Malware Analysis Report

2024-11-16 10:46

Sample ID 240603-knfz4ahd41
Target 912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118
SHA256 2ccf965e31d2cf0b56ecde5b126a7fe490276330c111ef8a32204745fb8cb763
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ccf965e31d2cf0b56ecde5b126a7fe490276330c111ef8a32204745fb8cb763

Threat Level: Known bad

The file 912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Loads dropped DLL

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 08:44

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 08:44

Reported

2024-06-03 08:47

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\bllhqckdsu.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bllhqckdsu.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vcctnpvkjctof.exe" C:\Windows\SysWOW64\nbolotpatjftuii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\doezfzhn = "bllhqckdsu.exe" C:\Windows\SysWOW64\nbolotpatjftuii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ovcedbtk = "nbolotpatjftuii.exe" C:\Windows\SysWOW64\nbolotpatjftuii.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\czbdtgst.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\bllhqckdsu.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\vcctnpvkjctof.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\bllhqckdsu.exe N/A
File opened for modification C:\Windows\SysWOW64\nbolotpatjftuii.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\czbdtgst.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\czbdtgst.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vcctnpvkjctof.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bllhqckdsu.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bllhqckdsu.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nbolotpatjftuii.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\czbdtgst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\czbdtgst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B0204797399F52CABAD533EFD4BB" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFACDF962F195837F3A45819B3990B38B02FE4315023DE2CB42E908A3" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70C15E1DABEB8C07CE6ECE534BB" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\bllhqckdsu.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\nbolotpatjftuii.exe N/A
N/A N/A C:\Windows\SysWOW64\czbdtgst.exe N/A
N/A N/A C:\Windows\SysWOW64\vcctnpvkjctof.exe N/A
N/A N/A C:\Windows\SysWOW64\bllhqckdsu.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\bllhqckdsu.exe
PID 1964 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\nbolotpatjftuii.exe
PID 1964 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\czbdtgst.exe
PID 1964 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\vcctnpvkjctof.exe
PID 2560 wrote to memory of 2604 N/A C:\Windows\SysWOW64\bllhqckdsu.exe C:\Windows\SysWOW64\czbdtgst.exe
PID 1964 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2440 wrote to memory of 480 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe"

C:\Windows\SysWOW64\bllhqckdsu.exe

bllhqckdsu.exe

C:\Windows\SysWOW64\nbolotpatjftuii.exe

nbolotpatjftuii.exe

C:\Windows\SysWOW64\czbdtgst.exe

czbdtgst.exe

C:\Windows\SysWOW64\vcctnpvkjctof.exe

vcctnpvkjctof.exe

C:\Windows\SysWOW64\czbdtgst.exe

C:\Windows\system32\czbdtgst.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1964-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\nbolotpatjftuii.exe

\Windows\SysWOW64\bllhqckdsu.exe

\Windows\SysWOW64\czbdtgst.exe

\Windows\SysWOW64\vcctnpvkjctof.exe

memory/2440-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

memory/2440-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 08:44

Reported

2024-06-03 08:47

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\cefmycrjub.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cefmycrjub.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ybnqeufw = "cefmycrjub.exe" C:\Windows\SysWOW64\mlsmnhirihwhenb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adcfcoin = "mlsmnhirihwhenb.exe" C:\Windows\SysWOW64\mlsmnhirihwhenb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "krvjgixqtejqg.exe" C:\Windows\SysWOW64\mlsmnhirihwhenb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\cefmycrjub.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fvbursqf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\cefmycrjub.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\krvjgixqtejqg.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File created C:\Windows\SysWOW64\mlsmnhirihwhenb.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\krvjgixqtejqg.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Windows\SysWOW64\cefmycrjub.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mlsmnhirihwhenb.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fvbursqf.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\cefmycrjub.exe N/A
File created C:\Windows\SysWOW64\cefmycrjub.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fvbursqf.exe C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fvbursqf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fvbursqf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fvbursqf.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C7D9C5683526D3576D377242CAD7CF464DB" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFCFC4F26851B9146D72E7E9DBC97E63659426736623FD7EA" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FAB8FE11F194837E3B3286EB3E93B0FD02FC42160348E1CB42EE08A8" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B02C4797389852CCB9D133EDD7B9" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67515E1DAC4B8BE7C90ED9734C7" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\cefmycrjub.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BB7FE6A22D9D20CD1D28A7F9014" C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\cefmycrjub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\cefmycrjub.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\cefmycrjub.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description, Indicator and Target are N/A for every row of this signature; the 64 identical rows are collapsed below into one row per process with the number of times it appears.

Process Occurrences
C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe 16
C:\Windows\SysWOW64\mlsmnhirihwhenb.exe 12
C:\Windows\SysWOW64\cefmycrjub.exe 10
C:\Windows\SysWOW64\krvjgixqtejqg.exe 12
C:\Windows\SysWOW64\fvbursqf.exe 14

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\cefmycrjub.exe
PID 1004 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\cefmycrjub.exe
PID 1004 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\cefmycrjub.exe
PID 1004 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\mlsmnhirihwhenb.exe
PID 1004 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\mlsmnhirihwhenb.exe
PID 1004 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\mlsmnhirihwhenb.exe
PID 1004 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\fvbursqf.exe
PID 1004 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\fvbursqf.exe
PID 1004 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\fvbursqf.exe
PID 1004 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\krvjgixqtejqg.exe
PID 1004 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\krvjgixqtejqg.exe
PID 1004 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Windows\SysWOW64\krvjgixqtejqg.exe
PID 1004 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1004 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4348 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cefmycrjub.exe C:\Windows\SysWOW64\fvbursqf.exe
PID 4348 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cefmycrjub.exe C:\Windows\SysWOW64\fvbursqf.exe
PID 4348 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cefmycrjub.exe C:\Windows\SysWOW64\fvbursqf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\912a2ae7ccb86ad17bf4cc6c1d05c914_JaffaCakes118.exe"

C:\Windows\SysWOW64\cefmycrjub.exe

cefmycrjub.exe

C:\Windows\SysWOW64\mlsmnhirihwhenb.exe

mlsmnhirihwhenb.exe

C:\Windows\SysWOW64\fvbursqf.exe

fvbursqf.exe

C:\Windows\SysWOW64\krvjgixqtejqg.exe

krvjgixqtejqg.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\fvbursqf.exe

C:\Windows\system32\fvbursqf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp (this row appears 43 times in the capture; repeats collapsed)
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1004-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\mlsmnhirihwhenb.exe

MD5 961858cde6483783185294a6589d7d91
SHA1 a14021fd33eabb4f232adff0d7a0291e7aa03230
SHA256 142d9989578014db7eabf6987b086cd62cfcc0fe0f91ebc1e79d0821ea312055
SHA512 47eccefc27705147453e0685801a1549db53edea6429a6506d0535a8aa5e46a0170368b22394682c11ebd3ac17cb70cc2a6f635813b3428845dcaffbbfb20187

C:\Windows\SysWOW64\cefmycrjub.exe

MD5 511a5cab987e7e6d1a126235ff3832f5
SHA1 71b98d3345925b0525aa4f7b176a10557debf28d
SHA256 5ed5630893cb2ce3f65338bb7f0364caa39cf57b6a7cca486b35f6ec1aa2f505
SHA512 acaaca93a86eefde1c3ef3ccff42aacb783160e90dc12dd64ef24dca6e8fdf840d4c82aa10be5297399d46be7462e6d0496f084904ad06c71486df53d12de68a

C:\Windows\SysWOW64\fvbursqf.exe

MD5 aef78c7885e44f2cded8057b57db1630
SHA1 1db2139f4e3803473da380aa1b76a0de2476d11f
SHA256 52a6bafed8a6d6339fbc662e94c537351ba3b6ac52a45a4f8b80bdd53f795c16
SHA512 5c99af48e076b5bd88a3ccc0a7274da15bd9c4826c9e67836cb40d409aaf8d740cd6c5b561c90f184b231fb1af1b2bbc143db82c19a3d2066aee1c17d7831195

C:\Windows\SysWOW64\krvjgixqtejqg.exe

MD5 f86bc05b886c330e65f9fe868617dd5d
SHA1 ccecad45e1ab5b5f3fc609d5adc55bb1cc23d854
SHA256 bed6d97ed0dd022a789ec9cba65574a39e7c584923162c2531d18ddc1b5db20c
SHA512 5e3b0778813eb420a0fd7fe1fcdd7ccc4af8bc2e9aa53068d4276054d9489b28dbfd1a3d8a8907ea8424dee3275b93341cb7e848dff6bcb120ac144fa7b55697

memory/4284-35-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

memory/4284-37-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

memory/4284-36-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

memory/4284-38-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

memory/4284-39-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

memory/4284-40-0x00007FFCE2890000-0x00007FFCE28A0000-memory.dmp

memory/4284-41-0x00007FFCE2890000-0x00007FFCE28A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 50de6e4d07d5ccd680a54f13bb2a7644
SHA1 7400fc6dfb5475de7e838704fca58b6a8edb7023
SHA256 a68ed6698c18d5960b422a0a4b213435ee222dc12a1a1852904d240c61b8471d
SHA512 a4ec876a411a89a1518a606c2bd6271e38469556358f0a8b05d7ab7180e88b272587ce964506c6185803f1cdaab76f4b9443535812abff8c6020a3facb456ce5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 29c276c363c88c6079d1b7b52954d52c
SHA1 c93017b2bd55831e9669c25e8e249228cb1a8974
SHA256 0418102128b207927aebb827372788aab0093005c4327725f6de10acabce9968
SHA512 82cc016f4a15c0cc86b99672d6195a58b60ac8985ac9b308658c52ad0f3079136fec37711398fdef238ccbf97d4ec0938d003e5d927345348bbcd5439de3e936

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3f8a76e35a2bdbe497f384c9033d1e5a
SHA1 d1b10cfc1933f990ee6e924a4e3cca20b87ead39
SHA256 669136f692abcb3c17c076b3b1ce9dee26eec479ee40e57ee67d5b2e3b803633
SHA512 dea513da88ff4d06abdcd44f6884f57b7a39683845e6443a632708f442dd6a99f62897125168276a705b8a7be842a6f9a03e152de14557bfb5654ce0bd499728

C:\Users\Admin\AppData\Local\Temp\TCDA56F.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 b360b95891ce2790d69511beab66419c
SHA1 d0467be40259bcf19453b35ded5cc3a6bfe3452c
SHA256 05bf4146970537a0a1cbdd4262fda7f52ddbfed4d98c49ba3aee03b7ae3b5150
SHA512 94c746c4af18396fbf7fe9c96e5b680872c3e7ab58c085830026c2528bfeda2f6d89fc64db3eb3bf00801245de75f21edd72646d2fd7c27fb114a9cb54322e0e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 d07d5f3a315f18e2a4de060192509dae
SHA1 d79e61c9b01b6edb030f41cbadfdf6a3cc00e348
SHA256 6a84923eda02a7a546a5d3f9ef42e483c647b62076bb53b7246fdd149ffa26d1
SHA512 2c706bd016f1002a5e928552a1f31d9ce7edc1fd1d45c4c2e53a2f0c491cf5d2634938f79554fcb038b703405488523d316b42738ad00715a918239d7550ba11

memory/4284-604-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

memory/4284-603-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

memory/4284-602-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

memory/4284-601-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp