Malware Analysis Report

2024-11-16 10:46

Sample ID 240603-h7rjtshb39
Target 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118
SHA256 f6b159c8e4bb247707be0d044837853e913065bc2c0c0e0d4d23dd3148afaaad
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6b159c8e4bb247707be0d044837853e913065bc2c0c0e0d4d23dd3148afaaad

Threat Level: Known bad

The file 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:22

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:22

Reported

2024-06-03 07:25

Platform

win7-20240508-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\shepudktgt.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\shepudktgt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ppnpqtwk = "shepudktgt.exe" C:\Windows\SysWOW64\wqootfsbvvudioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fadgchdr = "wqootfsbvvudioe.exe" C:\Windows\SysWOW64\wqootfsbvvudioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kblhixibkspxb.exe" C:\Windows\SysWOW64\wqootfsbvvudioe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hyzqdpem.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\shepudktgt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\shepudktgt.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shepudktgt.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wqootfsbvvudioe.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hyzqdpem.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kblhixibkspxb.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kblhixibkspxb.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\shepudktgt.exe N/A
File opened for modification C:\Windows\SysWOW64\shepudktgt.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wqootfsbvvudioe.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hyzqdpem.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hyzqdpem.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hyzqdpem.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyzqdpem.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B05844E438E353CAB9D232E9D7CB" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\shepudktgt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC60915E6DAC7B8BE7C95EDE537CB" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C0B9C2C82246D4276D470562DDA7DF265DD" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\shepudktgt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\shepudktgt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\shepudktgt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\shepudktgt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9CCF962F19684743B4781983993B389038B4214033DE1BE42EF08D6" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\shepudktgt.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\shepudktgt.exe N/A
N/A N/A C:\Windows\SysWOW64\hyzqdpem.exe N/A
N/A N/A C:\Windows\SysWOW64\kblhixibkspxb.exe N/A
N/A N/A C:\Windows\SysWOW64\wqootfsbvvudioe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\shepudktgt.exe N/A
N/A N/A C:\Windows\SysWOW64\hyzqdpem.exe N/A
N/A N/A C:\Windows\SysWOW64\kblhixibkspxb.exe N/A
N/A N/A C:\Windows\SysWOW64\wqootfsbvvudioe.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\shepudktgt.exe N/A
N/A N/A C:\Windows\SysWOW64\hyzqdpem.exe N/A
N/A N/A C:\Windows\SysWOW64\kblhixibkspxb.exe N/A
N/A N/A C:\Windows\SysWOW64\wqootfsbvvudioe.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\shepudktgt.exe
PID 1532 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\wqootfsbvvudioe.exe
PID 1532 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\hyzqdpem.exe
PID 1532 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\kblhixibkspxb.exe
PID 2100 wrote to memory of 1972 N/A C:\Windows\SysWOW64\shepudktgt.exe C:\Windows\SysWOW64\hyzqdpem.exe
PID 1532 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2468 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe"

C:\Windows\SysWOW64\shepudktgt.exe

shepudktgt.exe

C:\Windows\SysWOW64\wqootfsbvvudioe.exe

wqootfsbvvudioe.exe

C:\Windows\SysWOW64\hyzqdpem.exe

hyzqdpem.exe

C:\Windows\SysWOW64\kblhixibkspxb.exe

kblhixibkspxb.exe

C:\Windows\SysWOW64\hyzqdpem.exe

C:\Windows\system32\hyzqdpem.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1532-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\wqootfsbvvudioe.exe

MD5 7645aa45c5b8746b4a34f9cf4eb77ff0
SHA1 4572d1fe871067424e5d3d2e7b7bdf792c55970d
SHA256 59fdbc19bfc0fe5b7701bd4ff8d71d0910cf8d976408b9912f6b61cc0ca0d202
SHA512 6827fb85e1d1009889bf1badafe3558d5d47670e479e68cdb5ea9732ab6b5a03cab869ff0cb25c95a7ec1daeab74fd7d2ec347e0a5cab2e954c6a72f62717ec5

\Windows\SysWOW64\shepudktgt.exe

MD5 5adf39088d6c1ec648f604e6c74758b0
SHA1 7769268d867accaa120db47f49d17fcfaa3dce11
SHA256 a42c6b92564d3c4aa2dc2aa32f5e21a3107d2312edee2591bdb42f7b883b90a6
SHA512 9d68ab69c0709deafefd6514bda9dbb10cb548c4d1e287982ccd617d0b9374a80446533205d8b4a9710f0daf457bf458478eabcd5d456ab47ae99d240d488a14

\Windows\SysWOW64\hyzqdpem.exe

MD5 254306bac88b4bc66670286aeeeafa3b
SHA1 700b3633064564c44a65ec8b1318042ac76bd652
SHA256 21884f7885565687529bcfcce037a98c7d549b961fdc62899d6890faa15e9877
SHA512 989ce155a122983e3eb58b2bba8d765ad906eaaca89e3d60a47f8338d75f3f3e177ea3d8018689efbd1f1d1a8615c9dc838072914e8fd5f7800cbeb2dc51885b

C:\Windows\SysWOW64\kblhixibkspxb.exe

MD5 275f2c1d0b3c40ac9aa69d2c6420d63b
SHA1 b1b5a09fe809dcc032ca8aa225c1b9dba75d3734
SHA256 c6a8a0f7ba61c528d510f173b0cf751078954278500f0064ae235b4a2c353adf
SHA512 8256710f98f5194a779372fa899a8e512d0a3a7ffeaecb628817881c52ac7a9b77fc5703c99814db6228beb77e0ad360c63435f32ebb65fe57a6ea8ad70332b6

memory/2468-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:22

Reported

2024-06-03 07:25

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\vjlwacwfji.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vjlwacwfji.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjiozylw = "vjlwacwfji.exe" C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xwxhvkqy = "yerkmrlagdeoiok.exe" C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lrbnmpgmgfjbk.exe" C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\audrlbrc.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\vjlwacwfji.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vjlwacwfji.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yerkmrlagdeoiok.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File created C:\Windows\SysWOW64\vjlwacwfji.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yerkmrlagdeoiok.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\vjlwacwfji.exe N/A
File created C:\Windows\SysWOW64\audrlbrc.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\audrlbrc.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\audrlbrc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\audrlbrc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C0D9C2582586A4676D377212CD87D8464AB" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB02F4795389953B9BAD033E8D7C5" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70F1493DAB3B9B97C94EC9F37B9" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFAB1FE16F192837D3A4386973990B08802F043140349E1BE42EF08A1" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFCFC485D851F9135D65C7D92BDE0E135594167366345D79F" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC6FE6D21AED17AD1A78A759014" C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\vjlwacwfji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\vjlwacwfji.exe N/A
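The rows above show vjlwacwfji.exe pointing the HKLM\SOFTWARE\Classes keys for .bat, .reg, .vbs, .wsf, .wsh and .wsc at the "txtfile" ProgID, so double-clicking any of those script types opens it in Notepad instead of running it (a cheap way to break script-based cleanup tools and .reg fixes). Registry key names are case-insensitive, so the ".WSF"/".wsf" and ".WSH"/".wsh" rows refer to the same keys. The following check is an added example, not part of the sandbox report: it audits those six keys on a host and reports which ones have been remapped. The expected ProgIDs are the stock Windows 10 defaults as I know them; a hardening baseline or endpoint product may legitimately set different ones, so treat "UNEXPECTED" as a prompt to look, not as a verdict.

```powershell
# Added example (not from the report): audit the script-extension ProgIDs the
# sample rewrote. Run in an elevated PowerShell on the host under investigation.
# Expected values are assumed stock Windows 10 defaults.
$expected = @{
    '.bat' = 'batfile'
    '.reg' = 'regfile'
    '.vbs' = 'VBSFile'
    '.wsf' = 'WSFFile'
    '.wsh' = 'WSHFile'
    '.wsc' = 'scriptletfile'
}

function Test-ScriptAssociations {
    # $Root defaults to the hive the sample modified; pass 'HKCU:\Software\Classes'
    # as well, because a per-user override there wins over HKLM for that user.
    param([string]$Root = 'HKLM:\SOFTWARE\Classes')

    foreach ($ext in ($expected.Keys | Sort-Object)) {
        $key = Join-Path $Root $ext
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Extension = $ext; Current = '<missing>'; Expected = $expected[$ext]; Status = 'MISSING' }
            continue
        }
        # The (default) value of HKLM\SOFTWARE\Classes\<ext> holds the ProgID.
        $current = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        $status = if ($current -eq 'txtfile') { 'REMAPPED_TO_TXTFILE' }
                  elseif ($current -eq $expected[$ext]) { 'OK' }
                  else { 'UNEXPECTED' }
        [pscustomobject]@{ Extension = $ext; Current = $current; Expected = $expected[$ext]; Status = $status }
    }
}

Test-ScriptAssociations | Format-Table -AutoSize

# Remediation (uncomment only after the dropped SysWOW64 executables are gone,
# otherwise the running malware just rewrites the keys):
# foreach ($ext in $expected.Keys) {
#     Set-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\$ext" -Name '(default)' -Value $expected[$ext]
# }
```

Run it twice, once with the default HKLM root and once with -Root 'HKCU:\Software\Classes', since Explorer merges both into HKEY_CLASSES_ROOT and an attacker who only has user rights would write the HKCU side.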

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\vjlwacwfji.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\yerkmrlagdeoiok.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A
N/A N/A C:\Windows\SysWOW64\audrlbrc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\vjlwacwfji.exe
PID 3856 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\vjlwacwfji.exe
PID 3856 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\vjlwacwfji.exe
PID 3856 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\yerkmrlagdeoiok.exe
PID 3856 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\yerkmrlagdeoiok.exe
PID 3856 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\yerkmrlagdeoiok.exe
PID 3856 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\audrlbrc.exe
PID 3856 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\audrlbrc.exe
PID 3856 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\audrlbrc.exe
PID 3856 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe
PID 3856 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe
PID 3856 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe
PID 3856 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3856 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3224 wrote to memory of 1464 N/A C:\Windows\SysWOW64\vjlwacwfji.exe C:\Windows\SysWOW64\audrlbrc.exe
PID 3224 wrote to memory of 1464 N/A C:\Windows\SysWOW64\vjlwacwfji.exe C:\Windows\SysWOW64\audrlbrc.exe
PID 3224 wrote to memory of 1464 N/A C:\Windows\SysWOW64\vjlwacwfji.exe C:\Windows\SysWOW64\audrlbrc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe"

C:\Windows\SysWOW64\vjlwacwfji.exe

vjlwacwfji.exe

C:\Windows\SysWOW64\yerkmrlagdeoiok.exe

yerkmrlagdeoiok.exe

C:\Windows\SysWOW64\audrlbrc.exe

audrlbrc.exe

C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe

lrbnmpgmgfjbk.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\audrlbrc.exe

C:\Windows\system32\audrlbrc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3856-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\yerkmrlagdeoiok.exe

MD5 4b839785987e710d519db9ed9867037e
SHA1 d77f42dcfb08a208ac6fdae5f0f60515bd50b6b7
SHA256 657141110bdfc16ce590cf3d9a02613b1cfd6be995e81bec4e30e6ece21ca634
SHA512 1fed774a9c8d46a4f9353a8a5e85e1bf49c91f10ca77ea66459ce98932cbad8d7a905fe72bca34ca33401a918b3a0f20af6954c5efc8aee3a17c88a6cc177102

C:\Windows\SysWOW64\vjlwacwfji.exe

MD5 ce4c3af584ffdfcca42dc527aa43f425
SHA1 fc6bc811ce104bcbed8554726fb7addef7218c0d
SHA256 3df2e162bbd93fe367b86558c09cad17b80126edc50a26143914f18343fea59b
SHA512 298c5a5e8a0ba350d31af3e9c7332cbcc0d9053410b28afaca8ff5fdfaee1f95868ea0249a8e3096354b89754edbb16f5590bdfefd0c62e24dcd5f676b86fd1c

C:\Windows\SysWOW64\audrlbrc.exe

MD5 e2de2691dd01a0739035c9074692632c
SHA1 bc26520499b150522ee31a79a10004a1513fd7b0
SHA256 a376d72df0a047def446c2a80fa832fc5699efbc7ca885a55b443f9b173373a0
SHA512 aca9de607dc5e2c8f33a01f9fe91a877622405bd18c34d9fa5bdf3969f529e8ac2b76fe2f42b96a487e6f2b0f830ba6b87f2f171bff844172f61041ccca138e6

C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe

MD5 b3323ae127001bef0d669ed93ab69f4e
SHA1 5c163573cc64918384ce906f9c797fa91e5dd19e
SHA256 fb91b7f06b69fe3a9fa034e02985e59b8020d1bc5a88a1e22b1f0ebb0a613e0a
SHA512 6f777fcda49bd12e8c873e2287f4f13e176380ce02b38222b9307584854cca7fc06dc8401f4e536d5bc2b5bce9c0b95b48137faec132a6b9dcdeec6d5b82d4ea

memory/860-37-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/860-36-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/860-35-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/860-38-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/860-39-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/860-40-0x00007FFBCC510000-0x00007FFBCC520000-memory.dmp

memory/860-41-0x00007FFBCC510000-0x00007FFBCC520000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 fd9e27b035934bcd37ea7cde375f21b6
SHA1 a8a214548c09a68781d546efe04fbab273fbf54d
SHA256 82f283fb98184d4a4f73e011b4da4b1b20d8c15d8d4490855c1555b722a190b0
SHA512 9d7fc059bcd0769db0b07f8416943039531b8a92b7d410ffc6a45678008fa07ac0643a0cd14ddb92c0abae108a75b67ff8d767bf33aeea4048b0a5a33822a971

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 b73b80f1aa18b3895ac86ed299f77023
SHA1 d0fd5e0f2160455a49ed19ea12efe612b05a31fc
SHA256 f14ed51dc9c25903daec9d484546d08670dd672b4869b425503aef97397c6204
SHA512 1a94ec9e5b2df1a818f9879abb9051b14651a8ce7d50d2265d0ca6ee879191fca6d53793c8cae7b485c710d73f3030524d4b09f8bd935df9d862f7af7ee1490b

C:\Users\Admin\Documents\SkipResume.doc.exe

MD5 1fced686974406c6d296288744da77b7
SHA1 230e378fc23f64f56655269a90631e6086416e92
SHA256 7bf4ecc2c599254d438765794d2d872d54d0702509349111a5e3d96440c87c74
SHA512 0d4a2de5f7dee48fe97e03dad54229113b819f5763f7681425ece5d7ce04c967439074c9f0e5e7de8f020f36ee05d6c69e328a0bedfeb1151047c68b3af0106f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 17de95cc44b08f15cec3d71281c1645a
SHA1 95b8826825270b531374eedb963a141037228d18
SHA256 cfd697c2b24801e80742c876eb2f0b014a8a16b0ceaa04af229cf1956b88e5bb
SHA512 989b11fedc38dee4fcdbb48cc1129b18d3fa0cdd6303595582592bf7e16b662b5c52159e1d9b83f7482b4bddd09ddc189846a88941822de10f1fdaf8b80307f7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 81ad03755aba9cc27bfb3d7a5f23b132
SHA1 fd4016a4d7b653afea2538149c69bf700a8d6134
SHA256 23177166987993aa5cac3430ce616e3ee308a2ce904bc156905f19e22017e32d
SHA512 f957cb9ab6cb3406a100af509459ae77411fd379c8323ff6a31158829ac7df68d0be6180a6ba85975e177cb8d36eb3e36a845380a6e788dbea42d25c109a1459

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 c73bd2c78c10ffce4664b960eb788948
SHA1 bda8ceaf37d5e647c5f3b7d1862204724fed572b
SHA256 e3a88821422b8c81e6bf658e5066c99af0dfe008f3048d9ae39bf2f2c839917e
SHA512 06f3aad8ae1e5b3630cde16392a8ed88d4e4ce52b1483b4d7b42420bcb78db77407d769c287353ab96d4b0213e10ec2daff0f79464aa12e156bce72f3be7a4eb

C:\Users\Admin\AppData\Local\Temp\TCD9D5A.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 e99433f3971a8270116923f0f531dbd4
SHA1 66297325908b264d625cd985dbf2dbb306923d1a
SHA256 2d9c1d19a4f9a108d696083f21023ad4b0c076801494376f47f7052ab06f8194
SHA512 51ca2e86078bb011a5d1f605d2205fb9baae8fd4265700211168f2bb9b2ef67c29cb4e938a2031fe09763ea4b9ce38500c7628f015421f44e0ae22f72ee36089

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 61b98f859c300fe1ae5d6ddce04f020b
SHA1 09a22d8e8b2b0d04e09063268dd0b579e695497a
SHA256 9131b72b49b1cc97f8bc7d3096c91008b02c1db9f737313139c651b9ee0b4169
SHA512 d81f943d46f0355e959bd2ec296c902ad2ef9f276fa612d78517beaa35d05217cbe69a1d15796e5c533a26d5d2b44b4bc16a3cfd9b4df1c67d6225e2bc0e4379

memory/860-608-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/860-609-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/860-607-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/860-610-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp
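Two details in this report matter when hunting on other hosts. First, the Files section lists executables named after documents (MsoIrmProtector.doc.exe under WinSxS and SysWOW64\MSDRM, PROTTPLN.DOC.exe and PROTTPLV.DOC.exe under the Office install, SkipResume.doc.exe in the user's Documents folder), which is the double-extension pattern that relies on Explorer hiding known extensions. Second, the Processes section shows the child audrlbrc.exe launched with the command line C:\Windows\system32\audrlbrc.exe while its image path is C:\Windows\SysWOW64\audrlbrc.exe: the parent is 32-bit, so WOW64 file-system redirection silently maps System32 to SysWOW64. The hunt below is an added example, not part of the report or the sandbox's tooling. It checks both system directories for the four dropped executables using the SHA256 values from the Files section, then sweeps the directories the report touched for document-named executables. The four dropper names look randomly generated, so on another infected host the names and hashes may differ; the double-extension sweep is the more robust of the two checks. The directory list and the extension patterns are my assumptions.

```powershell
# Added example (not from the report): hunt for the dropped executables and the
# "<name>.doc.exe" companions listed in the Files section. Run elevated.
# SHA256 values copied from the report's Files section.
$knownBad = @{
    '657141110bdfc16ce590cf3d9a02613b1cfd6be995e81bec4e30e6ece21ca634' = 'yerkmrlagdeoiok.exe'
    '3df2e162bbd93fe367b86558c09cad17b80126edc50a26143914f18343fea59b' = 'vjlwacwfji.exe'
    'a376d72df0a047def446c2a80fa832fc5699efbc7ca885a55b443f9b173373a0' = 'audrlbrc.exe'
    'fb91b7f06b69fe3a9fa034e02985e59b8020d1bc5a88a1e22b1f0ebb0a613e0a' = 'lrbnmpgmgfjbk.exe'
}

# The "C:\Windows\system32\audrlbrc.exe" command line in the report resolved to
# SysWOW64 via WOW64 redirection, so check both directories rather than trusting
# the path a process was started with.
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Find-DroppedExecutables {
    foreach ($dir in $systemDirs) {
        foreach ($name in $knownBad.Values) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
                [pscustomobject]@{
                    Path      = $path
                    SHA256    = $hash
                    HashMatch = $knownBad.ContainsKey($hash)   # $false still warrants a look: same name, new build
                }
            }
        }
    }
}

function Find-DoubleExtensionExecutables {
    # Directories taken from the report; widen to "$env:SystemDrive\" for a full sweep.
    # -Include matching is case-insensitive on Windows, so PROTTPLN.DOC.exe is caught too.
    param([string[]]$Path = @(
        "$env:SystemRoot\WinSxS",
        "$env:SystemRoot\SysWOW64\MSDRM",
        "${env:ProgramFiles}\Microsoft Office",
        "$env:USERPROFILE\Documents"
    ))
    Get-ChildItem -Path $Path -Recurse -File -Include '*.doc.exe', '*.docx.exe', '*.rtf.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                Bytes  = $_.Length
            }
        }
}

Find-DroppedExecutables          | Format-Table -AutoSize
Find-DoubleExtensionExecutables  | Format-Table -AutoSize
```

Any hit from the second function is worth pulling for analysis even when its hash does not match the report: the report itself lists three different hashes for MsoIrmProtector.doc.exe in the same MSDRM directory, so the dropped companions are not a fixed payload.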