Analysis Overview
SHA256
3e15deccb3cf1c7cd91c15d2c95d8c7ee2daf0d950a5bf6b8a0949911fbc13df
Threat Level: Shows suspicious behavior
The file 760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Drops Chrome extension
Checks installed software on the system
Installs/modifies Browser Helper Object
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
NSIS installer
Suspicious use of WriteProcessMemory
Modifies registry class
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:32
Reported
2024-10-27 21:36
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lojldnkagabkoobiokhbfbagodhhhhkk\1\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ = "BcOol" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32\ = "C:\\ProgramData\\BcOol\\51e6037c3d701.dll" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\BcOol" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ProgID\ = "BcOol.1" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ = "BcOol" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\BcOol\\51e6037c3d701.tlb" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3208 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe |
| PID 3208 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe |
| PID 3208 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe
.\51e6037c3d6c8.exe /s
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d6c8.exe
C:\Users\Admin\AppData\Local\Temp\nss9A8B.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\settings.ini
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\51e6037c3d4cc0.06557051.js
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\background.html
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\lsdb.js
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\sqlite.js
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\manifest.json
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\content.js
C:\Users\Admin\AppData\Local\Temp\nss9A8B.tmp\nsJSON.dll
memory/3912-73-0x0000000074B90000-0x0000000074B9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d701.dll
C:\Users\Admin\AppData\Local\Temp\7zS9913.tmp\51e6037c3d701.tlb
C:\ProgramData\BcOol\uninstall.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:32
Reported
2024-10-27 21:36
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lojldnkagabkoobiokhbfbagodhhhhkk\1\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ = "BcOol" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ = "BcOol" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\ProgID\ = "BcOol.1" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\BcOol\\51e6037c3d701.tlb" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7}\InProcServer32\ = "C:\\ProgramData\\BcOol\\51e6037c3d701.dll" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\BcOol" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9C57CB30-28B4-B690-7D3D-EFA26EAF90E7} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\760a1b8be26c178358e9df3afd91d3b8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe
.\51e6037c3d6c8.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d6c8.exe
| MD5 | b78633fae8aaf5f7e99e9c736f44f9c5 |
| SHA1 | 26fc60e29c459891ac0909470ac6c61a1eca1544 |
| SHA256 | d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22 |
| SHA512 | 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43 |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\settings.ini
| MD5 | d2a095c24799f81a1a52853f57862d67 |
| SHA1 | c64d922ae86f3c9b83f92e5a25d09746cb3525c0 |
| SHA256 | a221e5d1dec3571db475d8d61e854611ce2e6767f89973e5db75b9e08224ad54 |
| SHA512 | a9f7c416e8a987dd5a1438201974d996d38a36374f500b4362b9000c41a5c3393f37bb9757058426bb57639d3937e0e66940be90413c1faf7a74b3a29a514d6b |
\Users\Admin\AppData\Local\Temp\nsd9454.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\[email protected]\chrome.manifest
| MD5 | 25e2909418df5810772addf4998f6ac7 |
| SHA1 | ef007022028219ad4f0d3391869e734b0e825fd2 |
| SHA256 | ff8e5cf03db8492d44b0e7c1d3e5c2f9fce3a89e6cbb2f6925d8d5d90b9473a3 |
| SHA512 | e21a5ee407cc32eafcaf37de43d312aadc7c6399309ccd8b50eace80dae7ad8bf868412a4cb2f4507045c03f6fad662278da93e61e030942d6fb686059f93a21 |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\[email protected]\bootstrap.js
| MD5 | 9659637d12e8a57a3ae724e03b58181b |
| SHA1 | e6b1f996994db7cdb72d8c034c40926ebd313d73 |
| SHA256 | 6eb906406e3f590c1d8d53bc808a78f23ac082c73658a64fa351134b583c9a9f |
| SHA512 | 64c7fc95a3dbbd49e7154699756553cbc1647ada41023d9537ce744d9cab4d7d2b9245abbdef25a87fe48b63b5f05ee4d410d010550706f83cfc483ace5d3873 |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\[email protected]\install.rdf
| MD5 | ef5d6c1e96b8eac2b41222e86b450740 |
| SHA1 | 431019ec98e89fc90c02ec33bfce145015eaafaa |
| SHA256 | e6827faf1c1414bbd9b8a950ba44f7f239ded1330d6165a27b0267e08b77a846 |
| SHA512 | 1219f7fca1dbd77366ced3b93b705c6cb85ddf5bb623f4d235e0bcefb0bf055f8044e8c8c5d97add680db26c57003cb21baa407517009c006aef1894228bd558 |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\[email protected]\content\bg.js
| MD5 | dbaf32b2cc54a5e2e1786517ec4754a4 |
| SHA1 | 1c2123bec7f0a7de856213bd35a4994ff87a0627 |
| SHA256 | ec04401751e68e8ed61639f46e27f68ba7b61e4760c96d76df70f1b29b11c585 |
| SHA512 | 51cd6924bf2e2b9a4f52af83297600898fa12b6d534d2bf205189d96b91b8031f47c2f8c3eda2362a94a164c55d5b37358f65140c7fa73343c4773bb7077ea36 |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\lsdb.js
| MD5 | 209b7ae0b6d8c3f9687c979d03b08089 |
| SHA1 | 6449f8bff917115eef4e7488fae61942a869200f |
| SHA256 | e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704 |
| SHA512 | 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25 |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\content.js
| MD5 | 5f9891607f65f433b0690bae7088b2c1 |
| SHA1 | b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de |
| SHA256 | fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b |
| SHA512 | 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\background.html
| MD5 | fdba4a97c94358b00d92606b20dd48ea |
| SHA1 | 58a1876aa272f4abca0b3875e1889434b0521921 |
| SHA256 | 005c118c7ba3108d7221415eb49a465f70d15fe9adfdabc266f6ade7212bb0ad |
| SHA512 | 1b441b8571187573d3f1df4d2867f21e0eb649b8c6a307d841cceea1e401a64a5837d069d390c8ed89a783561e3ec01a2b9d255ca66592954d9a7e3b80410cd8 |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\51e6037c3d4cc0.06557051.js
| MD5 | e65cdf1bc9035582d3059de76db83313 |
| SHA1 | 033b13ebd4c96fa337ec0a989ef9fa616900f39c |
| SHA256 | 795f4fe0b28983c263a52135557fa3d70742951d8bb952876a922de85c7c80b8 |
| SHA512 | 43e64fe2b0bbd5d1b0e75167e3792817bb2496ef10c637f4c10e13a81764e0c58b87654b7e6f975fcf4417cc13ba2535291ea2d7391d55e8b96c11da09a76eab |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\manifest.json
| MD5 | 231bfa9bd211b3d6dce9b162a0f2f4b4 |
| SHA1 | ef7866211077b32b904ef9bfbcbb122c8a463a10 |
| SHA256 | 56415ef0c0802d8ad0571387b646bcb9d65380b6e1246223149a14e79d1b245a |
| SHA512 | 565243c5742df2d342e22647e505044fe220d35d4442bea81ee864714ad60db6ef30158c8b6b5a0f0662d8b1e9591f8dcdeeb1eb4315757d60bce05bcee09f2b |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\lojldnkagabkoobiokhbfbagodhhhhkk\sqlite.js
| MD5 | 097adf9f27d83cb08b02f05928a7573b |
| SHA1 | 304684455768e55e76dff39a5c6709bc634beb8c |
| SHA256 | 4f6da95e422e07e5a3823a7a0c3361d0839de0768f71150d2c461f7eb0202ddd |
| SHA512 | 22ab4494b1754613825dfc305cc0116d9353b53ddac6fd1b74ad55260fa2a9bb1744cf4cb388b64ff08cb2857d4b7ce6ade0c88cd841421afc7d5e19ac6ab3ac |
\Users\Admin\AppData\Local\Temp\nsd9454.tmp\nsJSON.dll
| MD5 | b9cd1b0fd3af89892348e5cc3108dce7 |
| SHA1 | f7bc59bf631303facfc970c0da67a73568e1dca6 |
| SHA256 | 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384 |
| SHA512 | fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90 |
memory/2704-75-0x0000000074F90000-0x0000000074F9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d701.dll
| MD5 | 05234975b085632d70d89c2f420c5107 |
| SHA1 | 078fb2a3e5de54c3737a4541242a4725c02c6b9c |
| SHA256 | a758ad4fdc8949ea005258075457a972eb0672d69d98d688117b85221fca096a |
| SHA512 | f9fa6aee142e32875127feadebbe235f4f376b0c3b7415036b8afc81c0a09a8ba0c5ec9e1703f1a34b220b7646caa1ca02629918185c4afbafe6926014044c4e |
C:\Users\Admin\AppData\Local\Temp\7zS9389.tmp\51e6037c3d701.tlb
| MD5 | c1e296ff01d3cf37f91c7473bdd9de52 |
| SHA1 | 832e3d1ddeb5a0ceb5b13c1ee271eb94bf9bf2a6 |
| SHA256 | a8e54ad3e1fbc91d5a7b02bf177a24a02f2558419ce46859bf15859b81478492 |
| SHA512 | aeb1f3962746caa3858c27b4753959d5ec9db2727e94642d5db2710633a96e7ceef5f9c0ff3b358f83143b6594459b5d9a94e095fed7a5d1fa97ae6a3c4e564c |
C:\ProgramData\BcOol\uninstall.exe
| MD5 | f3c79bda3fdf7c5dd24d60400a57cadb |
| SHA1 | 1adb606aaeedb246a371c8877c737f0f8c798625 |
| SHA256 | a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b |
| SHA512 | c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935 |