Malware Analysis Report

2025-08-05 14:54

Sample ID 250704-wbky3awzd1
Target JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f
SHA256 4f99ed9890f48b7665470007e5a3d43b9624e190e3e9a2af1a65e8de5b4465b1
Tags
adware defense_evasion discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4f99ed9890f48b7665470007e5a3d43b9624e190e3e9a2af1a65e8de5b4465b1

Threat Level: Shows suspicious behavior

The file JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware defense_evasion discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Drops Chrome extension

Installs/modifies Browser Helper Object

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

System policy modification

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:44

Reported

2025-07-04 17:47

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\5.10\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ = "savenshaare" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ = "savenshaare" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\CLSID C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID\ = "savensharee.5.10" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32\ = "C:\\ProgramData\\savenshaare\\5KCB.dll" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\CLSID\ = "{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\ = "savenshaare" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\savenshaare\\5KCB.tlb" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\savenshaare" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\ = "savenshaare" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CurVer\ = "savensharee.5.10" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CLSID\ = "{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID\ = "savensharee" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CurVer C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CLSID C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} = "1" C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe"

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe

.\xcIre.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.exe

MD5 8300c91b40229b42301aebc6d8859907
SHA1 0b55e56a6add6b4dd4ceff475a0018a203d02a5a
SHA256 f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5
SHA512 0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\xcIre.dat

MD5 811dd34c6ef1aaa1b27651d92fb40c4f
SHA1 05e4983fdff22406fea6b8616fc0e3eb28a1512a
SHA256 5655d1c3fea97b461c165f662f2150f84e24161af0bca6d1babdeb0cca30d346
SHA512 f81d448bc5e45c3428efb899e26d77f7a611de026991b9a64b4287e04bf7bd39eaf933d1124343e67ff584a7edfd9e96fffd5ced0ef881c037d7f797e1267cc9

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\background.html

MD5 d98b59bdbbb6109eab0af889a803435a
SHA1 4602e546ccc638653a3cc6dce5b0b1bb5d288c50
SHA256 4e3ffc9a2f4f67d6fbfd6cc7a2223733081f1ec7a53229f9fcbeacb7562d09e5
SHA512 2edfbd494329815ab3d6425511a1b23ee3b89ecddfaeeeba08aaa9571c349b98df2dbc1fa52e8235bbcfeb90e692d4ed89fd478ca00b0b778c731e0a49956026

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\NeRad.js

MD5 7aa2a7924a17f964afd52a0846b3aa9b
SHA1 885e818bc0b11dcd930098d3fdf17ee73bed13a7
SHA256 25cc5fd035cdb0df758c59fdef0ea94c5629db5a4def77dbd8875f06eb3b3212
SHA512 380f2eb1acb92e855516ff738bef849bff30c06b24c941c28df581397e803e5f285eda6c1becf4e5324e0f5e2a1348e167c87615d8e8f31c8ddd1f02ffa9b42f

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\manifest.json

MD5 26f3f237cbb80b696c82cd97c503f9fd
SHA1 79450fadf2e91140b89be29db8a8c75b6bcb2af6
SHA256 48206709e3b907f138f7eb3839057bcbd294fa7f970d6237b4afd1e5494e52ee
SHA512 f6854ad5dc9badc44f7fceecf52bbf0d4ab7c715edfa1a2fbab6450fd0f7131adfe19debe57fd2a1bcefa2818a86a7ed5b42d8838fa404a5b40a527de51013be

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\sqlite.js

MD5 24e97e8cc0176c27b83528b1928b197e
SHA1 b4e361f8b041c514e6ca88b5e149c2780b0e2f28
SHA256 1eff085139bb1abf1187cc24bfb218c430d421472466f670b006ae7cd5726af8
SHA512 cd2ec20ce1b6d6ac33f9818941e85f3d79b4d092f8863f58cd73f0fe2e223c88c305b4e96f86770b00c40cfe1cf6a8a75716bbfa6d7874082737decb65ac9cb6

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\[email protected]\bootstrap.js

MD5 1b53c596cfb1aa2209446ff64c17dabd
SHA1 2542da14728dcdbe1763f1ee39fe9ceae38ad414
SHA256 a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f
SHA512 be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\[email protected]\chrome.manifest

MD5 78e8d7bdc6dc9be591c4e23fd0a8d9bb
SHA1 c649856d936dcd3c3cbd34d81b4f373fcd17e655
SHA256 a3a1d38d5417420561d2b1c954e32eb34cbbb9177720efe06a58af1ef573f5e7
SHA512 a97aaec43c761b141e613bbe0caa88021a5450544f59209545e6b624b0b5825d6becd3067eaf746b80553499863cce47cc24fd8b758be468d1575859a018b392

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\[email protected]\install.rdf

MD5 10965b74b4887ef4fba1547cf43749b9
SHA1 0f11cd9b94646b53d5ebb6927ae950a3b3da3fb7
SHA256 cd531e86d0e910c653771fb7106a63b0ebccd69de22ad2a293b00198daae4f6f
SHA512 ad8106086ef03954c739f2012f12bd07cfef556c63acb2ebe2ae1e3b9287234d9270613538140b15e44270c4b08936986c9f1f3ef9174359917727c7c25a3ce2

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\[email protected]\content\bg.js

MD5 a81739ef8ab7f4df5f244a96f067b297
SHA1 3900aa599bbe3fe6c9148fe701393aba259dc6f9
SHA256 86a26363c40f498e292d07f8fc9c561f493d84dba1c93e1ef645913e885fb11f
SHA512 f398ff61ef28b85dadb1c3cae62e3b52746701c73a0c3bf85ff1df9deca3c021596f312d43ac1d680991a5e171202caa76216a8d6fd476ea42ca65b8c065132a

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\5KCB.dll

MD5 e9b27306a18f18b88945cdf066de2fc9
SHA1 4d18490fbb336e261301a967047065dd561cc2f2
SHA256 a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c
SHA512 f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\5KCB.tlb

MD5 39d776f73d1d3f771aaa8c3561367c3a
SHA1 eef842aa02927bd7fbe7d569c5446ef1a2ea065f
SHA256 c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941
SHA512 3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3

C:\Users\Admin\AppData\Local\Temp\7zSF184.tmp\1002107223707559128.log

MD5 f29442563a06eee58c2f2a8f69786d99
SHA1 f914fd0246924293eedbc57230ff6df5e4576ace
SHA256 63b86eebac2b19b0a3b342a7a20c335217f585474fdb61514c4c6586efdb6fa2
SHA512 0a17972d9272ee0c83776b25f3e313542d3d07c665e75de44a86d4dac731167ee631c5f3573ab00e923944a67e483af078951dfba9e22d3e3cb71da042019706

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 17:44

Reported

2025-07-04 17:47

Platform

win11-20250619-en

Max time kernel

103s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\5.10\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ = "savenshaare" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\ = "savenshaare" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CurVer\ = "savensharee.5.10" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID\ = "savensharee" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\savenshaare" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CurVer C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ProgID\ = "savensharee.5.10" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\savenshaare\\5KCB.tlb" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CLSID\ = "{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\ = "savenshaare" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\InprocServer32\ = "C:\\ProgramData\\savenshaare\\5KCB.dll" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\CLSID\ = "{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\ = "savenshaare" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee.5.10\CLSID C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\savensharee.savensharee\CLSID C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6097A6DA-37B3-D0D5-5F8D-97356331ABAB} = "1" C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe

.\xcIre.exe

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe

MD5 8300c91b40229b42301aebc6d8859907
SHA1 0b55e56a6add6b4dd4ceff475a0018a203d02a5a
SHA256 f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5
SHA512 0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.dat

MD5 811dd34c6ef1aaa1b27651d92fb40c4f
SHA1 05e4983fdff22406fea6b8616fc0e3eb28a1512a
SHA256 5655d1c3fea97b461c165f662f2150f84e24161af0bca6d1babdeb0cca30d346
SHA512 f81d448bc5e45c3428efb899e26d77f7a611de026991b9a64b4287e04bf7bd39eaf933d1124343e67ff584a7edfd9e96fffd5ced0ef881c037d7f797e1267cc9

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\NeRad.js

MD5 7aa2a7924a17f964afd52a0846b3aa9b
SHA1 885e818bc0b11dcd930098d3fdf17ee73bed13a7
SHA256 25cc5fd035cdb0df758c59fdef0ea94c5629db5a4def77dbd8875f06eb3b3212
SHA512 380f2eb1acb92e855516ff738bef849bff30c06b24c941c28df581397e803e5f285eda6c1becf4e5324e0f5e2a1348e167c87615d8e8f31c8ddd1f02ffa9b42f

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\background.html

MD5 d98b59bdbbb6109eab0af889a803435a
SHA1 4602e546ccc638653a3cc6dce5b0b1bb5d288c50
SHA256 4e3ffc9a2f4f67d6fbfd6cc7a2223733081f1ec7a53229f9fcbeacb7562d09e5
SHA512 2edfbd494329815ab3d6425511a1b23ee3b89ecddfaeeeba08aaa9571c349b98df2dbc1fa52e8235bbcfeb90e692d4ed89fd478ca00b0b778c731e0a49956026

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\manifest.json

MD5 26f3f237cbb80b696c82cd97c503f9fd
SHA1 79450fadf2e91140b89be29db8a8c75b6bcb2af6
SHA256 48206709e3b907f138f7eb3839057bcbd294fa7f970d6237b4afd1e5494e52ee
SHA512 f6854ad5dc9badc44f7fceecf52bbf0d4ab7c715edfa1a2fbab6450fd0f7131adfe19debe57fd2a1bcefa2818a86a7ed5b42d8838fa404a5b40a527de51013be

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\sqlite.js

MD5 24e97e8cc0176c27b83528b1928b197e
SHA1 b4e361f8b041c514e6ca88b5e149c2780b0e2f28
SHA256 1eff085139bb1abf1187cc24bfb218c430d421472466f670b006ae7cd5726af8
SHA512 cd2ec20ce1b6d6ac33f9818941e85f3d79b4d092f8863f58cd73f0fe2e223c88c305b4e96f86770b00c40cfe1cf6a8a75716bbfa6d7874082737decb65ac9cb6

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\bootstrap.js

MD5 1b53c596cfb1aa2209446ff64c17dabd
SHA1 2542da14728dcdbe1763f1ee39fe9ceae38ad414
SHA256 a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f
SHA512 be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\content\bg.js

MD5 a81739ef8ab7f4df5f244a96f067b297
SHA1 3900aa599bbe3fe6c9148fe701393aba259dc6f9
SHA256 86a26363c40f498e292d07f8fc9c561f493d84dba1c93e1ef645913e885fb11f
SHA512 f398ff61ef28b85dadb1c3cae62e3b52746701c73a0c3bf85ff1df9deca3c021596f312d43ac1d680991a5e171202caa76216a8d6fd476ea42ca65b8c065132a

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\chrome.manifest

MD5 78e8d7bdc6dc9be591c4e23fd0a8d9bb
SHA1 c649856d936dcd3c3cbd34d81b4f373fcd17e655
SHA256 a3a1d38d5417420561d2b1c954e32eb34cbbb9177720efe06a58af1ef573f5e7
SHA512 a97aaec43c761b141e613bbe0caa88021a5450544f59209545e6b624b0b5825d6becd3067eaf746b80553499863cce47cc24fd8b758be468d1575859a018b392

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\install.rdf

MD5 10965b74b4887ef4fba1547cf43749b9
SHA1 0f11cd9b94646b53d5ebb6927ae950a3b3da3fb7
SHA256 cd531e86d0e910c653771fb7106a63b0ebccd69de22ad2a293b00198daae4f6f
SHA512 ad8106086ef03954c739f2012f12bd07cfef556c63acb2ebe2ae1e3b9287234d9270613538140b15e44270c4b08936986c9f1f3ef9174359917727c7c25a3ce2

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\5KCB.dll

MD5 e9b27306a18f18b88945cdf066de2fc9
SHA1 4d18490fbb336e261301a967047065dd561cc2f2
SHA256 a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c
SHA512 f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\5KCB.tlb

MD5 39d776f73d1d3f771aaa8c3561367c3a
SHA1 eef842aa02927bd7fbe7d569c5446ef1a2ea065f
SHA256 c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941
SHA512 3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3

C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\1002107223707559128.log

MD5 3c54b3cd233e14fca44470ae8ffaf285
SHA1 95b6482d1716baee5f1194917897c3c3c1c5c894
SHA256 241a920df2ee8460343f78021e26c47a617362b15f6f53a93f8fb49873cdf378
SHA512 592899c8191b1f6043e411328b5a97aa4f69606c1f48b6ebea4c64510e56b9ea4da3418d0763e2ec59633de6796d43a0a5c64597487735ebf71fabdf03ed891d