Analysis Overview
SHA256
4f99ed9890f48b7665470007e5a3d43b9624e190e3e9a2af1a65e8de5b4465b1
Threat Level: Shows suspicious behavior
The file JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
Installs/modifies Browser Helper Object
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
System policy modification
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 17:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 17:44
Reported
2025-07-04 17:47
Platform
win10v2004-20250502-en
Max time kernel
104s
Max time network
140s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\5.10\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ = "savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ = "savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID\ = "savensharee.5.10" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32\ = "C:\\ProgramData\\savenshaare\\5KCB.dll" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\CLSID\ = "{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\ = "savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\savenshaare\\5KCB.tlb" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\ = "savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CurVer\ = "savensharee.5.10" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CLSID\ = "{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID\ = "savensharee" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5144 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe |
| PID 5144 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe |
| PID 5144 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe"
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe
.\xcIre.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe
| MD5 | 8300c91b40229b42301aebc6d8859907 |
| SHA1 | 0b55e56a6add6b4dd4ceff475a0018a203d02a5a |
| SHA256 | f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5 |
| SHA512 | 0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.dat
| MD5 | 811dd34c6ef1aaa1b27651d92fb40c4f |
| SHA1 | 05e4983fdff22406fea6b8616fc0e3eb28a1512a |
| SHA256 | 5655d1c3fea97b461c165f662f2150f84e24161af0bca6d1babdeb0cca30d346 |
| SHA512 | f81d448bc5e45c3428efb899e26d77f7a611de026991b9a64b4287e04bf7bd39eaf933d1124343e67ff584a7edfd9e96fffd5ced0ef881c037d7f797e1267cc9 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\background.html
| MD5 | d98b59bdbbb6109eab0af889a803435a |
| SHA1 | 4602e546ccc638653a3cc6dce5b0b1bb5d288c50 |
| SHA256 | 4e3ffc9a2f4f67d6fbfd6cc7a2223733081f1ec7a53229f9fcbeacb7562d09e5 |
| SHA512 | 2edfbd494329815ab3d6425511a1b23ee3b89ecddfaeeeba08aaa9571c349b98df2dbc1fa52e8235bbcfeb90e692d4ed89fd478ca00b0b778c731e0a49956026 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\content.js
| MD5 | 5f9891607f65f433b0690bae7088b2c1 |
| SHA1 | b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de |
| SHA256 | fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b |
| SHA512 | 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\lsdb.js
| MD5 | 209b7ae0b6d8c3f9687c979d03b08089 |
| SHA1 | 6449f8bff917115eef4e7488fae61942a869200f |
| SHA256 | e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704 |
| SHA512 | 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\NeRad.js
| MD5 | 7aa2a7924a17f964afd52a0846b3aa9b |
| SHA1 | 885e818bc0b11dcd930098d3fdf17ee73bed13a7 |
| SHA256 | 25cc5fd035cdb0df758c59fdef0ea94c5629db5a4def77dbd8875f06eb3b3212 |
| SHA512 | 380f2eb1acb92e855516ff738bef849bff30c06b24c941c28df581397e803e5f285eda6c1becf4e5324e0f5e2a1348e167c87615d8e8f31c8ddd1f02ffa9b42f |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\manifest.json
| MD5 | 26f3f237cbb80b696c82cd97c503f9fd |
| SHA1 | 79450fadf2e91140b89be29db8a8c75b6bcb2af6 |
| SHA256 | 48206709e3b907f138f7eb3839057bcbd294fa7f970d6237b4afd1e5494e52ee |
| SHA512 | f6854ad5dc9badc44f7fceecf52bbf0d4ab7c715edfa1a2fbab6450fd0f7131adfe19debe57fd2a1bcefa2818a86a7ed5b42d8838fa404a5b40a527de51013be |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\sqlite.js
| MD5 | 24e97e8cc0176c27b83528b1928b197e |
| SHA1 | b4e361f8b041c514e6ca88b5e149c2780b0e2f28 |
| SHA256 | 1eff085139bb1abf1187cc24bfb218c430d421472466f670b006ae7cd5726af8 |
| SHA512 | cd2ec20ce1b6d6ac33f9818941e85f3d79b4d092f8863f58cd73f0fe2e223c88c305b4e96f86770b00c40cfe1cf6a8a75716bbfa6d7874082737decb65ac9cb6 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\[email protected]\bootstrap.js
| MD5 | 1b53c596cfb1aa2209446ff64c17dabd |
| SHA1 | 2542da14728dcdbe1763f1ee39fe9ceae38ad414 |
| SHA256 | a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f |
| SHA512 | be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\[email protected]\chrome.manifest
| MD5 | 78e8d7bdc6dc9be591c4e23fd0a8d9bb |
| SHA1 | c649856d936dcd3c3cbd34d81b4f373fcd17e655 |
| SHA256 | a3a1d38d5417420561d2b1c954e32eb34cbbb9177720efe06a58af1ef573f5e7 |
| SHA512 | a97aaec43c761b141e613bbe0caa88021a5450544f59209545e6b624b0b5825d6becd3067eaf746b80553499863cce47cc24fd8b758be468d1575859a018b392 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\[email protected]\install.rdf
| MD5 | 10965b74b4887ef4fba1547cf43749b9 |
| SHA1 | 0f11cd9b94646b53d5ebb6927ae950a3b3da3fb7 |
| SHA256 | cd531e86d0e910c653771fb7106a63b0ebccd69de22ad2a293b00198daae4f6f |
| SHA512 | ad8106086ef03954c739f2012f12bd07cfef556c63acb2ebe2ae1e3b9287234d9270613538140b15e44270c4b08936986c9f1f3ef9174359917727c7c25a3ce2 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\[email protected]\content\bg.js
| MD5 | a81739ef8ab7f4df5f244a96f067b297 |
| SHA1 | 3900aa599bbe3fe6c9148fe701393aba259dc6f9 |
| SHA256 | 86a26363c40f498e292d07f8fc9c561f493d84dba1c93e1ef645913e885fb11f |
| SHA512 | f398ff61ef28b85dadb1c3cae62e3b52746701c73a0c3bf85ff1df9deca3c021596f312d43ac1d680991a5e171202caa76216a8d6fd476ea42ca65b8c065132a |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\5KCB.dll
| MD5 | e9b27306a18f18b88945cdf066de2fc9 |
| SHA1 | 4d18490fbb336e261301a967047065dd561cc2f2 |
| SHA256 | a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c |
| SHA512 | f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\5KCB.tlb
| MD5 | 39d776f73d1d3f771aaa8c3561367c3a |
| SHA1 | eef842aa02927bd7fbe7d569c5446ef1a2ea065f |
| SHA256 | c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941 |
| SHA512 | 3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3 |
C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\1002107223707559128.log
| MD5 | f29442563a06eee58c2f2a8f69786d99 |
| SHA1 | f914fd0246924293eedbc57230ff6df5e4576ace |
| SHA256 | 63b86eebac2b19b0a3b342a7a20c335217f585474fdb61514c4c6586efdb6fa2 |
| SHA512 | 0a17972d9272ee0c83776b25f3e313542d3d07c665e75de44a86d4dac731167ee631c5f3573ab00e923944a67e483af078951dfba9e22d3e3cb71da042019706 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 17:44
Reported
2025-07-04 17:47
Platform
win11-20250619-en
Max time kernel
103s
Max time network
109s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\5.10\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ = "savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\ = "savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CurVer\ = "savensharee.5.10" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID\ = "savensharee" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID\ = "savensharee.5.10" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\savenshaare\\5KCB.tlb" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CLSID\ = "{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ = "savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32\ = "C:\\ProgramData\\savenshaare\\5KCB.dll" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\CLSID\ = "{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\ = "savenshaare" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe |
| PID 2440 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe |
| PID 2440 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe"
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe
.\xcIre.exe
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe
| MD5 | 8300c91b40229b42301aebc6d8859907 |
| SHA1 | 0b55e56a6add6b4dd4ceff475a0018a203d02a5a |
| SHA256 | f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5 |
| SHA512 | 0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.dat
| MD5 | 811dd34c6ef1aaa1b27651d92fb40c4f |
| SHA1 | 05e4983fdff22406fea6b8616fc0e3eb28a1512a |
| SHA256 | 5655d1c3fea97b461c165f662f2150f84e24161af0bca6d1babdeb0cca30d346 |
| SHA512 | f81d448bc5e45c3428efb899e26d77f7a611de026991b9a64b4287e04bf7bd39eaf933d1124343e67ff584a7edfd9e96fffd5ced0ef881c037d7f797e1267cc9 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\content.js
| MD5 | 5f9891607f65f433b0690bae7088b2c1 |
| SHA1 | b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de |
| SHA256 | fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b |
| SHA512 | 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\lsdb.js
| MD5 | 209b7ae0b6d8c3f9687c979d03b08089 |
| SHA1 | 6449f8bff917115eef4e7488fae61942a869200f |
| SHA256 | e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704 |
| SHA512 | 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\NeRad.js
| MD5 | 7aa2a7924a17f964afd52a0846b3aa9b |
| SHA1 | 885e818bc0b11dcd930098d3fdf17ee73bed13a7 |
| SHA256 | 25cc5fd035cdb0df758c59fdef0ea94c5629db5a4def77dbd8875f06eb3b3212 |
| SHA512 | 380f2eb1acb92e855516ff738bef849bff30c06b24c941c28df581397e803e5f285eda6c1becf4e5324e0f5e2a1348e167c87615d8e8f31c8ddd1f02ffa9b42f |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\background.html
| MD5 | d98b59bdbbb6109eab0af889a803435a |
| SHA1 | 4602e546ccc638653a3cc6dce5b0b1bb5d288c50 |
| SHA256 | 4e3ffc9a2f4f67d6fbfd6cc7a2223733081f1ec7a53229f9fcbeacb7562d09e5 |
| SHA512 | 2edfbd494329815ab3d6425511a1b23ee3b89ecddfaeeeba08aaa9571c349b98df2dbc1fa52e8235bbcfeb90e692d4ed89fd478ca00b0b778c731e0a49956026 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\manifest.json
| MD5 | 26f3f237cbb80b696c82cd97c503f9fd |
| SHA1 | 79450fadf2e91140b89be29db8a8c75b6bcb2af6 |
| SHA256 | 48206709e3b907f138f7eb3839057bcbd294fa7f970d6237b4afd1e5494e52ee |
| SHA512 | f6854ad5dc9badc44f7fceecf52bbf0d4ab7c715edfa1a2fbab6450fd0f7131adfe19debe57fd2a1bcefa2818a86a7ed5b42d8838fa404a5b40a527de51013be |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\sqlite.js
| MD5 | 24e97e8cc0176c27b83528b1928b197e |
| SHA1 | b4e361f8b041c514e6ca88b5e149c2780b0e2f28 |
| SHA256 | 1eff085139bb1abf1187cc24bfb218c430d421472466f670b006ae7cd5726af8 |
| SHA512 | cd2ec20ce1b6d6ac33f9818941e85f3d79b4d092f8863f58cd73f0fe2e223c88c305b4e96f86770b00c40cfe1cf6a8a75716bbfa6d7874082737decb65ac9cb6 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\bootstrap.js
| MD5 | 1b53c596cfb1aa2209446ff64c17dabd |
| SHA1 | 2542da14728dcdbe1763f1ee39fe9ceae38ad414 |
| SHA256 | a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f |
| SHA512 | be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\content\bg.js
| MD5 | a81739ef8ab7f4df5f244a96f067b297 |
| SHA1 | 3900aa599bbe3fe6c9148fe701393aba259dc6f9 |
| SHA256 | 86a26363c40f498e292d07f8fc9c561f493d84dba1c93e1ef645913e885fb11f |
| SHA512 | f398ff61ef28b85dadb1c3cae62e3b52746701c73a0c3bf85ff1df9deca3c021596f312d43ac1d680991a5e171202caa76216a8d6fd476ea42ca65b8c065132a |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\chrome.manifest
| MD5 | 78e8d7bdc6dc9be591c4e23fd0a8d9bb |
| SHA1 | c649856d936dcd3c3cbd34d81b4f373fcd17e655 |
| SHA256 | a3a1d38d5417420561d2b1c954e32eb34cbbb9177720efe06a58af1ef573f5e7 |
| SHA512 | a97aaec43c761b141e613bbe0caa88021a5450544f59209545e6b624b0b5825d6becd3067eaf746b80553499863cce47cc24fd8b758be468d1575859a018b392 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\install.rdf
| MD5 | 10965b74b4887ef4fba1547cf43749b9 |
| SHA1 | 0f11cd9b94646b53d5ebb6927ae950a3b3da3fb7 |
| SHA256 | cd531e86d0e910c653771fb7106a63b0ebccd69de22ad2a293b00198daae4f6f |
| SHA512 | ad8106086ef03954c739f2012f12bd07cfef556c63acb2ebe2ae1e3b9287234d9270613538140b15e44270c4b08936986c9f1f3ef9174359917727c7c25a3ce2 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\5KCB.dll
| MD5 | e9b27306a18f18b88945cdf066de2fc9 |
| SHA1 | 4d18490fbb336e261301a967047065dd561cc2f2 |
| SHA256 | a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c |
| SHA512 | f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\5KCB.tlb
| MD5 | 39d776f73d1d3f771aaa8c3561367c3a |
| SHA1 | eef842aa02927bd7fbe7d569c5446ef1a2ea065f |
| SHA256 | c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941 |
| SHA512 | 3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3 |
C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\1002107223707559128.log
| MD5 | 3c54b3cd233e14fca44470ae8ffaf285 |
| SHA1 | 95b6482d1716baee5f1194917897c3c3c1c5c894 |
| SHA256 | 241a920df2ee8460343f78021e26c47a617362b15f6f53a93f8fb49873cdf378 |
| SHA512 | 592899c8191b1f6043e411328b5a97aa4f69606c1f48b6ebea4c64510e56b9ea4da3418d0763e2ec59633de6796d43a0a5c64597487735ebf71fabdf03ed891d |