Malware Analysis Report

2025-08-05 16:53

Sample ID 250127-skmx8svncn
Target JaffaCakes118_40db340467a18d6d18be879487871a61
SHA256 41ccc626af243568051e627af617517468c45c71c21b5f423449703e60b8619c
Tags
adware discovery spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

41ccc626af243568051e627af617517468c45c71c21b5f423449703e60b8619c

Threat Level: Shows suspicious behavior

The file JaffaCakes118_40db340467a18d6d18be879487871a61 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 15:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 15:11

Reported

2025-01-27 15:13

Platform

win7-20241010-en

Max time kernel

14s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ = "wxDfast Class" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} = "1" C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe"

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\settings.ini

MD5 0789d272b31dd6d1c0f5513eafb3d927
SHA1 cef1d81f087b67f7f8c4606cfe23363434432aa4
SHA256 18390d4b46fc5940bc88306454b2e3e1910375e8a5d93b77fb6862a083c899a2
SHA512 f1b3c66aec68116df0b985c0a776e40655f6ef3f053f4f03160ae29195f9fe14480f836e16d654306a07260b642c3725045332baa6644e2be48728fb8df26d15

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\install.rdf

MD5 7a682996274bcd9769bb9d56906bfb00
SHA1 519d1a03d39b5833d5b756d7bb54049eb62c11fd
SHA256 12020cebc53574fbf3ca86c9c73863a3e6987d72675c050a1ca7a0aebc012b69
SHA512 e608f2d3e36c50fb66fca206cc2f81cabe99e82c48bc7e936945c8242fc833222e96ed0afeaf2294766d8a34d96850d53ab015329a37dff8e1ee014b9f86438f

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\chrome.manifest

MD5 b8857a39a20d1101ad835a9b0b433288
SHA1 57c27bd1a162935b2dede9a9d7e3c9d0efc549aa
SHA256 e6e146479140325d7ba1e10d40b56cad9e72e032479200f1c47ff4b2521db535
SHA512 15fb2a589e0fa1248b78584bd2914a7cf2b74d5edf097be5f58dd1c1960f985abfb85fe1e5e16241e212d2500f28674e1a860fa6e3b619d37609ff6fc7c2d210

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\indexeddb.js

MD5 804dc8c72de966a1d03cd9a22777e800
SHA1 29857f02399f712208d0ff828948ec9b6d05dba8
SHA256 ad9c2121af94aab9480a1615eb90464d884d436526b9cc8e3411a6058c7224c3
SHA512 91f8d9d77fa0d8be243e5ce3204ec1250648f0218089b09c85e989ddb7391404482a6d50635cbd57365d9b7e86ce1bf8ff23cd06a449cb63f11cb3479d2d5b56

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\jsext.js

MD5 06d78b642df48da6c611761d8b616136
SHA1 48ba92c2974779909047b2f1887b5d66e9c9325d
SHA256 5c17c18c96981130c96c24a87114b90676efea7635cbd2cfc6a07a33097445dd
SHA512 b6ed05b8686699cd1f5e38a76c86638e562e064fd36c3905ba757b08c4a46bde30fc23c5e20201a95d7af00ce9985d23c61652542f08c8ccee1751f0fcae072d

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\lsdb.js

MD5 e39261215fb1c10ffb236e73a3d030d0
SHA1 9dd7bce9fbebdbfc9788020d51da5f637520a3e7
SHA256 6ee2c0672e12f09046d5975d2f372e2a4d7c35152c75928eccd81edf77442e9e
SHA512 20a8d4b60aa7321fc7ad95faab0e85ddd860dfacde4586e0c273930d975f5355cc3e916ee7e3e12271f5272212b51c2f15421011d1bf54fc1e8ed428e8c1cba6

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\sqlite.js

MD5 ead3485db2ed817389304084e463eaea
SHA1 53051a6e0cb6ac4f9b21392f3757145c6214be88
SHA256 2bd2dae86eca63b36f85a6120e6730036c64d5f4b2a74e52332644d7f0c45965
SHA512 f6f8a5052552525602ab325d3ce03686a04ab9a2e03cc04337afccb1e1528c4dd66fba91fc2d12389b84d39184408727d73c5b65a51f33c1127278d1f7ee7cad

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\prfdb.js

MD5 a39f1a82ed0db74dee0c7bc4b7f80e15
SHA1 4ed5a458e3bc43a8b82a05e5ac5566d81920e614
SHA256 160ae8edb3aabbe96a2a2067f9242b5cb7655867ec056798881368959890eab3
SHA512 cbdbf7beb778ac4593240dfb7dc821a2d12876a61c8a6e67290f157171433fb29c95056dbac5c110334fbc7bcf73763e84ed37fc349fcfd97457b610228cb278

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\wx.xul

MD5 c36104441feb5a0b2ab443c953ddacc3
SHA1 ccd306c9171c7bb7354993281d4303eb7d1dace7
SHA256 99fa570d5008f4f9ab020e4b80bbfd2ff1f079e475e83269b44a49b0779f3f34
SHA512 72c73d1076605784fe33ce5950857f068352357f4697a083f7de9a5fdfeca4cb383af891a504e12e841cd88961ea0c0cb03d865c3d7ac4a897b38440c3ee3e8c

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\fildoiepmckiekpdaimnanlhlbhjiekk.crx

MD5 59fa7e0e774c04a31c16d1d55fb9987e
SHA1 d22af56e09b8ffcccd85e4c619ee32d7d10f18e5
SHA256 ad5f6c4acd15a9dd2306aba75c422e7b4370f00ac3e815c8ded697b2cb8dfa9c
SHA512 88ad9549f7472521a61c4c72921b45da5703202e0f4abecc846eb8539501aa07930c28a87da52495171969ead88c1a8e49296c77572eda99c8075d028ce22f63

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\background.html

MD5 74fbcc665f4b5056e177c411994b26fa
SHA1 78f7a4b5c72eb4fa52dbaf374ee4e516c56bd1b8
SHA256 38f7eed1804c5a9fcd826f76ec9786ff4bf477eacb9ee93785648220ec9a3fb9
SHA512 a2534e1f48f95835624d357f43daca9fb2abcd09bde2f69d88fec5f2c27f1428a40ec2f467636356d3e40e14a57b6e740a324025a06e7ff7a28db8c527ea3d5e

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\content.js

MD5 6698c2cb7bdd929ec1019627aa11e36e
SHA1 9e3435584b882492c7c65c80236eba0014fbc48c
SHA256 00d07bcf6d43c4c2d134e014321c6f65fa8eb6141a9dfe7e31fe2a5807fdeaa8
SHA512 9e067e8e5dff395e901ed5c55988eef16e0ea3739fd238d218ab6f69a75bc3d0c53e2d1dce46508524a63cdb2d403a1f882f5978996bcbd4f4a41adc4e0aa1be

C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\wxDfast\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 15:11

Reported

2025-01-28 08:18

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ = "wxDfast Class" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} = "1" C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe"

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe

.\setup.exe /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 147.111.86.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\indexeddb.js

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\jquery.js

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\jsext.js

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\sqlite.js

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\prfdb.js

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\lsdb.js

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\wx.xul

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\fildoiepmckiekpdaimnanlhlbhjiekk.crx

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\background.html

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\content.js

C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\bhoclass.dll

C:\ProgramData\wxDfast\uninstall.exe
