Malware Analysis Report

2025-03-15 04:39

Sample ID 241027-1ds5nsshmb
Target 760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118
SHA256 3e15deccb3cf1c7cd91c15d2c95d8c7ee2daf0d950a5bf6b8a0949911fbc13df
Tags
adware discovery spyware stealer upx
score
7/10

Analysis Overview

score
7/10

SHA256

3e15deccb3cf1c7cd91c15d2c95d8c7ee2daf0d950a5bf6b8a0949911fbc13df

Threat Level: Shows suspicious behavior

The file 760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer upx

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Drops Chrome extension

Checks installed software on the system

Installs/modifies Browser Helper Object

UPX packed file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Modifies registry class

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 21:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 21:32

Reported

2024-10-27 21:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lojldnkagabkoobiokhbfbagodhhhhkk\1\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ = "BcOol" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32\ = "C:\\ProgramData\\BcOol\\51e6037c3d701.dll" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\BcOol" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ProgID\ = "BcOol.1" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ = "BcOol" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\BcOol\\51e6037c3d701.tlb" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} = "1" C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe

.\51e6037c3d6c8.exe /s

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe

C:\Users\Admin\AppData\Local\Temp\nss9A8B.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\[email protected]\bootstrap.js

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\[email protected]\content\bg.js

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\51e6037c3d4cc0.06557051.js

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\background.html

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\lsdb.js

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\sqlite.js

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\manifest.json

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\content.js

C:\Users\Admin\AppData\Local\Temp\nss9A8B.tmp\nsJSON.dll

memory/3912-73-0x0000000074B90000-0x0000000074B9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d701.dll

C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d701.tlb

C:\ProgramData\BcOol\uninstall.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 21:32

Reported

2024-10-27 21:36

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lojldnkagabkoobiokhbfbagodhhhhkk\1\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ = "BcOol" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ = "BcOol" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ProgID\ = "BcOol.1" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\BcOol\\51e6037c3d701.tlb" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32\ = "C:\\ProgramData\\BcOol\\51e6037c3d701.dll" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\BcOol" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} = "1" C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe

.\51e6037c3d6c8.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\settings.ini

MD5 d2a095c24799f81a1a52853f57862d67
SHA1 c64d922ae86f3c9b83f92e5a25d09746cb3525c0
SHA256 a221e5d1dec3571db475d8d61e854611ce2e6767f89973e5db75b9e08224ad54
SHA512 a9f7c416e8a987dd5a1438201974d996d38a36374f500b4362b9000c41a5c3393f37bb9757058426bb57639d3937e0e66940be90413c1faf7a74b3a29a514d6b

\Users\Admin\AppData\Local\Temp\nsd9454.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\[email protected]\chrome.manifest

MD5 25e2909418df5810772addf4998f6ac7
SHA1 ef007022028219ad4f0d3391869e734b0e825fd2
SHA256 ff8e5cf03db8492d44b0e7c1d3e5c2f9fce3a89e6cbb2f6925d8d5d90b9473a3
SHA512 e21a5ee407cc32eafcaf37de43d312aadc7c6399309ccd8b50eace80dae7ad8bf868412a4cb2f4507045c03f6fad662278da93e61e030942d6fb686059f93a21

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\[email protected]\bootstrap.js

MD5 9659637d12e8a57a3ae724e03b58181b
SHA1 e6b1f996994db7cdb72d8c034c40926ebd313d73
SHA256 6eb906406e3f590c1d8d53bc808a78f23ac082c73658a64fa351134b583c9a9f
SHA512 64c7fc95a3dbbd49e7154699756553cbc1647ada41023d9537ce744d9cab4d7d2b9245abbdef25a87fe48b63b5f05ee4d410d010550706f83cfc483ace5d3873

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\[email protected]\install.rdf

MD5 ef5d6c1e96b8eac2b41222e86b450740
SHA1 431019ec98e89fc90c02ec33bfce145015eaafaa
SHA256 e6827faf1c1414bbd9b8a950ba44f7f239ded1330d6165a27b0267e08b77a846
SHA512 1219f7fca1dbd77366ced3b93b705c6cb85ddf5bb623f4d235e0bcefb0bf055f8044e8c8c5d97add680db26c57003cb21baa407517009c006aef1894228bd558

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\[email protected]\content\bg.js

MD5 dbaf32b2cc54a5e2e1786517ec4754a4
SHA1 1c2123bec7f0a7de856213bd35a4994ff87a0627
SHA256 ec04401751e68e8ed61639f46e27f68ba7b61e4760c96d76df70f1b29b11c585
SHA512 51cd6924bf2e2b9a4f52af83297600898fa12b6d534d2bf205189d96b91b8031f47c2f8c3eda2362a94a164c55d5b37358f65140c7fa73343c4773bb7077ea36

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\background.html

MD5 fdba4a97c94358b00d92606b20dd48ea
SHA1 58a1876aa272f4abca0b3875e1889434b0521921
SHA256 005c118c7ba3108d7221415eb49a465f70d15fe9adfdabc266f6ade7212bb0ad
SHA512 1b441b8571187573d3f1df4d2867f21e0eb649b8c6a307d841cceea1e401a64a5837d069d390c8ed89a783561e3ec01a2b9d255ca66592954d9a7e3b80410cd8

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\51e6037c3d4cc0.06557051.js

MD5 e65cdf1bc9035582d3059de76db83313
SHA1 033b13ebd4c96fa337ec0a989ef9fa616900f39c
SHA256 795f4fe0b28983c263a52135557fa3d70742951d8bb952876a922de85c7c80b8
SHA512 43e64fe2b0bbd5d1b0e75167e3792817bb2496ef10c637f4c10e13a81764e0c58b87654b7e6f975fcf4417cc13ba2535291ea2d7391d55e8b96c11da09a76eab

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\manifest.json

MD5 231bfa9bd211b3d6dce9b162a0f2f4b4
SHA1 ef7866211077b32b904ef9bfbcbb122c8a463a10
SHA256 56415ef0c0802d8ad0571387b646bcb9d65380b6e1246223149a14e79d1b245a
SHA512 565243c5742df2d342e22647e505044fe220d35d4442bea81ee864714ad60db6ef30158c8b6b5a0f0662d8b1e9591f8dcdeeb1eb4315757d60bce05bcee09f2b

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\sqlite.js

MD5 097adf9f27d83cb08b02f05928a7573b
SHA1 304684455768e55e76dff39a5c6709bc634beb8c
SHA256 4f6da95e422e07e5a3823a7a0c3361d0839de0768f71150d2c461f7eb0202ddd
SHA512 22ab4494b1754613825dfc305cc0116d9353b53ddac6fd1b74ad55260fa2a9bb1744cf4cb388b64ff08cb2857d4b7ce6ade0c88cd841421afc7d5e19ac6ab3ac

\Users\Admin\AppData\Local\Temp\nsd9454.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

memory/2704-75-0x0000000074F90000-0x0000000074F9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d701.dll

MD5 05234975b085632d70d89c2f420c5107
SHA1 078fb2a3e5de54c3737a4541242a4725c02c6b9c
SHA256 a758ad4fdc8949ea005258075457a972eb0672d69d98d688117b85221fca096a
SHA512 f9fa6aee142e32875127feadebbe235f4f376b0c3b7415036b8afc81c0a09a8ba0c5ec9e1703f1a34b220b7646caa1ca02629918185c4afbafe6926014044c4e

C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d701.tlb

MD5 c1e296ff01d3cf37f91c7473bdd9de52
SHA1 832e3d1ddeb5a0ceb5b13c1ee271eb94bf9bf2a6
SHA256 a8e54ad3e1fbc91d5a7b02bf177a24a02f2558419ce46859bf15859b81478492
SHA512 aeb1f3962746caa3858c27b4753959d5ec9db2727e94642d5db2710633a96e7ceef5f9c0ff3b358f83143b6594459b5d9a94e095fed7a5d1fa97ae6a3c4e564c

C:\ProgramData\BcOol\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935