a949336220348dbb3c389c46ea2e0ca41f592dcaa0

Download Submit
C:\ProgramData\Search-NewTaob\TeCG4_nBO.tlb

Filesize
2KB

MD5
9156db5f76d48049dbc41fd1b58b3f34

SHA1
5eb1df59f9b5b06ab00137fc9e6451e323d3102c

SHA256
66fab808188a98ba49d99b723a181aa6626197d50bd2d5e15e076dcbc6fbb2cc

SHA512
742a77e71c34632146e16acadb6b381694072c7f4c2dea1df1dfc645ed42673ba153c832d167474dc41f9b608142a8c41b4aecda1efdab90d87d4f5c718bf149

Download Submit
C:\ProgramData\Search-NewTaob\c7pTmai8tc.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\1169636365.log

Filesize
3KB

MD5
96d7fccd552458f8ecd12c0501e78853

SHA1
845acbb52c267a57441258716caa441ccb786bab

SHA256
ba3b452b7382cd44aaf502ab32422ce243c2b7b47599a7aed5ecb2bd78fd4042

SHA512
1b271c42d9d983c7dde1f8ed151e9f29b6a80ddf0001249aa4a7519fbf98129119066d0cddd33e6f523681f0475b1a38589b03133d71691b751e174880f91282

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\TeCG4_nBO.x64.dll

Filesize
319KB

MD5
4f5c722b8686afbea6f09c53171d44ca

SHA1
184c60aafbb12d1023b1ce2aff4d3708607a75a1

SHA256
870c280ea861313edda0bd3950dc738ea68d006f315888d66023b54e5f98f0ea

SHA512
e471a86079a16d129ea0c01878af77d1aa132e629832d3f0f3d1f8a3dd250ed41c8d2f37403a10c8061fff07c07dda926ba7ffcc417c6e0100005a0f2721417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\kmgkahihmonpglmdfnhkigcfapjlnpmf\FYxfympi6I.js

Filesize
5KB

MD5
dedec630f364bde3de6f84f4137f0629

SHA1
5fa28e3adb3759efbe2e9741d0460d0ab3b1fbe6

SHA256
4a6271afc2be686eb2baeb6cc9b69f4508d0b9058f1f423565fbcca142773c14

SHA512
066ae7ffcba13334b469020b0134ca89e2ecdc7db375afcd53e7cd06dd478e976aea36a474c5984823719f973a5fdf346a151b42a23084f93de7e3576e4b088d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\kmgkahihmonpglmdfnhkigcfapjlnpmf\background.html

Filesize
147B

MD5
ca0dea3edc0ae605cae6b49cdefd209d

SHA1
54beb81b75f2f11698bc71f4f5b46ef009f5067e

SHA256
3804127317f5f69c334edb60d985af597d5b4f500052485dfa4a9380537a364b

SHA512
311cd08fab9081ebe4c7b4bacad1500f810b481622fe368d7a79e7e86b0db86057ebc71ff7675a74c3686eb5632a4228892c4e28c1e36af7cb35658a4638e0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\kmgkahihmonpglmdfnhkigcfapjlnpmf\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\kmgkahihmonpglmdfnhkigcfapjlnpmf\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\kmgkahihmonpglmdfnhkigcfapjlnpmf\manifest.json

Filesize
556B

MD5
7586052467c053ccffa1f82e208e768a

SHA1
571754a59f2a792d965104d1ef7a2f1423604bc7

SHA256
ac8efb853dbaf3ca2f68a2d48ad4d11aa8a100c3cf81ca991686674b1f6c6400

SHA512
6360641478ca193f3fad3cec3dd20f8c05fb1f936a374201fe34d6c18f4484fdb4428bd2c9657ebc907cafdf0028009db0286600e11b5844237452762ed51496

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\kmgkahihmonpglmdfnhkigcfapjlnpmf\newtab.html

Filesize
371B

MD5
b2b1167de47776f115ce723e5c0061e4

SHA1
f04ce27941fd4271970edaba7b0cdb7aee67d302

SHA256
b31310da332a22acf5bef68ea02fdc968819c48ef0d0d9671679bfa48ca0d11b

SHA512
fbd5dccf7afc9736532daacb9a2840c2dae1841ea71fe505352a1e27fdbd045dec167c2af3a5f7e8187ab5cddf8a99888eea86fc35f6218cb23dc99c86145427

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C5A.tmp\kmgkahihmonpglmdfnhkigcfapjlnpmf\sqlite.js

Filesize
1KB

MD5
a43588025d14f30d1d082293922423e0

SHA1
bc62940d75f50de87654c225aec81a47a33bc15c

SHA256
661ac7794726ea8f4f76f95b3305d6c7b968804fccf531958fc794d96cc8fbf4

SHA512
2dbcca82db3888b7252c554d430b5430e111844cf2b69a8b451c6b8cbbf9d510a7c13fe84d0989e53e3f9f0d8c66122c6dedad97f75ffb09dcfe1bf2eb732954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.Admin\extensions\staged\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.Admin\extensions\staged\[email protected]\chrome.manifest

Filesize
112B

MD5
87c2127d63360d1b40e56690b752a406

SHA1
7f507856b8cbea188f07260482dde7aa5eb83f89

SHA256
15f9edb8cc92c70ef3e3926e9ed4e42de3cd9438d35cf99478967a9be3137e5f

SHA512
1d5bbec1ce1e9220a23185f0b10a6f5dc1f3841c0eca238d8f3b931213a00aec07a81a6b3b211efb4d785006b9dfbe07b444ed478adbf36c0dea6bfa5e6ab8d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.Admin\extensions\staged\[email protected]\content\bg.js

Filesize
9KB

MD5
1f0a07067165a6574c58320abf99ba6f

SHA1
8badab4d094360d509652594d05bfb7796b8f625

SHA256
25e9ca3a63b46f56f61878b9543ac5439a673ab469e8e5d3b2038c9c0f019d93

SHA512
c5aec2379752acb407b1b553be20b53447f7c23e520a80659a8163b7dc35963a9e46097b2eeab34b9528118e278463cd7474ddd154a5326b1b8c67966ce3215d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.Admin\extensions\staged\[email protected]\install.rdf

Filesize
612B

MD5
9474ccdf453d519e836ae7d9a0080885

SHA1
fed329627ed2f1a1bcc5eae97038b10678e25ba1

SHA256
97e258a0647194f679917991d1154d0b48b3c98fc8a9a7db704b073382c7e11e

SHA512
07a43e34f72dcf66fe8c6c7985aa9fddafd8ade745e8d9f0c6eab4b598a71febe2e3f4391961b33db572563647d9cd3764eff7628d70c15151bd498119dcc8d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads