Malware Analysis Report

2025-01-06 11:34

Sample ID 240603-e1kwxsce66
Target 9085257f73856569fae373230fbc6d9e_JaffaCakes118
SHA256 f0c05bffc0e423d5a620c9cdf4321d2982651320bb960c28bebb3c64e35000b9
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0c05bffc0e423d5a620c9cdf4321d2982651320bb960c28bebb3c64e35000b9

Threat Level: Known bad

The file 9085257f73856569fae373230fbc6d9e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Windows security modification

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:24

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:24

Reported

2024-06-03 04:27

Platform

win7-20240508-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\mmkajvoast.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\mmkajvoast.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\whzmhfwu = "hdjvpbyhvyysuwr.exe" C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hdukamjmbbzvm.exe" C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xugjrokv = "mmkajvoast.exe" C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\lzaymzmp.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\mmkajvoast.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lzaymzmp.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\mmkajvoast.exe N/A
File opened for modification C:\Windows\SysWOW64\hdukamjmbbzvm.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mmkajvoast.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mmkajvoast.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\lzaymzmp.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hdukamjmbbzvm.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
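
The registry rows in the Windows security bypass, Disables RegEdit, Explorer visibility and Modifies WinLogon tables, the Run key rows, and the System32 drops in the table just above are what an analyst turns into host checks. The following Python is an added example written for this page, not part of the sandbox report or its tooling. It parses rows in the report's own layout (Set value (type) key = "value" process, and File created path process), rewrites the kernel \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes as HKLM and HKU with the Wow6432Node redirection removed, flags the values that are abnormal on a workstation (any Security Center override or DisableNotify set to 1, DisableRegistryTools = 1, HideFileExt = 1, ShowSuperHidden = 0, a non-zero SFCDisable, any Run value), and pairs each Run value with the dropped SysWOW64 file it names, so the persistence chain reads sample, drop, Run entry. The ATT&CK technique IDs and rule labels are this example's own mapping; the report's MITRE ATT&CK section above is empty. Two caveats the rules encode: SFCDisable = 4294967197 is the DWORD 0xFFFFFF9D, -99 as a signed 32-bit value, the value historically used to switch off Windows File Protection on Windows 2000/XP; on the Windows 7 detonation platform Windows Resource Protection does not honour it, so treat it as an indicator of intent rather than a working bypass. And HideFileExt = 1 is what makes the PROTTPLN.DOC.exe and PROTTPLV.DOC.exe drops listed under Program Files below appear as PROTTPLN.DOC and PROTTPLV.DOC in Explorer.

```python
import re

# Constructed sample: indicator rows copied from the behavioral1 tables above
# (indicator, then the acting process); the trailing "N/A" Target column is dropped.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\mmkajvoast.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\mmkajvoast.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\mmkajvoast.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\mmkajvoast.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\mmkajvoast.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\mmkajvoast.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\mmkajvoast.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\whzmhfwu = "hdjvpbyhvyysuwr.exe" C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hdukamjmbbzvm.exe" C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xugjrokv = "mmkajvoast.exe" C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe',
    r'File created C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe',
    r'File created C:\Windows\SysWOW64\mmkajvoast.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe',
    r'File created C:\Windows\SysWOW64\hdukamjmbbzvm.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe',
    r'File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\mmkajvoast.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (.+)$')
FILE_RE = re.compile(r'^File (created|opened for modification) (.+?) (C:\\.+)$')
USER_HIVE_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\', re.I)


def normalize_key(key):
    """Turn the kernel \\REGISTRY\\... path the sandbox logs into the HKLM/HKU form
    used by reg.exe and PowerShell, and drop the WOW64 redirection node so a
    32-bit write (this sample runs under SysWOW64) compares equal to a 64-bit one."""
    key = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', key, flags=re.I)
    key = USER_HIVE_RE.sub(r'HKU\\\1\\', key)
    return key.replace('Wow6432Node\\', '')


def dword_signed(text):
    """The sandbox prints REG_DWORD as unsigned decimal; 4294967197 is 0xFFFFFF9D,
    which is -99 as a signed 32-bit value."""
    n = int(text)
    return n - (1 << 32) if n >= (1 << 31) else n


# Each rule: parent-key suffix, value names (None = any name), test on the printed
# value, label, ATT&CK technique. The technique mapping is this example's own.
RULES = [
    ("Microsoft\\Security Center",
     {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
      "FirewallDisableNotify", "UpdatesDisableNotify", "FirstRunDisabled"},
     lambda v: v == "1", "Security Center override/notification disabled", "T1562.001"),
    ("Policies\\System", {"DisableRegistryTools"}, lambda v: v == "1",
     "Registry Editor disabled by policy", "T1112"),
    ("Explorer\\Advanced", {"HideFileExt"}, lambda v: v == "1",
     "known file extensions hidden in Explorer", "T1564.001"),
    ("Explorer\\Advanced", {"ShowSuperHidden"}, lambda v: v == "0",
     "hidden/system files hidden in Explorer", "T1564.001"),
    ("CurrentVersion\\Winlogon", {"SFCDisable"}, lambda v: dword_signed(v) != 0,
     "SFCDisable set (WFP-era bypass value)", "T1562.001"),
    ("CurrentVersion\\Run", None, lambda v: True, "Run-key autostart", "T1547.001"),
]


def triage(rows):
    """Return one finding per registry row that matches a rule."""
    findings = []
    for row in rows:
        m = SET_RE.match(row)
        if not m:
            continue
        _vtype, raw_key, value, process = m.groups()
        parent, _, name = normalize_key(raw_key).rpartition('\\')
        for suffix, names, test, label, technique in RULES:
            if (parent.lower().endswith(suffix.lower())
                    and (names is None or name in names) and test(value)):
                findings.append({"key": parent, "name": name, "value": value,
                                 "process": process, "label": label,
                                 "technique": technique})
    return findings


def correlate_autostart(rows):
    """Map each Run value name to the dropped file it points at and the process
    that dropped it, so the persistence chain reads sample -> drop -> Run entry."""
    dropped = {}
    for row in rows:
        m = FILE_RE.match(row)
        if m and m.group(1) == "created":
            path, process = m.group(2), m.group(3)
            dropped[path.rsplit('\\', 1)[-1].lower()] = (path, process)
    chain = {}
    for f in triage(rows):
        if f["technique"] == "T1547.001":
            chain[f["name"] or "(Default)"] = dropped.get(f["value"].lower(), (f["value"], None))
    return chain


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['technique']}  {f['label']}: {f['key']}\\{f['name']} = {f['value']}  [{f['process']}]")
    for name, (path, dropper) in correlate_autostart(SAMPLE_ROWS).items():
        print(f"Run\\{name} -> {path} (dropped by {dropper})")
```

Run as a script it prints nine findings for the rows above and three Run entries, each resolved to the file the sample created under SysWOW64; SFCScan = 0 is deliberately not flagged, since that is the default. The same two functions can be fed the corresponding rows from the behavioral2 detonation to confirm the chain is stable across runs.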

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\lzaymzmp.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\lzaymzmp.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\lzaymzmp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B02047EF38EB53BAB9A73298D4BF" C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B0FE1A21A9D172D0A18A0B9017" C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\mmkajvoast.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\mmkajvoast.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\mmkajvoast.exe N/A
N/A N/A C:\Windows\SysWOW64\mmkajvoast.exe N/A
N/A N/A C:\Windows\SysWOW64\mmkajvoast.exe N/A
N/A N/A C:\Windows\SysWOW64\mmkajvoast.exe N/A
N/A N/A C:\Windows\SysWOW64\mmkajvoast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\lzaymzmp.exe N/A
N/A N/A C:\Windows\SysWOW64\lzaymzmp.exe N/A
N/A N/A C:\Windows\SysWOW64\lzaymzmp.exe N/A
N/A N/A C:\Windows\SysWOW64\lzaymzmp.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\lzaymzmp.exe N/A
N/A N/A C:\Windows\SysWOW64\lzaymzmp.exe N/A
N/A N/A C:\Windows\SysWOW64\lzaymzmp.exe N/A
N/A N/A C:\Windows\SysWOW64\lzaymzmp.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdukamjmbbzvm.exe N/A
N/A N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\mmkajvoast.exe
PID 1776 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\mmkajvoast.exe
PID 1776 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\mmkajvoast.exe
PID 1776 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\mmkajvoast.exe
PID 1776 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe
PID 1776 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe
PID 1776 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe
PID 1776 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe
PID 1776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\lzaymzmp.exe
PID 1776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\lzaymzmp.exe
PID 1776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\lzaymzmp.exe
PID 1776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\lzaymzmp.exe
PID 1776 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\hdukamjmbbzvm.exe
PID 1776 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\hdukamjmbbzvm.exe
PID 1776 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\hdukamjmbbzvm.exe
PID 1776 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\hdukamjmbbzvm.exe
PID 2632 wrote to memory of 2768 N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2768 N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2768 N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2768 N/A C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2836 N/A C:\Windows\SysWOW64\mmkajvoast.exe C:\Windows\SysWOW64\lzaymzmp.exe
PID 2592 wrote to memory of 2836 N/A C:\Windows\SysWOW64\mmkajvoast.exe C:\Windows\SysWOW64\lzaymzmp.exe
PID 2592 wrote to memory of 2836 N/A C:\Windows\SysWOW64\mmkajvoast.exe C:\Windows\SysWOW64\lzaymzmp.exe
PID 2592 wrote to memory of 2836 N/A C:\Windows\SysWOW64\mmkajvoast.exe C:\Windows\SysWOW64\lzaymzmp.exe
PID 1776 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1776 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1776 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1776 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2496 wrote to memory of 1432 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 1432 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 1432 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 1432 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\mmkajvoast.exe

mmkajvoast.exe

C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe

hdjvpbyhvyysuwr.exe

C:\Windows\SysWOW64\lzaymzmp.exe

lzaymzmp.exe

C:\Windows\SysWOW64\hdukamjmbbzvm.exe

hdukamjmbbzvm.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c hdukamjmbbzvm.exe

C:\Windows\SysWOW64\lzaymzmp.exe

C:\Windows\system32\lzaymzmp.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1776-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\hdjvpbyhvyysuwr.exe

MD5 b789bfc7ce3e905dc058b77dea080e48
SHA1 999264cb00b2d13277b69960e8f603126cb2876a
SHA256 a98eb48e8e3c38821028e1ab905b284cf4fc6ee5f0c7babc37434b300bf7d6de
SHA512 80a1d475d097b599b4ad7827405a7a1fbb18a99ec895ebc8d1df8a2e53cf4abb95203f58ee936f11c2c38ec80c82324ee520f0e72d61273628ec30ff16dea05c

\Windows\SysWOW64\mmkajvoast.exe

MD5 b5569ab588b7acef48f21ed070f916a4
SHA1 40a9681e97d2955c1c7584e0ae30f68a0b726fcf
SHA256 24735e33c08adaeeb9ae4683aa60b90649c568e91ac1e73d899a8113f3674122
SHA512 2f4c925b284b750907cbb0f48ebb0d4981917bfe367f2d03c9ae874c6ec6f11cead3ddc5c4a1cd02dab2aee0a88247c0c3a4766e4f4bb08290eb860d299fbfc7

\Windows\SysWOW64\lzaymzmp.exe

MD5 2bb542effe2acfe69391e6562c178905
SHA1 01feda7c5238993f9a3afd6962b900be4115941b
SHA256 521842ea46af50496ef255020b0d9031d756989fcac97ff61bc56f31ede8c237
SHA512 e8de5580383c6a03293b7ae6f2971c0f72d113cfa931aa962fd2a4ff0a9ebc8571b837b51079d5dd2aa2896afba72e1d60cc107eda8ff6f873f0a120a1786dbf

C:\Windows\SysWOW64\hdukamjmbbzvm.exe

MD5 c0b610bb137baf6ad1abfa48b3db8bcc
SHA1 51b7b8ce227e10d18dc64e347768ccd918891767
SHA256 53a0419049fb334d084f1dab90c55754033812ba94d243be0cb5a031ebdadd6d
SHA512 fc560b41e3eb219524c9088015a9d62478444e1431781c661bb5b0cdf53212bd09a7b0a2976a4c7888164e4d974ac33e69f05fd18184ea482065c77a1e185176

memory/2496-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 a8124b6a2838ce74400fc24ea6664654
SHA1 f082f43b0a7b529c4c33c96a3e3b76b5aedc922b
SHA256 bbfc58a6de9de17b06417f4ee762f2198fb8be78297e74d9ff4971a04b3e09b6
SHA512 aa9a3951f4106bf570909953b20612184850fb56a12421289620dd27174d3b5b3e9f9a9d22f5e3c238d6f3e1d255f9cb8f01fea6b29518b9ca90a19890e1c8c0

\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 d2a1e370f83b17b46d431399815150c3
SHA1 37fb31b9e50f07cc506341a18fd966edc34287fc
SHA256 5992289bd2029e7c6ec4c3060b3220d76150380aa0d63ab1cb978d74d7a64cc0
SHA512 0245cd93c1c8c7736605c29a8ab42084c6a68d315e9d64c0f7ab450656bad143032e0ec8f6c408f89f824b5744a1aa4f83f3d558af43abbfbda6b65299c06c0e

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 0d25449eea530a72236fbde585727582
SHA1 735736725eafbc0753eb1fdcb9d3b16a817a60a3
SHA256 4b82519975f239630222ab5a194f5d382f49eb6817f570de0440db5574165ff3
SHA512 3e81b17af8593210725a515ee1b5a2d0b4cee5eb2f3cf9b53d4e8cf2b136fc23a54f40cb179b5e8adc1249284394392d16e1f5b27d66395b77bb0d4cf21a6f1e

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 2dd6789b4d77e4f30cfba9014b7a2855
SHA1 35b1d5fc698821043778f187bf42bc4529b3fef6
SHA256 f17a2173d4c72840e3961a757a167037bfb5be40c8235ec77d614d58087164f4
SHA512 aed96081e51f4ef64d0d3f02100278661e78b2ff2fc8aea7209d4b229b9f1bafc0a46ca943f1242b748777e08c2f641caf3b72ce5935dd80f0c9f3ad10cbe069

memory/2496-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:24

Reported

2024-06-03 04:27

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cimwsbml = "gkdohbqkhv.exe" C:\Windows\SysWOW64\edcdtjppknptgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rnenmcla = "edcdtjppknptgfi.exe" C:\Windows\SysWOW64\edcdtjppknptgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bbkanbtabnskj.exe" C:\Windows\SysWOW64\edcdtjppknptgfi.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bowefidx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bowefidx.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\gkdohbqkhv.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created C:\Windows\SysWOW64\gkdohbqkhv.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bowefidx.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bowefidx.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bbkanbtabnskj.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created C:\Windows\SysWOW64\edcdtjppknptgfi.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\edcdtjppknptgfi.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created C:\Windows\SysWOW64\bbkanbtabnskj.exe C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bowefidx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bowefidx.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFAB0F911F1E284743B4B819B3E91B0FB02FA4268023DE1C942E608A3" C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BC3FE6922DFD173D0D38A749166" C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15A4490399853C8BAA232EAD4CE" C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FFFC482B85699136D75A7E91BD97E130593266446335D79E" C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67F15E7DAB5B8C97CE7ED9234C8" C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C0A9C2D83506A3476D277272CAE7D8665DF" C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gkdohbqkhv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\gkdohbqkhv.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\edcdtjppknptgfi.exe N/A
N/A N/A C:\Windows\SysWOW64\bowefidx.exe N/A
N/A N/A C:\Windows\SysWOW64\bbkanbtabnskj.exe N/A
N/A N/A C:\Windows\SysWOW64\gkdohbqkhv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\gkdohbqkhv.exe
PID 432 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\edcdtjppknptgfi.exe
PID 432 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\bowefidx.exe
PID 432 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Windows\SysWOW64\bbkanbtabnskj.exe
PID 432 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2996 wrote to memory of 2976 N/A C:\Windows\SysWOW64\gkdohbqkhv.exe C:\Windows\SysWOW64\bowefidx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9085257f73856569fae373230fbc6d9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\gkdohbqkhv.exe

gkdohbqkhv.exe

C:\Windows\SysWOW64\edcdtjppknptgfi.exe

edcdtjppknptgfi.exe

C:\Windows\SysWOW64\bowefidx.exe

bowefidx.exe

C:\Windows\SysWOW64\bbkanbtabnskj.exe

bbkanbtabnskj.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\bowefidx.exe

C:\Windows\system32\bowefidx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/432-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\edcdtjppknptgfi.exe

C:\Windows\SysWOW64\gkdohbqkhv.exe

C:\Windows\SysWOW64\bowefidx.exe

C:\Windows\SysWOW64\bbkanbtabnskj.exe

memory/1764-35-0x00007FFB05830000-0x00007FFB05840000-memory.dmp

memory/1764-37-0x00007FFB05830000-0x00007FFB05840000-memory.dmp

memory/1764-36-0x00007FFB05830000-0x00007FFB05840000-memory.dmp

memory/1764-39-0x00007FFB05830000-0x00007FFB05840000-memory.dmp

memory/1764-38-0x00007FFB05830000-0x00007FFB05840000-memory.dmp

memory/1764-40-0x00007FFB02ED0000-0x00007FFB02EE0000-memory.dmp

memory/1764-41-0x00007FFB02ED0000-0x00007FFB02EE0000-memory.dmp

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\TCD966E.tmp\gb.xsl

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

memory/1764-604-0x00007FFB05830000-0x00007FFB05840000-memory.dmp

memory/1764-605-0x00007FFB05830000-0x00007FFB05840000-memory.dmp

memory/1764-607-0x00007FFB05830000-0x00007FFB05840000-memory.dmp

memory/1764-606-0x00007FFB05830000-0x00007FFB05840000-memory.dmp