Malware Analysis Report

2024-11-30 06:42

Sample ID 240612-vre73swgkl
Target a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118
SHA256 c41ec9945d19d68f73e29d248ba50f228f689f58db5206672744bf3cd8be1e6c
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c41ec9945d19d68f73e29d248ba50f228f689f58db5206672744bf3cd8be1e6c

Threat Level: Known bad

The file a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Windows security modification

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:13

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:13

Reported

2024-06-12 17:15

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\xfonensezd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xfonensezd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hhmahmfa = "jxtotyapmyfjift.exe" C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ahnrcceglphxq.exe" C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oypfzpoc = "xfonensezd.exe" C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\u: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\xfonensezd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\xfonensezd.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\xfonensezd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\jxtotyapmyfjift.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vvtfflby.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ahnrcceglphxq.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\xfonensezd.exe N/A
File created C:\Windows\SysWOW64\xfonensezd.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\xfonensezd.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jxtotyapmyfjift.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vvtfflby.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ahnrcceglphxq.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\vvtfflby.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vvtfflby.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C7E9C2683516A4276A577252CDB7C8464DD" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\xfonensezd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\xfonensezd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\xfonensezd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C6791594DAC5B8CC7CE9EDE334C8" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FF8F482E82139142D75D7D90BD95E1475847674F6236D6EC" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\xfonensezd.exe N/A
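The two `shell\edit\command\command` data values that WINWORD.EXE writes above are not attacker-controlled strings. They are Windows Installer "Darwin descriptors", the install-on-demand association records Office registers for itself, stored as UTF-16LE text. The sample opened the dropped C:\Windows\mydoc.rtf in Word, and Word's own association registration produced every WINWORD.EXE row in this table; the only malware write here is the `.reg` = "txtfile" change by xfonensezd.exe, so the WINWORD rows should not be copied into an IOC list. The decoder below is an added example, not code from the report: it takes the two hex blobs from the table (transcribed verbatim as constants), splits each descriptor into product code, feature, component code and trailing arguments, and expands the 20-character base-85 product code with the alphabet Windows Installer uses for compressed GUIDs. The product code decodes to {90140000-0011-0000-0000-0000000FF1CE}, Office Professional Plus 2010, matching the Office14 install in the sandbox image.

```python
import struct
import uuid

# Base-85 alphabet Windows Installer uses for the 20-character "compressed"
# GUIDs inside Darwin descriptors (same table as Wine's msi implementation).
_DARWIN_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                    "[]^_`abcdefghijklmnopqrstuvwxyz{}~")

# Constructed inputs: the "command" data values from the two WINWORD.EXE rows
# above (.htm\OpenWithList\WinWord.exe and .htm\OpenWithList\MSPub.exe), copied
# verbatim from the report.
WORD_EDIT_COMMAND = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
PUB_EDIT_COMMAND = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"


def decode_compressed_guid(s: str) -> str:
    """Decode a 20-char Darwin-compressed GUID to {XXXXXXXX-XXXX-...} form.

    Each group of 5 characters is one base-85 DWORD, least significant
    character first; the four DWORDs are the GUID structure in memory order
    (Data1, Data2|Data3<<16, Data4[0:4], Data4[4:8]).
    """
    if len(s) != 20:
        raise ValueError("compressed GUID must be exactly 20 characters")
    dwords = []
    for i in range(0, 20, 5):
        val, base = 0, 1
        for ch in s[i:i + 5]:
            val += _DARWIN_ALPHABET.index(ch) * base  # ValueError on a bad char
            base *= 85
        if val > 0xFFFFFFFF:
            raise ValueError("base-85 group overflows a DWORD")
        dwords.append(val)
    raw = struct.pack("<4I", *dwords)
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def parse_darwin_descriptor(reg_data_hex: str) -> dict:
    """Split a descriptor stored as UTF-16LE registry data into its parts.

    Layout: <20-char product code><feature name>'>'<20-char component code>[ args]
    Only the '>' form (component present) is handled, which is what the report
    shows; a '<' terminator would mean the descriptor carries no component.
    """
    text = bytes.fromhex(reg_data_hex).decode("utf-16-le").rstrip("\x00")
    if len(text) < 21:
        raise ValueError("too short for a Darwin descriptor")
    product, rest = text[:20], text[20:]
    sep = rest.find(">")
    if sep < 0 or len(rest) < sep + 21:
        raise ValueError("no component code after the feature name")
    return {
        "product_code": decode_compressed_guid(product),
        "feature": rest[:sep],
        "component_code": decode_compressed_guid(rest[sep + 1:sep + 21]),
        "args": rest[sep + 21:].strip(),
    }


if __name__ == "__main__":
    for label, blob in (("Word .htm edit", WORD_EDIT_COMMAND),
                        ("Publisher .htm edit", PUB_EDIT_COMMAND)):
        d = parse_darwin_descriptor(blob)
        print(f"{label}: product={d['product_code']} feature={d['feature']} "
              f"component={d['component_code']} args={d['args']!r}")
```

Both rows share their first 20 characters because they advertise the same product; they differ only in feature (WORDFiles vs PubPrimary), component and arguments (`/n "%1"` vs `%1`). When a sandbox attributes registry writes to a legitimate Office binary, decoding the value this way is a quick check that the data is installer metadata rather than a planted command line.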

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\xfonensezd.exe N/A
N/A N/A C:\Windows\SysWOW64\xfonensezd.exe N/A
N/A N/A C:\Windows\SysWOW64\xfonensezd.exe N/A
N/A N/A C:\Windows\SysWOW64\xfonensezd.exe N/A
N/A N/A C:\Windows\SysWOW64\xfonensezd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\vvtfflby.exe N/A
N/A N/A C:\Windows\SysWOW64\vvtfflby.exe N/A
N/A N/A C:\Windows\SysWOW64\vvtfflby.exe N/A
N/A N/A C:\Windows\SysWOW64\vvtfflby.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\vvtfflby.exe N/A
N/A N/A C:\Windows\SysWOW64\vvtfflby.exe N/A
N/A N/A C:\Windows\SysWOW64\vvtfflby.exe N/A
N/A N/A C:\Windows\SysWOW64\vvtfflby.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A
N/A N/A C:\Windows\SysWOW64\ahnrcceglphxq.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\xfonensezd.exe
PID 1928 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\xfonensezd.exe
PID 1928 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\xfonensezd.exe
PID 1928 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\xfonensezd.exe
PID 1928 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\jxtotyapmyfjift.exe
PID 1928 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\jxtotyapmyfjift.exe
PID 1928 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\jxtotyapmyfjift.exe
PID 1928 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\jxtotyapmyfjift.exe
PID 1928 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\vvtfflby.exe
PID 1928 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\vvtfflby.exe
PID 1928 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\vvtfflby.exe
PID 1928 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\vvtfflby.exe
PID 1928 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\ahnrcceglphxq.exe
PID 1928 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\ahnrcceglphxq.exe
PID 1928 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\ahnrcceglphxq.exe
PID 1928 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\ahnrcceglphxq.exe
PID 2660 wrote to memory of 1364 N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1364 N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1364 N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1364 N/A C:\Windows\SysWOW64\jxtotyapmyfjift.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ahnrcceglphxq.exe
PID 1364 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ahnrcceglphxq.exe
PID 1364 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ahnrcceglphxq.exe
PID 1364 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ahnrcceglphxq.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\SysWOW64\xfonensezd.exe C:\Windows\SysWOW64\vvtfflby.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\SysWOW64\xfonensezd.exe C:\Windows\SysWOW64\vvtfflby.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\SysWOW64\xfonensezd.exe C:\Windows\SysWOW64\vvtfflby.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\SysWOW64\xfonensezd.exe C:\Windows\SysWOW64\vvtfflby.exe
PID 1928 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1928 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1928 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1928 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1580 wrote to memory of 780 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1580 wrote to memory of 780 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1580 wrote to memory of 780 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1580 wrote to memory of 780 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

Tree rebuilt from the parent/child PIDs in the WriteProcessMemory table above; each node is the image path, then its command line.

C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe  (PID 1928)

"C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe"

    C:\Windows\SysWOW64\xfonensezd.exe  (PID 3036)

    xfonensezd.exe

        C:\Windows\SysWOW64\vvtfflby.exe  (PID 2396)

        C:\Windows\system32\vvtfflby.exe

    C:\Windows\SysWOW64\jxtotyapmyfjift.exe  (PID 2660)

    jxtotyapmyfjift.exe

        C:\Windows\SysWOW64\cmd.exe  (PID 1364)

        cmd.exe /c ahnrcceglphxq.exe

            C:\Windows\SysWOW64\ahnrcceglphxq.exe  (PID 2444)

            ahnrcceglphxq.exe

    C:\Windows\SysWOW64\vvtfflby.exe  (PID 2840)

    vvtfflby.exe

    C:\Windows\SysWOW64\ahnrcceglphxq.exe  (PID 2516)

    ahnrcceglphxq.exe

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1580)

    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

        C:\Windows\splwow64.exe  (PID 780)

        C:\Windows\splwow64.exe 12288

The copy launched by xfonensezd.exe is invoked as C:\Windows\system32\vvtfflby.exe but runs from SysWOW64: the droppers are 32-bit, so WOW64 file-system redirection maps their system32 path onto SysWOW64. The other children are started by bare name (xfonensezd.exe, ahnrcceglphxq.exe, ...), which resolves only because the files sit in the system directory. splwow64.exe is Windows' print-driver host for 32-bit applications; a 32-bit Word spawning it on 64-bit Windows is expected and not part of the infection chain.

Network

N/A

Files

memory/1928-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\jxtotyapmyfjift.exe

MD5 4923fb00dd1fcfa3c27cf1402f634bce
SHA1 5a24b102be730dfc7d2d1d9d172e7e6c75d329a9
SHA256 d65a172ed96bb4d7b8b0cde7d7de8a989c72d62900ad4578288c5bbc1567b9b8
SHA512 0e89b4d8b71d2bae39e14213308027faec322b351accdb266cb75c2b4db04f1969964715121ea885aa5d9c62c8fec50e250b8ae729a50019909cf2a67bf5bab9

\Windows\SysWOW64\xfonensezd.exe

MD5 1e00df871347d47565fac134b9bd35b3
SHA1 a2d964c442e045a6285cfa6e61287ac82f939d58
SHA256 5aabda96ccea517d13fe1d896e22084209ad01b54056aceba4930fe25a928873
SHA512 bb2fc4b7e87f17b24e268c056199bcc8f8dc7e182b36fa96c5f46eca6ccf8c9e42088a60931f732796c070707091316e0267d834ca4d6678e95abfe7aaf49bd2

\Windows\SysWOW64\vvtfflby.exe

MD5 dd16cbcc812271779017537e3c234c78
SHA1 7b0da530b8f023bebca14383267e55430ecb2442
SHA256 6af3aad444642661cf1fc5820fe4f84da446a2f9e9334e9819fc8ad451d67b83
SHA512 42e15736a47514ef0056310e2bfe0303aafceeaf129e3592b80bd4a0e4c9dc0b8209ddc17a0497ecae7cb875e5ae5206d451cfe50b9aaac2187ac5ee3c32932e

C:\Windows\SysWOW64\ahnrcceglphxq.exe

MD5 2f5c480f350cf58f7e92fce4079a73d8
SHA1 b40397f77b2de184683d46a17f740892d7235068
SHA256 72edbde594f3fafea23c76d071ae11dca389993cddd8baca35c4c61b37e0326c
SHA512 50b76b1da5d85119e6abcbfdd24bd6950dc936e5e99ad09761283dce14867e9a78b07ae3fe5ccb2ab81f3e31cff4b44214723d3e310f5b981af3988705892e17

memory/1580-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 18c79702fb77945d7e4c23d4d448dc71
SHA1 35bd2837fbdb92be52ed1f60b82467821670d1e4
SHA256 6aae9aa21600bd2f2913e3109a506c90c679bf6e996f49af7252e2263f1e0071
SHA512 b58b42829e682c351222bcc67b74bfd2393a66a7d835f979b5ed27ac1529afc6459a9beed99dd669566ab48844068543ef2e0a08c33097b364866cae99b48f3e

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 d75c7c4901bf9b52e8f773bacc6046f8
SHA1 cce733dcb4b551ab80c794ade8353c6b07e9deb0
SHA256 0fd94cc57ed47beb96d46a2db2a90947be0193a4a92245b733c74cf0e30ae9c5
SHA512 6f1c1da6a9be5ba12dcd06cbc05b165ca119316b56b3ec766ef30abed42524f3e3ed4e8f3ec99ce8e03ff8678286f5c6160996f96f3632cacd25021176e2126f

C:\Users\Admin\Documents\SetConnect.doc.exe

MD5 8fb94fb567ce221229be326bbedd1db9
SHA1 6d5f5a8d5974c072cce8bdf0b9b61d5328fb34c8
SHA256 cf11c90d926b8e440b9641138bf6315b71032b97e014cb5b2c302c819f399f92
SHA512 8ad9122abc2e47b49a80ab79a1195a5496de811c6d3fbb1396dc0ce591fa30584dbd2a162be7413f5bd502c859eea0f7aa8f59774181fc62e2324296c0530fa1

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 3d635a7c092dce33e445faafb0f3226b
SHA1 e2c7cbec46e70be89537b8c7d96ff5940dc9e9cf
SHA256 e3e511a23ce9a406abe957074fef67bacc27545faade972e622da14dc871d803
SHA512 2bc0e0d25d0f6e917d68632128508e4b24061010ece6875f340988c00455ca98d064738b3805122799389d9f1f765cb5445f38562111144d3a845c036dfe6a73

memory/1580-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:13

Reported

2024-06-12 17:15

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hxwdzjpi = "bjjkinlfpr.exe" C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lcjutccm = "zyuoomqzkgwjyby.exe" C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dunodhoucxlls.exe" C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\m: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vpcvkusk.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bjjkinlfpr.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vpcvkusk.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dunodhoucxlls.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created C:\Windows\SysWOW64\dunodhoucxlls.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bjjkinlfpr.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vpcvkusk.exe C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\InvokeSend.nal C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\InvokeSend.nal C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vpcvkusk.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Every row in this table and in the processor table above is attributed to WINWORD.EXE, which the sample launched to open C:\Windows\mydoc.rtf (see Processes). None of the sample's own processes read these keys, so the two signatures are Office behaviour, not sandbox fingerprinting by the sample.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C0D9C2383546A3576A570532CD87C8E65DB" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668C4FF1A21DCD17AD0A48B799163" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9BDFE13F196837F3B35819A3EE2B0FB028842160333E2BE429B09A3" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FC82482E851E913CD72F7DE1BC93E131583067346332D6EE" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC60B1591DBBEB9C07CE7EDE434BD" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02A4794389D53C5B9D733EFD7CD" C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\bjjkinlfpr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\bjjkinlfpr.exe N/A

Two unrelated changes are mixed in this table. The sample itself stores six opaque hex strings (Com1 to Com4, StartCom1, StartCom2) under HKLM\Software\Classes\CLV.Classes, a key of its own planted among the file-class keys; the report does not resolve what they encode. The dropper bjjkinlfpr.exe then creates class keys for .reg, .vbs, .bat, .wsh, .wsf and .wsc and points each default ProgID at "txtfile", the Notepad text class. From then on, double-clicking a script or a registry-import file opens it in Notepad instead of running it, which blocks script-based tooling and any .reg-based clean-up until the stock associations (regfile, VBSFile, batfile, WSHFile, WSFFile, scriptletfile) are restored.
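The extension hijack in this table is easy to check for and to undo. The following is an added example written for this page, not code from the sandbox vendor or from the sample: it compares the default ProgID of each affected extension against the stock Windows value and renders a .reg fragment that restores them. OBSERVED_AFTER_INFECTION is a constructed snapshot built from the rows above; the live collector is assumed to run on a Windows host and is not exercised here.

```python
"""Detect script-extension hijacks of the kind bjjkinlfpr.exe performs above.

Added example for this page; not sandbox-vendor or sample code.  The stock
ProgIDs in EXPECTED_PROGIDS are the Windows defaults; the after-infection
snapshot is constructed from the 'Modifies registry class' rows.
"""
import sys

# Stock (Default) value of HKLM\SOFTWARE\Classes\<ext> on a clean host.  Any
# other value, most obviously "txtfile", means double-clicking such a file
# opens Notepad instead of running it.
EXPECTED_PROGIDS = {
    ".reg": "regfile",
    ".vbs": "VBSFile",
    ".bat": "batfile",
    ".wsh": "WSHFile",
    ".wsf": "WSFFile",
    ".wsc": "scriptletfile",
}

# Constructed snapshot of the same keys after detonation, taken from the
# report's rows (the dropper wrote both ".wsh" and ".WSH" spellings).
OBSERVED_AFTER_INFECTION = {
    ".reg": "txtfile",
    ".vbs": "txtfile",
    ".bat": "txtfile",
    ".WSH": "txtfile",
    ".WSF": "txtfile",
    ".wsc": "txtfile",
}


def find_hijacked(observed, expected=EXPECTED_PROGIDS):
    """Return {ext: (observed_progid, expected_progid)} for each mismatch.

    Extensions compare case-insensitively (registry key names do), and an
    extension with no class key at all is treated as absent, not hijacked.
    """
    normalised = {ext.lower(): progid for ext, progid in observed.items()}
    hijacked = {}
    for ext, want in expected.items():
        got = normalised.get(ext.lower())
        if got is not None and got.lower() != want.lower():
            hijacked[ext] = (got, want)
    return hijacked


def collect_from_registry(exts=tuple(EXPECTED_PROGIDS)):
    """Read the live defaults from HKLM (Windows only; assumed, not run here)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs the Windows registry")
    import winreg
    snapshot = {}
    for ext in exts:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\" + ext) as key:
                snapshot[ext] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass  # no class key for this extension
    return snapshot


def restore_reg_fragment(hijacked):
    """Render a .reg fragment that puts the stock ProgIDs back.

    Apply it with 'reg import' from an elevated prompt rather than by
    double-clicking: on an infected host .reg files themselves open in Notepad.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for ext, (_got, want) in sorted(hijacked.items()):
        lines.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\%s]" % ext)
        lines.append('@="%s"' % want)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_hijacked(OBSERVED_AFTER_INFECTION)
    for ext, (got, want) in sorted(hits.items()):
        print("%-4s is %-8s expected %s" % (ext, got, want))
    print(restore_reg_fragment(hits))
```

Note that an extension whose class key is simply missing is not reported: the dropper created the keys before writing them, so on an infected host all six are present and all six mismatch.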

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Only WINWORD.EXE appears here; neither the sample nor its droppers registered a clipboard listener in this run.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe N/A (16 events)
N/A N/A C:\Windows\SysWOW64\bjjkinlfpr.exe N/A (10 events)
N/A N/A C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe N/A (10 events)
N/A N/A C:\Windows\SysWOW64\vpcvkusk.exe N/A (8 events)
N/A N/A C:\Windows\SysWOW64\dunodhoucxlls.exe N/A (12 events)
N/A N/A C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe N/A (2 events)
N/A N/A C:\Windows\SysWOW64\vpcvkusk.exe N/A (6 events)

Identical rows are collapsed; the count is the number of times the sandbox logged the event for that image, kept in the order reported (64 rows in total). Unlike the registry signatures above, this one is triggered by the sample and all four droppers, not by Word.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2820 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\bjjkinlfpr.exe
PID 2848 wrote to memory of 1304 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe
PID 2848 wrote to memory of 2832 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\vpcvkusk.exe
PID 2848 wrote to memory of 2480 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\dunodhoucxlls.exe
PID 2848 wrote to memory of 3624 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2820 wrote to memory of 2212 (3 writes) N/A C:\Windows\SysWOW64\bjjkinlfpr.exe C:\Windows\SysWOW64\vpcvkusk.exe

Identical rows are collapsed with a write count. PID 2848 is the sample itself and every target is one of the processes listed under Processes below. Two or three writes into a process the writer has just created is the pattern CreateProcess itself produces while it populates the child's process parameters, and the table records neither write sizes nor addresses, so on its own it does not establish process hollowing or code injection. The single second-generation edge, 2820 to 2212, is bjjkinlfpr.exe starting a second copy of vpcvkusk.exe.
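To see what these rows encode, here is an added example (written for this page, not sandbox-vendor code) that parses them into a parent-child tree, collapsing repeated identical rows into a per-edge write count. ROWS is a copy of the table above; the split on a space followed by a drive letter assumes, as holds for every row here, that neither path column contains such a sequence inside it.

```python
"""Rebuild the process tree encoded by the 'wrote to memory of' rows above.

Added example for this page, not sandbox-vendor code.  ROWS is a copy of
the table; repeated identical rows become a per-edge write count.
"""
import re
from collections import Counter

# Constructed input: the 17 rows of the table, in reported order.
ROWS = r"""
PID 2848 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\bjjkinlfpr.exe
PID 2848 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\bjjkinlfpr.exe
PID 2848 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\bjjkinlfpr.exe
PID 2848 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe
PID 2848 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe
PID 2848 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe
PID 2848 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\vpcvkusk.exe
PID 2848 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\vpcvkusk.exe
PID 2848 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\vpcvkusk.exe
PID 2848 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\dunodhoucxlls.exe
PID 2848 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\dunodhoucxlls.exe
PID 2848 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Windows\SysWOW64\dunodhoucxlls.exe
PID 2848 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2848 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2820 wrote to memory of 2212 N/A C:\Windows\SysWOW64\bjjkinlfpr.exe C:\Windows\SysWOW64\vpcvkusk.exe
PID 2820 wrote to memory of 2212 N/A C:\Windows\SysWOW64\bjjkinlfpr.exe C:\Windows\SysWOW64\vpcvkusk.exe
PID 2820 wrote to memory of 2212 N/A C:\Windows\SysWOW64\bjjkinlfpr.exe C:\Windows\SysWOW64\vpcvkusk.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# The process and target columns are both paths separated only by a space,
# so split where a space is followed by a drive letter (assumption: neither
# path contains such a sequence internally, which is true of every row here).
PATH_BOUNDARY = re.compile(r" (?=[A-Za-z]:\\)")


def parse_rows(text):
    """Return (edges, names): a Counter of (parent_pid, child_pid) -> writes
    and a pid -> image-name map built from both path columns."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        parts = PATH_BOUNDARY.split(m.group(3), maxsplit=1)
        if len(parts) != 2:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        edges[(parent, child)] += 1
        names[parent] = parts[0].rsplit("\\", 1)[-1]
        names[child] = parts[1].rsplit("\\", 1)[-1]
    return edges, names


def roots(edges):
    """PIDs that wrote to others but were never written to (the origin)."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render(edges, names):
    """Indented tree; each child carries the number of writes it received."""
    kids = {}
    for (parent, child), n in edges.items():
        kids.setdefault(parent, []).append((child, n))
    out = []

    def walk(pid, depth, writes=None):
        tag = "" if writes is None else "  (%d writes)" % writes
        out.append("%s%d %s%s" % ("  " * depth, pid, names.get(pid, "?"), tag))
        for child, n in kids.get(pid, []):
            walk(child, depth + 1, n)

    for pid in roots(edges):
        walk(pid, 0)
    return "\n".join(out)


if __name__ == "__main__":
    edges, names = parse_rows(ROWS)
    print(render(edges, names))
```

The rendered tree has the sample at the root with five children and one grandchild; the write counts are what make the two-to-three-writes-per-spawn pattern visible at a glance, and any edge with a much larger count, or a target that is not a fresh child, would be the one worth a closer look.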

Processes

C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe (PID 2848)

"C:\Users\Admin\AppData\Local\Temp\a174c4cca3d2a926f7f0d93a3064da6b_JaffaCakes118.exe"

C:\Windows\SysWOW64\bjjkinlfpr.exe (PID 2820, parent 2848)

bjjkinlfpr.exe

C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe (PID 1304, parent 2848)

zyuoomqzkgwjyby.exe

C:\Windows\SysWOW64\vpcvkusk.exe (PID 2832, parent 2848)

vpcvkusk.exe

C:\Windows\SysWOW64\dunodhoucxlls.exe (PID 2480, parent 2848)

dunodhoucxlls.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3624, parent 2848)

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\vpcvkusk.exe (PID 2212, parent 2820)

C:\Windows\system32\vpcvkusk.exe

PIDs and parentage are taken from the WriteProcessMemory rows above. The sample starts four droppers with random-looking names from SysWOW64 using bare command lines, and opens Word on C:\Windows\mydoc.rtf. The last entry is a second copy of vpcvkusk.exe started by bjjkinlfpr.exe: its command line names C:\Windows\system32, yet the image that ran is the SysWOW64 copy, which is the WOW64 file-system redirector mapping a 32-bit caller's system32 reference onto SysWOW64.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Only three DNS queries were recorded: a reverse lookup of the resolver itself and two Microsoft Office service names that Word contacts when opened (here on C:\Windows\mydoc.rtf). No other destination, and no traffic attributable to the sample or its droppers, appears in this detonation; the absence of traffic in a short sandbox run is not evidence that the sample lacks network capability.

Files

memory/2848-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\zyuoomqzkgwjyby.exe

MD5 39d6506489f5e92c4fbfb61a16d0794a
SHA1 7cf264c9502a6c628c57a1ce5c5b31765ba41081
SHA256 fd1f504bf28672474116bf79e6e141276f347e542636c25308761d2bd35b6cb8
SHA512 741dabe4c79b1229bb89d652de75f90ebbf5771efea1df35a499fa2decec51d1339b36d3a88877c130d31014953344b2125cc1bd9496cae5013530d15edd44a0

C:\Windows\SysWOW64\bjjkinlfpr.exe

MD5 8774f06e2fcc3d9267a2876b1039aa45
SHA1 543958dfe9681b07ca80b889b85f15649f95ad31
SHA256 7e69f30060a02ec45b22ef59b70815e931c03c94aced49a812f6af6a842de451
SHA512 a3c3b44a26ca24b38a6554a8260c98ac219d3fa7e7b83ea2a434dbaaeacb63f2a5b0c2208f8de5b7d1bafbf344d5b99de6208c02a0889e8c77b68dd7ffc29ea2

C:\Windows\SysWOW64\vpcvkusk.exe

MD5 fc5c26eb0c370fee27f82a0ef826636a
SHA1 3ac09194a42503f520e79cf36262ded9e5a99665
SHA256 86c3cce57b9595dba325ec9f50fdf5bc6aaa61a39690caa58ca405ebd1d7215a
SHA512 b1340deaf6605e93527663195226d6b3f415915b99261b452163364490faa410ed4b22c07b1b3fb77677f5d26bebb1b7c9c765681ce3b7d53bc8a4335012c760

C:\Windows\SysWOW64\dunodhoucxlls.exe

MD5 260382cd62cea7858e772f9b67063978
SHA1 cb215103c12c6c75a34aba039e79f43b84a62fe4
SHA256 425c439dee6d7523423c6f61ef46227819eacc92059668145aefda5f6dabe709
SHA512 a1752571cee74750d6da521046ccb01318cb5de5c87749a017b21213e333afc377c9a22deb166393fd5119195b5eb86a241385d73fbe860f0914e72ecbc4eceb

memory/3624-35-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/3624-36-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/3624-37-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/3624-38-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/3624-39-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/3624-40-0x00007FFCA7390000-0x00007FFCA73A0000-memory.dmp

memory/3624-43-0x00007FFCA7390000-0x00007FFCA73A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\InvokeSend.doc.exe

MD5 b9159a991d2d77624179cd701eb41f4b
SHA1 e6f478e9b9a6cdab6352a50b376136c98a37a64b
SHA256 99f347fe0d50be680138ec2282431cd98090157265daaba0da1301b76d17c522
SHA512 4fb877801c6c1bc82251ac4e9dc1994ac756549d089beee2d3335fbbca97338a8615541e4031d3a29a70fd9ddf7ab4be61698e435e9d220a57d6d7f33a36069a

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 16f626d9cdb749fa157de0bf766a6a45
SHA1 6a60a6fe49957c1271748b0908f825426783b7af
SHA256 e316260a7f553a1d080c71cd1038d030f71f601de087ed77010d455bd352f7c9
SHA512 09ce6ee607853c44ce39a7a45d571c526d5968de32b6aad6384b9675f877f51ecca08f5f425f1c867730011ff81f8dbb37a1a93fbcbf867bb7b4e3026f5632ae

\??\c:\Users\Admin\Desktop\DismountResolve.doc.exe

MD5 f93b842e42f580ce93f19b0ba9aa9504
SHA1 ee92f5dc997eaf99ef97b28243ea82f77b284faa
SHA256 95f971b477e4facebe45c535c1e1790e34029a8fb9d26e845f90231c682a6924
SHA512 b148ca110754a447a293660f33534f7230656b33ec3c5a4a16e849980f9f911ac4842fa25a0ed1a288f2f3a82f50d46545626e7aad00a08cb043e9ce6112d3b6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 dae675084917eaebbdc2a98cef55056f
SHA1 e9c4f193a70cbe9629fcebd739d8a7867d0bdf8e
SHA256 10ad0ac4ba5088911b2e024231d3fd507734357a004d81b83d4121accc3b326c
SHA512 ae226d5c1557481650cea64e40bc6711c073014f9369e8c5062304a1e4f5246c01a8a458e7a34217c9c626f85f7f383cd88df3c5342282c82ea374fc78833d83

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e4755d83c6472a744f0a321e916ae5bb
SHA1 29d005c02c855f14fce54b6b22a3cee1e2f3c038
SHA256 f77cd481ac6708e724f89f0d379e582653727e8213e67cbc4940797dbceeb0f7
SHA512 ee65bba3f9d3f9bfd396407761712ceef3e610d66e656bd2d5bf46259e2db110c6951ab454ca4cfdeb6bc2d63844415cbd54d8202b4b46ed0dbbdf8e38e8159d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 c28147cbb28b38441089d305b855f6ac
SHA1 08ceafbca1bf5bde55712a99e290e1cc0dac2bf7
SHA256 6cfb97bf1cb22256dfeddea64ca6e34f2dd18d9849e34ba20356a245f374c0c8
SHA512 56e0b5ab46f5634040435a5a55dc8e01d56f53089364d5728c3d9f93458054da54320814e7d0411c314c0cc782a8ad11bcd462c33815f3efd7bc010269353295

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 ad4560e36ace50a3bb534f2c45500cc2
SHA1 625e61dacd714aa2f0b89759f2abbb525cd8891f
SHA256 37d0c8b5816d92b92cb200fb19ec9dba725506916f7b164b3f9e1ca5be4726b4
SHA512 0f95f5162bbd91b3039c7f9b8c64ee7d097e09a4159c8ff70bbb897e9445cd18bb81c27af4ef478c9778463f65c0335dc81b9defde2ba818ca89438cd3f0a5ca

memory/3624-122-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/3624-123-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/3624-121-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/3624-124-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

Notes on this list: the memory/<pid>-... entries are sandbox dumps of process memory regions (PID 2848 is the sample, PID 3624 is WINWORD.EXE), not files on disk, and carry no hashes. Paths written as \??\c:\... are the NT object-manager spelling of C:\... and refer to the same file. Paths that appear twice with different hashes (fb3b0dbfee58fac8.customDestinations-ms, MSDRM\MsoIrmProtector.doc.exe) were written more than once during the run. The entries ending in .doc.exe and .DOC.exe are executables given a document-looking name; with file extensions hidden in Explorer they display as Word documents (InvokeSend.doc, DismountResolve.doc). C:\Windows\mydoc.rtf is the document the sample wrote and then opened in Word.
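A practitioner consuming this list wants two things from it: the hash set, and a way to find the document-named executables on other hosts. The added example below (written for this page, not report or vendor code) parses the flattened path/hash layout used above, normalises the \??\c:\ spelling, pulls out the *.doc.exe entries, and sweeps a directory tree for the same naming pattern. It generalises beyond .doc to the other document extensions in DOC_EXTS, which is an assumption about the lure style rather than something the report shows; FILES_BLOCK is a constructed excerpt of the entries above, with some entries abridged to fewer hash lines.

```python
"""Parse the flattened 'Files' list above and hunt for document-named
executables.  Added example for this page, not sandbox-vendor code;
FILES_BLOCK is a constructed excerpt (some entries abridged to fewer hashes).
"""
import os
import re
import tempfile

FILES_BLOCK = r"""
C:\Windows\SysWOW64\bjjkinlfpr.exe

MD5 8774f06e2fcc3d9267a2876b1039aa45
SHA1 543958dfe9681b07ca80b889b85f15649f95ad31
SHA256 7e69f30060a02ec45b22ef59b70815e931c03c94aced49a812f6af6a842de451
SHA512 a3c3b44a26ca24b38a6554a8260c98ac219d3fa7e7b83ea2a434dbaaeacb63f2a5b0c2208f8de5b7d1bafbf344d5b99de6208c02a0889e8c77b68dd7ffc29ea2

memory/3624-35-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

C:\Program Files\InvokeSend.doc.exe

MD5 b9159a991d2d77624179cd701eb41f4b
SHA256 99f347fe0d50be680138ec2282431cd98090157265daaba0da1301b76d17c522

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

SHA256 e316260a7f553a1d080c71cd1038d030f71f601de087ed77010d455bd352f7c9

\??\c:\Users\Admin\Desktop\DismountResolve.doc.exe

MD5 f93b842e42f580ce93f19b0ba9aa9504
SHA256 95f971b477e4facebe45c535c1e1790e34029a8fb9d26e845f90231c682a6924
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Document extensions a lure might borrow: .doc is what the report shows,
# the others are an assumption about the naming style.
DOC_EXTS = ("doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt")
LURE_NAME = re.compile(r"\.(%s)\.exe$" % "|".join(DOC_EXTS), re.IGNORECASE)


def normalize(path):
    """Map the NT object-manager spelling '\\??\\c:\\...' onto 'C:\\...'."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def parse_files(text):
    """Return one dict per entry: path, memdump flag, lower-cased hashes, and
    a 'bad' list naming any digest whose length does not fit its algorithm."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            current[algo.lower()] = digest
            if len(digest) != HASH_LEN[algo]:
                current["bad"].append(algo)
            continue
        current = {"path": normalize(line), "memdump": line.startswith("memory/"), "bad": []}
        entries.append(current)
    return entries


def lure_executables(entries):
    """On-disk entries whose name is <document extension>.exe."""
    return [e["path"] for e in entries if not e["memdump"] and LURE_NAME.search(e["path"])]


def sha256_set(entries):
    return {e["sha256"] for e in entries if "sha256" in e}


def sweep(root):
    """Walk a directory tree and return files matching the lure pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if LURE_NAME.search(f))
    return sorted(hits)


def demo_sweep():
    """Sweep a throwaway tree of constructed file names (offline check)."""
    with tempfile.TemporaryDirectory() as tmp:
        desktop = os.path.join(tmp, "Desktop")
        os.mkdir(desktop)
        for name in ("Invoice.pdf.exe", "Report.DOC.exe", "notes.txt", "setup.exe"):
            open(os.path.join(desktop, name), "w").close()
        return [os.path.basename(p) for p in sweep(tmp)]


if __name__ == "__main__":
    entries = parse_files(FILES_BLOCK)
    print("SHA256 IOCs:", len(sha256_set(entries)))
    for path in lure_executables(entries):
        print("lure:", path)
    print("sweep:", demo_sweep())
```

The name match is deliberately case-insensitive because the report shows both PROTTPLN.DOC.exe and InvokeSend.doc.exe; on a real sweep, pair the name hit with the hash set so that a legitimately named file is not flagged on name alone.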