Analysis Overview
SHA256
41ccc626af243568051e627af617517468c45c71c21b5f423449703e60b8619c
Threat Level: Shows suspicious behavior
The file JaffaCakes118_40db340467a18d6d18be879487871a61 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 15:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 15:11
Reported
2025-01-27 15:13
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe"
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS582E.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\settings.ini
| MD5 | 0789d272b31dd6d1c0f5513eafb3d927 |
| SHA1 | cef1d81f087b67f7f8c4606cfe23363434432aa4 |
| SHA256 | 18390d4b46fc5940bc88306454b2e3e1910375e8a5d93b77fb6862a083c899a2 |
| SHA512 | f1b3c66aec68116df0b985c0a776e40655f6ef3f053f4f03160ae29195f9fe14480f836e16d654306a07260b642c3725045332baa6644e2be48728fb8df26d15 |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\install.rdf
| MD5 | 7a682996274bcd9769bb9d56906bfb00 |
| SHA1 | 519d1a03d39b5833d5b756d7bb54049eb62c11fd |
| SHA256 | 12020cebc53574fbf3ca86c9c73863a3e6987d72675c050a1ca7a0aebc012b69 |
| SHA512 | e608f2d3e36c50fb66fca206cc2f81cabe99e82c48bc7e936945c8242fc833222e96ed0afeaf2294766d8a34d96850d53ab015329a37dff8e1ee014b9f86438f |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\chrome.manifest
| MD5 | b8857a39a20d1101ad835a9b0b433288 |
| SHA1 | 57c27bd1a162935b2dede9a9d7e3c9d0efc549aa |
| SHA256 | e6e146479140325d7ba1e10d40b56cad9e72e032479200f1c47ff4b2521db535 |
| SHA512 | 15fb2a589e0fa1248b78584bd2914a7cf2b74d5edf097be5f58dd1c1960f985abfb85fe1e5e16241e212d2500f28674e1a860fa6e3b619d37609ff6fc7c2d210 |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\indexeddb.js
| MD5 | 804dc8c72de966a1d03cd9a22777e800 |
| SHA1 | 29857f02399f712208d0ff828948ec9b6d05dba8 |
| SHA256 | ad9c2121af94aab9480a1615eb90464d884d436526b9cc8e3411a6058c7224c3 |
| SHA512 | 91f8d9d77fa0d8be243e5ce3204ec1250648f0218089b09c85e989ddb7391404482a6d50635cbd57365d9b7e86ce1bf8ff23cd06a449cb63f11cb3479d2d5b56 |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\jsext.js
| MD5 | 06d78b642df48da6c611761d8b616136 |
| SHA1 | 48ba92c2974779909047b2f1887b5d66e9c9325d |
| SHA256 | 5c17c18c96981130c96c24a87114b90676efea7635cbd2cfc6a07a33097445dd |
| SHA512 | b6ed05b8686699cd1f5e38a76c86638e562e064fd36c3905ba757b08c4a46bde30fc23c5e20201a95d7af00ce9985d23c61652542f08c8ccee1751f0fcae072d |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\lsdb.js
| MD5 | e39261215fb1c10ffb236e73a3d030d0 |
| SHA1 | 9dd7bce9fbebdbfc9788020d51da5f637520a3e7 |
| SHA256 | 6ee2c0672e12f09046d5975d2f372e2a4d7c35152c75928eccd81edf77442e9e |
| SHA512 | 20a8d4b60aa7321fc7ad95faab0e85ddd860dfacde4586e0c273930d975f5355cc3e916ee7e3e12271f5272212b51c2f15421011d1bf54fc1e8ed428e8c1cba6 |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\sqlite.js
| MD5 | ead3485db2ed817389304084e463eaea |
| SHA1 | 53051a6e0cb6ac4f9b21392f3757145c6214be88 |
| SHA256 | 2bd2dae86eca63b36f85a6120e6730036c64d5f4b2a74e52332644d7f0c45965 |
| SHA512 | f6f8a5052552525602ab325d3ce03686a04ab9a2e03cc04337afccb1e1528c4dd66fba91fc2d12389b84d39184408727d73c5b65a51f33c1127278d1f7ee7cad |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\prfdb.js
| MD5 | a39f1a82ed0db74dee0c7bc4b7f80e15 |
| SHA1 | 4ed5a458e3bc43a8b82a05e5ac5566d81920e614 |
| SHA256 | 160ae8edb3aabbe96a2a2067f9242b5cb7655867ec056798881368959890eab3 |
| SHA512 | cbdbf7beb778ac4593240dfb7dc821a2d12876a61c8a6e67290f157171433fb29c95056dbac5c110334fbc7bcf73763e84ed37fc349fcfd97457b610228cb278 |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\[email protected]\content\wx.xul
| MD5 | c36104441feb5a0b2ab443c953ddacc3 |
| SHA1 | ccd306c9171c7bb7354993281d4303eb7d1dace7 |
| SHA256 | 99fa570d5008f4f9ab020e4b80bbfd2ff1f079e475e83269b44a49b0779f3f34 |
| SHA512 | 72c73d1076605784fe33ce5950857f068352357f4697a083f7de9a5fdfeca4cb383af891a504e12e841cd88961ea0c0cb03d865c3d7ac4a897b38440c3ee3e8c |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\fildoiepmckiekpdaimnanlhlbhjiekk.crx
| MD5 | 59fa7e0e774c04a31c16d1d55fb9987e |
| SHA1 | d22af56e09b8ffcccd85e4c619ee32d7d10f18e5 |
| SHA256 | ad5f6c4acd15a9dd2306aba75c422e7b4370f00ac3e815c8ded697b2cb8dfa9c |
| SHA512 | 88ad9549f7472521a61c4c72921b45da5703202e0f4abecc846eb8539501aa07930c28a87da52495171969ead88c1a8e49296c77572eda99c8075d028ce22f63 |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\background.html
| MD5 | 74fbcc665f4b5056e177c411994b26fa |
| SHA1 | 78f7a4b5c72eb4fa52dbaf374ee4e516c56bd1b8 |
| SHA256 | 38f7eed1804c5a9fcd826f76ec9786ff4bf477eacb9ee93785648220ec9a3fb9 |
| SHA512 | a2534e1f48f95835624d357f43daca9fb2abcd09bde2f69d88fec5f2c27f1428a40ec2f467636356d3e40e14a57b6e740a324025a06e7ff7a28db8c527ea3d5e |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\content.js
| MD5 | 6698c2cb7bdd929ec1019627aa11e36e |
| SHA1 | 9e3435584b882492c7c65c80236eba0014fbc48c |
| SHA256 | 00d07bcf6d43c4c2d134e014321c6f65fa8eb6141a9dfe7e31fe2a5807fdeaa8 |
| SHA512 | 9e067e8e5dff395e901ed5c55988eef16e0ea3739fd238d218ab6f69a75bc3d0c53e2d1dce46508524a63cdb2d403a1f882f5978996bcbd4f4a41adc4e0aa1be |
C:\Users\Admin\AppData\Local\Temp\7zS582E.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\wxDfast\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
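The behavioral1 signatures above record the complete registration chain of the dropped Browser Helper Object: CLSID {6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} is created under the Wow6432Node Browser Helper Objects key with NoExplorer = 1 (load in Internet Explorer, not in Windows Explorer), its InprocServer32 points at C:\ProgramData\wxDfast\bhoclass.dll, the accompanying type library is named "Injector 1.0 Type Library" and exposes IInjectorBHO and ILocalStorage, and the "System policy modification" entry writes "1" for that CLSID under Policies\Ext\CLSID, which puts the add-on on Internet Explorer's administrator-managed add-on list so it loads without the user being asked. The Files section lists the hashes of everything dropped. The PowerShell script below is an added triage example written for this page; it is not code from the sample or from the sandbox. It enumerates registered BHOs in both registry views, resolves each one's DLL, records signature status, location under ProgramData and policy approval, and then hashes files under C:\ProgramData\wxDfast and %TEMP% against the SHA-256 values taken from the report. The root directories searched, the output field names and the subset of hashes carried are assumptions; the Firefox extension directory appears in the report as "[email protected]" (an obfuscated name), so it is not referenced.

```powershell
# Added triage example for this report; not code from the sample or the sandbox.
# Hunts for the BHO registration pattern recorded above and for the dropped files by hash.
# Assumptions: root paths to hash, output field names. Run elevated on the suspect host.

$ReportClsid = '{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}'

# SHA-256 values copied from the report's Files section (uppercase to match Get-FileHash output)
$KnownHashes = @{
    '15C0E4FD6091CDA70FA308EA5EE956996F6EB23D24E44700BD5C74BF111CF2AA' = 'setup.exe'
    '7BF09B5C2A9B6348227199C1B3951B57907CA6A5C215A04AD8D5E43232F5B562' = 'bhoclass.dll'
    '03C965D0BD9827A978EF4080139533573AA800C9803599C0CE91DA48506AD8F6' = 'uninstall.exe'
    'AD5F6C4ACD15A9DD2306ABA75C422E7B4370F00AC3E815C8DED697B2CB8DFA9C' = 'fildoiepmckiekpdaimnanlhlbhjiekk.crx'
    '18390D4B46FC5940BC88306454B2E3E1910375E8A5D93B77FB6862A083C899A2' = 'settings.ini'
}

# IE add-on management list. The Policies subtree is shared between the 32- and 64-bit
# registry views, which is why the 32-bit setup.exe wrote it without a Wow6432Node prefix.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'

function Get-RegisteredBho {
    # 64-bit IE reads the native view, 32-bit IE the Wow6432Node view; check both.
    $views = @(
        @{ Name = 'x64'; Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Name = 'x86'; Bho = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    $policy = if (Test-Path $PolicyKey) { Get-ItemProperty $PolicyKey } else { $null }

    foreach ($v in $views) {
        if (-not (Test-Path $v.Bho)) { continue }
        foreach ($sub in Get-ChildItem $v.Bho) {
            $clsid   = $sub.PSChildName
            $bhoProp = Get-ItemProperty $sub.PSPath
            $srvKey  = Join-Path $v.Clsid "$clsid\InprocServer32"
            $dll     = $null
            if (Test-Path $srvKey) { $dll = (Get-ItemProperty $srvKey).'(default)' }

            $sigStatus     = 'DllMissing'
            $inProgramData = $false
            if ($dll) {
                $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                $inProgramData = $path -like "$env:ProgramData\*"
                if (Test-Path $path) { $sigStatus = (Get-AuthenticodeSignature $path).Status.ToString() }
            }

            # A value of "1" named after the CLSID under Policies\Ext\CLSID pre-approves the add-on
            $approved = $false
            if ($policy -and $policy.PSObject.Properties[$clsid]) {
                $approved = ("$($policy.$clsid)" -eq '1')
            }

            [pscustomobject]@{
                View           = $v.Name
                CLSID          = $clsid
                Name           = $bhoProp.'(default)'
                NoExplorer     = $bhoProp.NoExplorer
                Dll            = $dll
                Signature      = $sigStatus
                InProgramData  = $inProgramData
                PolicyApproved = $approved
                MatchesReport  = ($clsid -ieq $ReportClsid)
            }
        }
    }
}

function Find-ReportedArtifacts {
    # Roots are an assumption: the install directory from the report plus the user's temp directory
    param([string[]]$Roots = @("$env:ProgramData\wxDfast", $env:TEMP))
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if ($KnownHashes.ContainsKey($h)) {
                [pscustomobject]@{ Path = $_.FullName; SHA256 = $h; ReportedAs = $KnownHashes[$h] }
            }
        }
    }
}

# Anything unsigned, living under ProgramData, policy-approved, or matching the report's CLSID deserves a look
Get-RegisteredBho |
    Where-Object { $_.MatchesReport -or $_.PolicyApproved -or $_.InProgramData -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize

Find-ReportedArtifacts | Format-Table -AutoSize
```

On a clean host the first table is normally empty or contains vendor BHOs with a Valid signature under Program Files; a row in the x86 view whose DLL sits under C:\ProgramData, with PolicyApproved set, reproduces exactly what setup.exe left behind in both detonations. Note that the report also shows the BHO, CLSID and ProgID keys being deleted and re-created during installation, so absence of the keys at one moment does not mean the installer never ran; the hash check against the dropped files covers that case.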
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 15:11
Reported
2025-01-28 08:18
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2716 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe |
| PID 2716 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe |
| PID 2716 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6BCF2DD1-D7A0-E1FA-CF66-9A8F7BCC7586} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40db340467a18d6d18be879487871a61.exe"
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.111.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\settings.ini
| MD5 | 0789d272b31dd6d1c0f5513eafb3d927 |
| SHA1 | cef1d81f087b67f7f8c4606cfe23363434432aa4 |
| SHA256 | 18390d4b46fc5940bc88306454b2e3e1910375e8a5d93b77fb6862a083c899a2 |
| SHA512 | f1b3c66aec68116df0b985c0a776e40655f6ef3f053f4f03160ae29195f9fe14480f836e16d654306a07260b642c3725045332baa6644e2be48728fb8df26d15 |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\chrome.manifest
| MD5 | b8857a39a20d1101ad835a9b0b433288 |
| SHA1 | 57c27bd1a162935b2dede9a9d7e3c9d0efc549aa |
| SHA256 | e6e146479140325d7ba1e10d40b56cad9e72e032479200f1c47ff4b2521db535 |
| SHA512 | 15fb2a589e0fa1248b78584bd2914a7cf2b74d5edf097be5f58dd1c1960f985abfb85fe1e5e16241e212d2500f28674e1a860fa6e3b619d37609ff6fc7c2d210 |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\install.rdf
| MD5 | 7a682996274bcd9769bb9d56906bfb00 |
| SHA1 | 519d1a03d39b5833d5b756d7bb54049eb62c11fd |
| SHA256 | 12020cebc53574fbf3ca86c9c73863a3e6987d72675c050a1ca7a0aebc012b69 |
| SHA512 | e608f2d3e36c50fb66fca206cc2f81cabe99e82c48bc7e936945c8242fc833222e96ed0afeaf2294766d8a34d96850d53ab015329a37dff8e1ee014b9f86438f |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\indexeddb.js
| MD5 | 804dc8c72de966a1d03cd9a22777e800 |
| SHA1 | 29857f02399f712208d0ff828948ec9b6d05dba8 |
| SHA256 | ad9c2121af94aab9480a1615eb90464d884d436526b9cc8e3411a6058c7224c3 |
| SHA512 | 91f8d9d77fa0d8be243e5ce3204ec1250648f0218089b09c85e989ddb7391404482a6d50635cbd57365d9b7e86ce1bf8ff23cd06a449cb63f11cb3479d2d5b56 |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\jsext.js
| MD5 | 06d78b642df48da6c611761d8b616136 |
| SHA1 | 48ba92c2974779909047b2f1887b5d66e9c9325d |
| SHA256 | 5c17c18c96981130c96c24a87114b90676efea7635cbd2cfc6a07a33097445dd |
| SHA512 | b6ed05b8686699cd1f5e38a76c86638e562e064fd36c3905ba757b08c4a46bde30fc23c5e20201a95d7af00ce9985d23c61652542f08c8ccee1751f0fcae072d |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\sqlite.js
| MD5 | ead3485db2ed817389304084e463eaea |
| SHA1 | 53051a6e0cb6ac4f9b21392f3757145c6214be88 |
| SHA256 | 2bd2dae86eca63b36f85a6120e6730036c64d5f4b2a74e52332644d7f0c45965 |
| SHA512 | f6f8a5052552525602ab325d3ce03686a04ab9a2e03cc04337afccb1e1528c4dd66fba91fc2d12389b84d39184408727d73c5b65a51f33c1127278d1f7ee7cad |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\prfdb.js
| MD5 | a39f1a82ed0db74dee0c7bc4b7f80e15 |
| SHA1 | 4ed5a458e3bc43a8b82a05e5ac5566d81920e614 |
| SHA256 | 160ae8edb3aabbe96a2a2067f9242b5cb7655867ec056798881368959890eab3 |
| SHA512 | cbdbf7beb778ac4593240dfb7dc821a2d12876a61c8a6e67290f157171433fb29c95056dbac5c110334fbc7bcf73763e84ed37fc349fcfd97457b610228cb278 |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\lsdb.js
| MD5 | e39261215fb1c10ffb236e73a3d030d0 |
| SHA1 | 9dd7bce9fbebdbfc9788020d51da5f637520a3e7 |
| SHA256 | 6ee2c0672e12f09046d5975d2f372e2a4d7c35152c75928eccd81edf77442e9e |
| SHA512 | 20a8d4b60aa7321fc7ad95faab0e85ddd860dfacde4586e0c273930d975f5355cc3e916ee7e3e12271f5272212b51c2f15421011d1bf54fc1e8ed428e8c1cba6 |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\[email protected]\content\wx.xul
| MD5 | c36104441feb5a0b2ab443c953ddacc3 |
| SHA1 | ccd306c9171c7bb7354993281d4303eb7d1dace7 |
| SHA256 | 99fa570d5008f4f9ab020e4b80bbfd2ff1f079e475e83269b44a49b0779f3f34 |
| SHA512 | 72c73d1076605784fe33ce5950857f068352357f4697a083f7de9a5fdfeca4cb383af891a504e12e841cd88961ea0c0cb03d865c3d7ac4a897b38440c3ee3e8c |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\fildoiepmckiekpdaimnanlhlbhjiekk.crx
| MD5 | 59fa7e0e774c04a31c16d1d55fb9987e |
| SHA1 | d22af56e09b8ffcccd85e4c619ee32d7d10f18e5 |
| SHA256 | ad5f6c4acd15a9dd2306aba75c422e7b4370f00ac3e815c8ded697b2cb8dfa9c |
| SHA512 | 88ad9549f7472521a61c4c72921b45da5703202e0f4abecc846eb8539501aa07930c28a87da52495171969ead88c1a8e49296c77572eda99c8075d028ce22f63 |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\background.html
| MD5 | 74fbcc665f4b5056e177c411994b26fa |
| SHA1 | 78f7a4b5c72eb4fa52dbaf374ee4e516c56bd1b8 |
| SHA256 | 38f7eed1804c5a9fcd826f76ec9786ff4bf477eacb9ee93785648220ec9a3fb9 |
| SHA512 | a2534e1f48f95835624d357f43daca9fb2abcd09bde2f69d88fec5f2c27f1428a40ec2f467636356d3e40e14a57b6e740a324025a06e7ff7a28db8c527ea3d5e |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\content.js
| MD5 | 6698c2cb7bdd929ec1019627aa11e36e |
| SHA1 | 9e3435584b882492c7c65c80236eba0014fbc48c |
| SHA256 | 00d07bcf6d43c4c2d134e014321c6f65fa8eb6141a9dfe7e31fe2a5807fdeaa8 |
| SHA512 | 9e067e8e5dff395e901ed5c55988eef16e0ea3739fd238d218ab6f69a75bc3d0c53e2d1dce46508524a63cdb2d403a1f882f5978996bcbd4f4a41adc4e0aa1be |
C:\Users\Admin\AppData\Local\Temp\7zSA558.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\wxDfast\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |