Malware Analysis Report

2024-11-30 06:36

Sample ID 240612-vv97masfrh
Target a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118
SHA256 2d4aab82b353af456cfc8b2284ebbc8f4330b4e92ffb124a97ee26dbf512506c
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

2d4aab82b353af456cfc8b2284ebbc8f4330b4e92ffb124a97ee26dbf512506c

Threat Level: Known bad

The file a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Checks processor information in registry

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:19

Signatures

AutoIT Executable (no indicator details recorded)

Unsigned PE (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:19

Reported

2024-06-12 17:22

Platform

win7-20240611-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\gddqdawjsm.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A

All five writes land in the Wow6432Node view because gddqdawjsm.exe is a 32-bit process subject to WOW64 registry redirection; the report records no write to the native HKLM\SOFTWARE\Microsoft\Security Center key. The same values appear again under "Windows security modification" below, where the sandbox matched a second, overlapping signature.

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

The process column is explorer.exe, not the sample or one of its drops, and only a key creation is recorded. Explorer creating the per-user Active Setup key is normal behaviour on a fresh profile's first logon, so this hit on its own is weak evidence of persistence.

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uyhdydpj = "gddqdawjsm.exe" C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxwvyjkt = "ifefzrbmuqfuyvr.exe" C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zmnwjisijcpvt.exe" C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A

Each value holds a bare file name rather than a full path, and the third value has an empty name. The three executables named here were dropped to C:\Windows\SysWOW64 (see "Drops file in System32 directory" below). Windows processes the Wow6432Node Run key as well as the native one at logon, so the WOW64 redirection does not defeat this persistence.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a:, \??\b:, \??\e:, \??\g: through \??\z: (every drive letter except c:, d: and f:; several letters opened more than once) C:\Windows\SysWOW64\gvmjbfdf.exe N/A
File opened (read-only) \??\a:, \??\b:, \??\e:, \??\g:, \??\i: through \??\u:, \??\w: through \??\z: (every drive letter except c:, d:, f:, h: and v:) C:\Windows\SysWOW64\gddqdawjsm.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gddqdawjsm.exe N/A

4294967197 is the unsigned rendering of the DWORD 0xFFFFFF9D (-99 as a signed value), the setting that disabled Windows File Protection on Windows 2000/XP. Windows Vista and later replaced WFP with Windows Resource Protection, which does not consult SFCDisable, so on the win7 platform used here the write is a recognisable fingerprint of the dropper rather than an effective defence-evasion step. Both values also sit under Wow6432Node because the writer is a 32-bit process.
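The registry indicators above are printed in NT object-manager form (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...), which is not what reg.exe, PowerShell or an EDR query expects. The script below is an added example and is not part of the report or of the sandbox's tooling: it parses a subset of those rows, copied verbatim from the signatures above, into HKLM/HKU key, value name, type and data, flags writes that landed in the Wow6432Node view, renders the SFCDisable DWORD as the signed value it encodes, and emits a reg query line per indicator for verification on a suspect host. The only assumption is the row grammar, `Set value (type) path = "data" process target`, as laid out in this report; the MEANING table is the author's gloss on the value names, not text from the report.

```python
"""Parse the sandbox's registry rows into HKLM/HKU paths a responder can query.

Added example; the ROWS below are copied from the behavioral1 signatures.
"""
import re

ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uyhdydpj = "gddqdawjsm.exe" C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
""".strip().splitlines()

# Row grammar assumed from the report: Set value (int|str) <path> = "<data>" <process> <target>
_ROW = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<path>\\REGISTRY\\.*?) = "(?P<data>[^"]*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)

# Author's gloss on the value names seen in this report (not sandbox output).
MEANING = {
    "HideFileExt": "Explorer hides file extensions (1 = hidden)",
    "ShowSuperHidden": "Explorer shows protected OS files (0 = hidden)",
    "DisableRegistryTools": "regedit blocked by policy (1 = blocked)",
    "AntiVirusOverride": "Security Center stops warning about missing AV",
    "SFCDisable": "legacy WFP switch; 0xFFFFFF9D disabled it on 2000/XP",
}


def to_win32_path(nt_path):
    """\\REGISTRY\\MACHINE\\X -> HKLM\\X ; \\REGISTRY\\USER\\<SID>\\X -> HKU\\<SID>\\X."""
    upper = nt_path.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM\\" + nt_path[len("\\REGISTRY\\MACHINE\\"):]
    if upper.startswith("\\REGISTRY\\USER\\"):
        return "HKU\\" + nt_path[len("\\REGISTRY\\USER\\"):]
    raise ValueError("unexpected registry path: " + nt_path)


def parse_row(line):
    """Turn one report row into a dict with Win32 key/value/type/data fields."""
    m = _ROW.match(line)
    if not m:
        raise ValueError("unrecognised row: " + line)
    key, _, value = to_win32_path(m.group("path")).rpartition("\\")
    is_int = m.group("kind") == "int"
    data = int(m.group("data")) if is_int else m.group("data")
    rec = {
        "key": key,
        "value": value,
        "type": "REG_DWORD" if is_int else "REG_SZ",
        "data": data,
        "process": m.group("process"),
        "wow64_view": "\\Wow6432Node\\" in key,   # 32-bit writer, redirected hive
        "meaning": MEANING.get(value, ""),
    }
    if is_int:
        # Show the value as the signed 32-bit integer the reader of the key sees.
        rec["signed"] = data - 0x100000000 if data >= 0x80000000 else data
    return rec


def reg_query(rec):
    """Command a responder can paste on the host to confirm the write."""
    return 'reg query "%s" /v "%s"' % (rec["key"], rec["value"])


def parse_rows(lines=ROWS):
    return [parse_row(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_rows():
        print(reg_query(rec), "#", rec["type"], rec["data"], rec["meaning"])
```

The `wow64_view` flag matters when turning these rows into host checks: a query against the native HKLM\SOFTWARE\Microsoft\Security Center path would come back clean on this sample, because the dropper only ever wrote the redirected copy.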

AutoIT Executable (8 rows, all N/A; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\gddqdawjsm.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gvmjbfdf.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zmnwjisijcpvt.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gddqdawjsm.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gvmjbfdf.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zmnwjisijcpvt.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\gddqdawjsm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gvmjbfdf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\gvmjbfdf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\gvmjbfdf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gvmjbfdf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gvmjbfdf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gvmjbfdf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gvmjbfdf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gvmjbfdf.exe N/A
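The Program Files rows show one pattern twice: gvmjbfdf.exe creates PROTTPLN.DOC.exe and PROTTPLV.DOC.exe beside the Office templates and touches PROTTPLN.nal / PROTTPLV.nal, while the Explorer settings written earlier hide file extensions, so a user browsing the folder sees a document-looking "PROTTPLN.DOC". The script below is an added example for hunting that artefact on a host; it is not part of the report. It walks a directory tree, flags any file named `<stem>.<document extension>.exe` whose first two bytes are the PE "MZ" magic, and reports a sibling `<stem>.nal` when one exists. Treating .nal as the renamed original is an assumption, and the fixture directory the script builds is constructed for the demonstration, not copied from an infected host.

```python
"""Hunt for document files replaced by double-extension executables.

Added example, not part of the report. Looks for <stem>.<doc ext>.exe files
that start with the PE magic and pairs them with a sibling <stem>.nal.
"""
import os
import re
import tempfile

DOC_EXTS = ("doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt")
_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+)\.(?P<inner>%s)\.exe$" % "|".join(DOC_EXTS), re.IGNORECASE
)


def _is_pe(path):
    """True if the file begins with the MZ signature every PE carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_masqueraded_docs(root):
    """Return sorted [(exe_path, nal_path_or_None), ...] for every hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            m = _DOUBLE_EXT.match(name)
            if not m:
                continue                      # single extension: not our pattern
            exe = os.path.join(dirpath, name)
            if not _is_pe(exe):
                continue                      # double extension but not a PE
            # Assumption: the original was renamed to <stem>.nal next to the PE.
            nal = m.group("stem") + ".nal"
            hits.append((exe, os.path.join(dirpath, nal) if nal in present else None))
    return sorted(hits)


def build_fixture():
    """Constructed look-alike of the report's Office14\\1033 folder (no real Office files)."""
    root = tempfile.mkdtemp(prefix="office14_")
    folder = os.path.join(root, "1033")
    os.makedirs(folder)
    samples = {
        "PROTTPLN.DOC.exe": b"MZ" + b"\x90" * 62,      # fake PE stub, has .nal sibling
        "PROTTPLN.nal": b"{\\rtf1 original template}",
        "PROTTPLV.DOC.exe": b"MZ" + b"\x00" * 62,      # fake PE stub, no .nal sibling
        "README.TXT.exe": b"not a PE at all",         # double extension, no MZ: ignored
        "WINWORD.EXE": b"MZ",                          # single extension: ignored
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for exe, nal in find_masqueraded_docs(build_fixture()):
        print(exe, "->", nal or "(no .nal sibling)")
```

Run it against `C:\Program Files (x86)\Microsoft Office` on a suspect host; the MZ check keeps it from flagging a stray `.txt.exe` text file, and the .nal pairing tells you which originals can be restored by renaming rather than reinstalling.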

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

The sample writes C:\Windows\mydoc.rtf and WINWORD.EXE then opens it (creating the ~$mydoc.rtf owner file), which is consistent with a decoy document being shown to the user while the dropped executables run. The Word launch also explains the WINWORD.EXE registry rows in the signatures that follow.

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Every row in this signature is written by WINWORD.EXE: on first launch Word registers itself as the Default HTML/MHTML Editor and adds its Export to Microsoft Excel and Send to OneNote context-menu entries. These are Office's own settings, triggered by the sample opening a document in Word, and should not be read as attacker-controlled changes.
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

The rows attributable to the sample are those whose Process column is the dropper or gddqdawjsm.exe: the CLV.Classes key with its Com3/Com4 hex strings (most likely runtime configuration or state storage; the report does not decode them), and the .bat, .vbs and .wsc extensions pointed at the txtfile handler, which makes batch and script files open in Notepad instead of executing, a common way to hinder clean-up scripts. The remaining WINWORD.EXE rows are Word registering its .htm/.mht handlers and are noise from the decoy document.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF8A482E826F9132D72E7E96BDE4E141594466476241D690" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02C47E339E853CCBAD432EAD7B9" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gddqdawjsm.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\gvmjbfdf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\SysWOW64\zmnwjisijcpvt.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\gddqdawjsm.exe
PID 1200 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\gddqdawjsm.exe
PID 1200 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\gddqdawjsm.exe
PID 1200 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\gddqdawjsm.exe
PID 1200 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe
PID 1200 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe
PID 1200 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe
PID 1200 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe
PID 1200 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\gvmjbfdf.exe
PID 1200 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\gvmjbfdf.exe
PID 1200 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\gvmjbfdf.exe
PID 1200 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\gvmjbfdf.exe
PID 1200 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\zmnwjisijcpvt.exe
PID 1200 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\zmnwjisijcpvt.exe
PID 1200 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\zmnwjisijcpvt.exe
PID 1200 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\zmnwjisijcpvt.exe
PID 2604 wrote to memory of 2588 N/A C:\Windows\SysWOW64\gddqdawjsm.exe C:\Windows\SysWOW64\gvmjbfdf.exe
PID 2604 wrote to memory of 2588 N/A C:\Windows\SysWOW64\gddqdawjsm.exe C:\Windows\SysWOW64\gvmjbfdf.exe
PID 2604 wrote to memory of 2588 N/A C:\Windows\SysWOW64\gddqdawjsm.exe C:\Windows\SysWOW64\gvmjbfdf.exe
PID 2604 wrote to memory of 2588 N/A C:\Windows\SysWOW64\gddqdawjsm.exe C:\Windows\SysWOW64\gvmjbfdf.exe
PID 1200 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1200 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1200 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1200 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2412 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2412 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2412 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2412 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
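The rows in this table look like injection, but the shape of the data argues for something more mundane: every writer/target pair appears exactly four times, and every target is either a freshly dropped executable or a program the sample launched. That is the pattern this kind of sandbox typically records when a process starts a child (the parent writes the new process's startup parameters into it), so the table is best read as a spawn tree: the sample (PID 1200) starts the four SysWOW64 droppers and WINWORD.EXE on C:\Windows\mydoc.rtf, gddqdawjsm.exe (2604) starts a second copy of gvmjbfdf.exe (2588, next to the 2600 instance started by the sample, which is why gvmjbfdf.exe is listed twice under Processes), and the 32-bit Word process starts splwow64.exe, the WOW64 print-driver helper. Whether any genuine cross-process code write took place cannot be decided from this table alone. The Python below is an added example and not part of the report: it rebuilds that tree from rows in the printed "PID X wrote to memory of Y N/A <writer path> <target path>" layout (assumed from the table as shown); the sample input is reconstructed from the rows above, with the same four-fold repetition per pair.

```python
"""Rebuild a process spawn tree from 'PID X wrote to memory of Y' rows.

Added example, not part of the sandbox report. Assumed row layout:
    PID <src> wrote to memory of <dst> N/A <src image path> <dst image path>
"""
import re
from collections import OrderedDict, defaultdict
from typing import Dict, List, Tuple

WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_path>[A-Za-z]:\\.+?) (?P<dst_path>[A-Za-z]:\\.+)$'
)

# Constructed sample built from the table above. The report lists every
# (writer, target) pair four times, so the loop reproduces that exactly.
_SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe'
_WORD = r'C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE'
_SYS = r'C:\Windows\SysWOW64'
_PAIRS = [
    (1200, 2604, _SAMPLE, _SYS + r'\gddqdawjsm.exe'),
    (1200, 2740, _SAMPLE, _SYS + r'\ifefzrbmuqfuyvr.exe'),
    (1200, 2600, _SAMPLE, _SYS + r'\gvmjbfdf.exe'),
    (1200, 2032, _SAMPLE, _SYS + r'\zmnwjisijcpvt.exe'),
    (2604, 2588, _SYS + r'\gddqdawjsm.exe', _SYS + r'\gvmjbfdf.exe'),
    (1200, 2412, _SAMPLE, _WORD),
    (2412, 1140, _WORD, r'C:\Windows\splwow64.exe'),
]
SAMPLE_ROWS = '\n'.join(
    f'PID {s} wrote to memory of {d} N/A {sp} {dp}'
    for (s, d, sp, dp) in _PAIRS for _ in range(4)
)


def parse_edges(text: str) -> Tuple["OrderedDict[Tuple[int, int], int]", Dict[int, str]]:
    """Return {(writer_pid, target_pid): row count} in first-seen order and {pid: image name}."""
    counts: "OrderedDict[Tuple[int, int], int]" = OrderedDict()
    names: Dict[int, str] = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row; skip silently
        s, d = int(m['src']), int(m['dst'])
        counts[(s, d)] = counts.get((s, d), 0) + 1
        names.setdefault(s, m['src_path'].rsplit('\\', 1)[-1])
        names.setdefault(d, m['dst_path'].rsplit('\\', 1)[-1])
    return counts, names


def children_of(counts) -> Dict[int, List[int]]:
    """Writer pid -> target pids, in the order the report first shows them."""
    kids: Dict[int, List[int]] = defaultdict(list)
    for (s, d) in counts:
        if d not in kids[s]:
            kids[s].append(d)
    return kids


def roots(counts) -> List[int]:
    """Writers that were never themselves written to, i.e. the top of each tree."""
    targets = {d for (_, d) in counts}
    return [s for s in dict.fromkeys(s for (s, _) in counts) if s not in targets]


def render(counts, names: Dict[int, str]) -> List[str]:
    """Indented 'pid image' lines, one per process, depth-first from each root."""
    kids = children_of(counts)
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        out.append(f"{'  ' * depth}{pid} {names[pid]}")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for root in roots(counts):
        walk(root, 0)
    return out


if __name__ == '__main__':
    counts, names = parse_edges(SAMPLE_ROWS)
    for line in render(counts, names):
        print(line)
    for (s, d), n in counts.items():
        print(f'{s} -> {d}: {n} write rows')
```

Run as-is it prints the eight-process tree and the per-pair row counts. A pair that appears with a different count, or a target that is an already-running system process rather than a new image, is the case that deserves a second look as possible injection; here every pair fits the process-creation shape.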

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe"

C:\Windows\SysWOW64\gddqdawjsm.exe

gddqdawjsm.exe

C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe

ifefzrbmuqfuyvr.exe

C:\Windows\SysWOW64\gvmjbfdf.exe

gvmjbfdf.exe

C:\Windows\SysWOW64\zmnwjisijcpvt.exe

zmnwjisijcpvt.exe

C:\Windows\SysWOW64\gvmjbfdf.exe

C:\Windows\system32\gvmjbfdf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1200-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ifefzrbmuqfuyvr.exe

MD5 ad13709de84e19751b72822a67e3f8d5
SHA1 75b261aa728548720f39925cb401bdfafe1bf8bd
SHA256 d1a8de7e0e2ec0922c755e6ec41d7e336c5da63d8864aa6e1c5261428ed7aefb
SHA512 2040aac0f64153502ea07a94db51d4848e7c0443610ff8d5df4d6fd99eab473d571b53c4da4d9ed0b2f8e28753aad57ec71b2bee7604e8c5e256a50d963836e9

\Windows\SysWOW64\gddqdawjsm.exe

MD5 9e5d289164c23f22b136f4c668499ac4
SHA1 11f878b91f5eca677e01e362cd4aeaea873cf2a1
SHA256 3489c4d25003d36048c4ebfd6a1999eda7b2c0e0b8f0d42954509ab9d4e87ccc
SHA512 b1dcc57ce3bad8c05c9febc137286152f1a0bdc7b73f96c4b0adace7a80315115fe0dea0a94c78a75c27f2d546c2e34e67c5ff2e3d55c396482dbcf653407514

\Windows\SysWOW64\gvmjbfdf.exe

MD5 cc709cea00effa6a8a073e0123ea3621
SHA1 cc6ae5c673045cbc3f50f497c034acfb8a3064db
SHA256 bf04daec2294620c22519ff52dd6d5773605e38dc4af77a2fb91ca0b94e074d8
SHA512 afa6378455d062860e594ac95fce1e4e9f37fc23c41271a66cac0a3257fb8b99becbf7029be9790b159b81b4041e08a4d37a21003f13f0e113a7124fabaf60e3

\Windows\SysWOW64\zmnwjisijcpvt.exe

MD5 461cbeda7f2849ba7a5169d34bdfe0c9
SHA1 ac96a310b0768f643a9ffcf2d45c5526348e2f03
SHA256 e009632da7ca0f72899d81ef755bc11950d70c3464480a94712022a5d47be2c8
SHA512 852ad8076c0d3f09b19a2f189ecaea7b79c8fe03845b3538c78ed89938845f8360339d0eba36a2c266e64137676a5a3146967cba6426ff9f0254eb9eca43e8fb

memory/2412-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 79c16d63c655be66d985699822edd733
SHA1 558b52ad9e6ea3ed5835aa640b6dda09464edd7e
SHA256 293f19834415536e30171d404e5905ecfdcc476b73ee6a199a3970d2e91f24f8
SHA512 f2f92e5e56e71761551a42e2b2c0073e60e7a92eefe7e5b44478efb352885f70606eb812cbc994d30030a05cf987a85926c71359c01b67a264c3f3f210cfbb6e

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 3baed17c0e0e4b3ac3c6f3cf9093785f
SHA1 858a8a2d95c6b3325f2bd4625c986467c6648578
SHA256 103ab9aa492c30afc73ca6bee74931a2a382662e61353393f4c734eeaacf3993
SHA512 4662269430fce247ae0597f445362f4d21f9589d8890883ac4b533e0a9e89f4d96dc4f8c0c81c727b0a5993f7d026a033474d7084d7915e164902f5ce61df635

C:\Users\Admin\Documents\ResolveSave.doc.exe

MD5 109f227713f3ecfd4db8faeefb12f0c7
SHA1 472c4d1552c53c5dc8e929898b0b8c8be35bb32f
SHA256 d8fdaa9b004426b557976b68b5a3fbbff1403140a215d6552af6348449920f64
SHA512 86d3754dc963ed5b05e942d9916ee34bc110e087d686c5ac1b6d93c9767b6f3a9537272f33e25be9a7ecef54b86a41e9dab4106867d97143a2f6d37bcd7410eb

memory/2820-85-0x0000000003970000-0x0000000003980000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:19

Reported

2024-06-12 17:22

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ylutikhqwh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kcblvfgn = "lzuhvgnklascfcy.exe" C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mdelgqgyhpqhx.exe" C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iwhggegu = "ylutikhqwh.exe" C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ylutikhqwh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
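The registry rows across these signature tables (the "Modifies registry class" rows in behavioral1 and the Explorer, Security Center, RegEdit, Run-key and WinLogon rows in behavioral2) mix three different things. First, registration noise written by WINWORD.EXE after the sample launched it on C:\Windows\mydoc.rtf: the (data) value under .mht\OpenWithList is a UTF-16LE string holding a Windows Installer Darwin descriptor followed by " /dde", which is how Office registers its OpenWithList verbs, and none of the WINWORD.EXE rows are attributable to the sample. Second, the droppers' file-association changes: .bat here, and .WSF, .WSH, .wsc and .reg in behavioral2, are pointed at the txtfile ProgID, so double-clicking such a file opens it in Notepad instead of executing it, which also blunts a cleanup via .reg or script. Third, the evasion values themselves: the Security Center notify/override flags, DisableRegistryTools, HideFileExt (which makes the dropped *.doc.exe files display as documents), and SFCDisable = 4294967197, which is 0xFFFFFF9D, i.e. -99 as a signed DWORD, the Windows 2000/XP-era Windows File Protection kill switch; current Windows does not honour it, so treat the write as intent rather than a working bypass. The Python below is an added example and not part of the report: it parses rows in the printed "Set value (type) <path> = <value> <process> <target>" layout (assumed from the tables as shown, where the target column is always N/A), decodes each value by type, and labels the rows an analyst would pull out. The sample rows are copied from the tables above; the rule names and labels are this example's own.

```python
"""Parse 'Set value' rows from a sandbox report and flag evasion-related writes.

Added example, not part of the report. Assumed row layout:
    Set value (type) <key path> = <value> <process path> <target>
with type in {str, int, data}; str/int values are double-quoted, data values are hex.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ROW_RE = re.compile(
    r'^Set value \((?P<type>str|int|data)\) (?P<path>.+?) = '
    r'(?P<value>"(?:[^"\\]|\\.)*"|[0-9A-Fa-f]+) '
    r'(?P<proc>[A-Za-z]:\\.+?) (?P<target>N/A|[A-Za-z]:\\.*)$'
)

# Value names under ...\Security Center that silence or override Security Center state.
SECURITY_CENTER = {'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                   'FirstRunDisabled', 'AntiVirusOverride', 'FirewallOverride'}
# Extensions whose default ProgID the droppers point at txtfile (open in Notepad, never run).
SCRIPT_EXTS = {'.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.wsc', '.reg'}

# Constructed sample: rows copied from the signature tables above (behavioral1 and behavioral2).
SAMPLE_ROWS = r"""
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gddqdawjsm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iwhggegu = "ylutikhqwh.exe" C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
"""


@dataclass
class RegWrite:
    vtype: str
    path: str
    value: Union[str, int]  # str for (str)/(data) rows, int for (int) rows
    process: str

    @property
    def signed(self) -> Optional[int]:
        """Reinterpret an (int) value as a signed DWORD: 4294967197 -> -99."""
        if not isinstance(self.value, int):
            return None
        return self.value - (1 << 32) if self.value >= (1 << 31) else self.value

    @property
    def image(self) -> str:
        return self.process.rsplit('\\', 1)[-1]


def parse_row(line: str) -> Optional[RegWrite]:
    """One report row -> RegWrite with the value decoded by type, or None if not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    vtype, raw = m['type'], m['value']
    if vtype == 'data':
        # The report prints binary payloads as hex; this row is UTF-16LE text with
        # NUL terminators, so decode it and drop the trailing NULs.
        value: Union[str, int] = bytes.fromhex(raw).decode('utf-16-le').rstrip('\x00')
    elif vtype == 'int':
        value = int(raw.strip('"'))
    else:
        value = raw[1:-1]
    return RegWrite(vtype, m['path'], value, m['proc'])


def classify(w: RegWrite) -> Optional[str]:
    """Short label for writes an analyst should pull out, else None."""
    parts = w.path.split('\\')
    parent, name = (parts[-2] if len(parts) > 1 else ''), parts[-1]
    if parent == 'Security Center' and name in SECURITY_CENTER and w.value == 1:
        return f'security-center: {name}=1'
    if parent == 'Winlogon' and name == 'SFCDisable':
        return f'winlogon: SFCDisable={w.signed} (legacy WFP kill switch)'
    if parent == 'Winlogon' and name == 'SFCScan' and w.value == 0:
        return 'winlogon: SFCScan=0'
    if parent == 'System' and name == 'DisableRegistryTools' and w.value == 1:
        return 'policy: regedit disabled'
    if parent == 'Advanced' and name == 'HideFileExt' and w.value == 1:
        return 'explorer: extensions hidden (dropped *.doc.exe files display as documents)'
    if parent == 'Advanced' and name == 'ShowSuperHidden' and w.value == 0:
        return 'explorer: hidden/system files hidden'
    if re.search(r'\\CurrentVersion\\Run(Once)?\\[^\\]*$', w.path):
        return f'autorun: {name or "(default)"} -> {w.value}'
    if name == '' and parent.lower() in SCRIPT_EXTS and w.value == 'txtfile':
        return f'file-assoc: {parent} -> txtfile (opens in Notepad, never runs)'
    if 'OpenWithList' in w.path and isinstance(w.value, str) and w.value.endswith(' /dde'):
        return 'office: OpenWithList Darwin descriptor + /dde (Office self-registration)'
    return None


def audit(report_text: str) -> List[Tuple[str, str]]:
    """(writing image, label) for every flagged row, in report order."""
    findings: List[Tuple[str, str]] = []
    for line in report_text.splitlines():
        w = parse_row(line)
        if w is None:
            continue
        label = classify(w)
        if label:
            findings.append((w.image, label))
    return findings


if __name__ == '__main__':
    for image, label in audit(SAMPLE_ROWS):
        print(f'{image:24} {label}')
```

Run as-is it prints one line per flagged row. Grouping by the process column is the useful filter: rows whose writer is a randomly named executable in SysWOW64 are the sample's work and belong in the indicator list, while the WINWORD.EXE rows drop out as application behaviour once the /dde value is decoded.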

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\lzuhvgnklascfcy.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mwxjjett.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mdelgqgyhpqhx.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification C:\Windows\SysWOW64\ylutikhqwh.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lzuhvgnklascfcy.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mwxjjett.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mdelgqgyhpqhx.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ylutikhqwh.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File created C:\Windows\SysWOW64\ylutikhqwh.exe C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\mwxjjett.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\mwxjjett.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mwxjjett.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B02D44E639E853C4BAD733EAD4BB" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C0F9D2C82206A3576A2702E2DDF7CF264A8" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF83485C851D9146D65F7D92BCE4E143584766466336D69C" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9F9BEFE13F191840F3B4686EE39E1B0FA028A4212033AE1C8429C09A3" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168B2FE6C21DFD20ED0D28A7E9016" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60B15E0DAB7B9B97CE2EDE034C7" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\ylutikhqwh.exe N/A
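The rows above show ylutikhqwh.exe pointing the default value of HKLM\SOFTWARE\Classes\.bat, .vbs, .wsf, .wsh, .wsc and .reg at "txtfile". That ProgID is the one Notepad owns, so any of those file types launched through the shell opens as text instead of executing, which quietly breaks clean-up batch files, VBScript removal tools and .reg repair imports. The script below is an added example, not part of the sandbox report or the sample: it parses the report rows (embedded as constructed input), flags the handler hijack, collects the opaque CLV.Classes strings as registry IOCs without claiming what they encode, and emits reg.exe commands to restore the handlers. The STOCK_PROGIDS table is this example's assumption about a default Windows install; verify it against a clean reference host before applying.

```python
import re

# Rows copied from the "Modifies registry class" table of this report, embedded
# as constructed sample input so the example runs offline.
REPORT_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B02D44E639E853C4BAD733EAD4BB" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ylutikhqwh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168B2FE6C21DFD20ED0D28A7E9016" C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
"""

# 'Set value (str) <key> = "<data>" <process> N/A'. The key never contains a
# space but the process path may, so the key is matched non-greedily.
SET_VALUE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?) = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$'
)

CLASSES_ROOT = r"\registry\machine\software\classes"

# Default ProgIDs on a stock Windows install (assumption of this example;
# confirm against a clean reference host before restoring).
STOCK_PROGIDS = {
    ".bat": "batfile", ".cmd": "cmdfile", ".vbs": "VBSFile", ".vbe": "VBEFile",
    ".js": "JSFile", ".jse": "JSEFile", ".wsf": "WSFFile", ".wsh": "WSHFile",
    ".wsc": "scriptletfile", ".reg": "regfile", ".ps1": "Microsoft.PowerShellScript.1",
}


def parse_rows(text):
    """Return the 'Set value' rows as dicts with key, data and writing process."""
    return [m.groupdict() for m in map(SET_VALUE.match, text.strip().splitlines()) if m]


def find_handler_hijacks(rows):
    """Map each script extension whose Classes\\<ext> default value was set to
    'txtfile' to the process that wrote it."""
    hijacks = {}
    for r in rows:
        parent, _, ext = r["key"].rstrip("\\").rpartition("\\")
        if (parent.lower() == CLASSES_ROOT and ext.lower() in STOCK_PROGIDS
                and r["data"].lower() == "txtfile"):
            hijacks[ext.lower()] = r["proc"]
    return hijacks


def marker_values(rows):
    """Collect the CLV.Classes\\* strings the sample writes. The report does not
    say what they encode; they are kept only as host-specific registry IOCs."""
    out = {}
    for r in rows:
        parent, _, name = r["key"].rstrip("\\").rpartition("\\")
        if parent.lower() == CLASSES_ROOT + r"\clv.classes":
            out[name] = r["data"]
    return out


def restore_commands(hijacks):
    """reg.exe commands that put the stock ProgID back; run from an elevated
    64-bit shell and re-check with 'reg query' afterwards."""
    return [
        f'reg add "HKLM\\SOFTWARE\\Classes\\{ext}" /ve /d {STOCK_PROGIDS[ext]} /f'
        for ext in sorted(hijacks)
    ]


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    hijacks = find_handler_hijacks(rows)
    for ext, proc in hijacks.items():
        print(f"{ext:6} -> txtfile  (written by {proc})")
    print("markers:", marker_values(rows))
    print("\n".join(restore_commands(hijacks)))
```

The hijack only affects shell-driven launches (double-click, ShellExecute, `start foo.bat`); `cmd /c foo.bat`, `cscript foo.vbs` and `regedit /s fix.reg` name the interpreter explicitly and still work, which is how a responder should run remediation on a host in this state.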

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\ylutikhqwh.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxjjett.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxjjett.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxjjett.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxjjett.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxjjett.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxjjett.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxjjett.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxjjett.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\lzuhvgnklascfcy.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A
N/A N/A C:\Windows\SysWOW64\mdelgqgyhpqhx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ylutikhqwh.exe
PID 3348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ylutikhqwh.exe
PID 3348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ylutikhqwh.exe
PID 3348 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\lzuhvgnklascfcy.exe
PID 3348 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\lzuhvgnklascfcy.exe
PID 3348 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\lzuhvgnklascfcy.exe
PID 3348 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 3348 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 3348 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 3348 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mdelgqgyhpqhx.exe
PID 3348 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mdelgqgyhpqhx.exe
PID 3348 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mdelgqgyhpqhx.exe
PID 952 wrote to memory of 964 N/A C:\Windows\SysWOW64\ylutikhqwh.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 952 wrote to memory of 964 N/A C:\Windows\SysWOW64\ylutikhqwh.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 952 wrote to memory of 964 N/A C:\Windows\SysWOW64\ylutikhqwh.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 3348 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3348 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
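The WriteProcessMemory rows are the only place this report records which process started which, so they are worth turning into a tree rather than reading as a flat list: the sample (PID 3348) writes into each of the four SysWOW64 drops and into WINWORD.EXE, and ylutikhqwh.exe (952) in turn starts a second mwxjjett.exe (964). The script below is an added example, not tooling from the sandbox; it parses the rows above (embedded as constructed input), deduplicates repeated writes into a per-edge count, reconstructs the parent/child tree and reports images that run under more than one PID.

```python
import re
from collections import defaultdict

# All rows of the "Suspicious use of WriteProcessMemory" table above, embedded
# as constructed sample input (copied from the report text).
WPM_ROWS = r"""
PID 3348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ylutikhqwh.exe
PID 3348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ylutikhqwh.exe
PID 3348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\ylutikhqwh.exe
PID 3348 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\lzuhvgnklascfcy.exe
PID 3348 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\lzuhvgnklascfcy.exe
PID 3348 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\lzuhvgnklascfcy.exe
PID 3348 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 3348 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 3348 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 3348 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mdelgqgyhpqhx.exe
PID 3348 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mdelgqgyhpqhx.exe
PID 3348 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Windows\SysWOW64\mdelgqgyhpqhx.exe
PID 952 wrote to memory of 964 N/A C:\Windows\SysWOW64\ylutikhqwh.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 952 wrote to memory of 964 N/A C:\Windows\SysWOW64\ylutikhqwh.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 952 wrote to memory of 964 N/A C:\Windows\SysWOW64\ylutikhqwh.exe C:\Windows\SysWOW64\mwxjjett.exe
PID 3348 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3348 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"""

# The writer path is matched non-greedily up to the first ' X:\' that begins
# the target path, so paths with spaces (Program Files) survive.
ROW = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) N/A "
    r"(?P<writer_image>.+?) (?P<target_image>[A-Za-z]:\\.+)$"
)


def parse_edges(text):
    """(writer_pid, target_pid) -> [writer_image, target_image, write_count]."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if not m:
            continue
        key = (int(m["writer"]), int(m["target"]))
        if key in edges:
            edges[key][2] += 1
        else:
            edges[key] = [m["writer_image"], m["target_image"], 1]
    return edges


def build_tree(edges):
    """Children lists (in report order) and a pid -> image map."""
    children, names = defaultdict(list), {}
    for (w, t), (wimg, timg, _) in edges.items():
        children[w].append(t)
        names.setdefault(w, wimg)
        names[t] = timg
    return children, names


def roots(children, names):
    """PIDs that nobody wrote into: the processes that started the chain."""
    targets = {t for kids in children.values() for t in kids}
    return [p for p in names if p not in targets]


def render_tree(edges, pid):
    children, names = build_tree(edges)
    lines = []

    def walk(p, depth, note):
        lines.append(f"{'    ' * depth}{p} {names[p]}{note}")
        for kid in children.get(p, []):
            walk(kid, depth + 1, f"  [{edges[(p, kid)][2]} WriteProcessMemory calls]")

    walk(pid, 0, "")
    return lines


def images_with_multiple_pids(names):
    """Images that appear under more than one PID, e.g. a dropper re-launched
    by a sibling rather than only by the original sample."""
    by_image = defaultdict(list)
    for pid, image in names.items():
        by_image[image].append(pid)
    return {img: pids for img, pids in by_image.items() if len(pids) > 1}


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    children, names = build_tree(edges)
    for root in roots(children, names):
        print("\n".join(render_tree(edges, root)))
    print(images_with_multiple_pids(names))
```

The write counts are only a hint: a sandbox logs several WriteProcessMemory calls while a parent sets up a child's startup data, so three writes per SysWOW64 child versus two for WINWORD.EXE says little on its own; the shape of the tree and the re-launch of mwxjjett.exe from ylutikhqwh.exe are the parts worth carrying into a detection.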

Processes

C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a178dd89d7408769524dc2c97dd2ec77_JaffaCakes118.exe"

C:\Windows\SysWOW64\ylutikhqwh.exe

ylutikhqwh.exe

C:\Windows\SysWOW64\lzuhvgnklascfcy.exe

lzuhvgnklascfcy.exe

C:\Windows\SysWOW64\mwxjjett.exe

mwxjjett.exe

C:\Windows\SysWOW64\mdelgqgyhpqhx.exe

mdelgqgyhpqhx.exe

C:\Windows\SysWOW64\mwxjjett.exe

C:\Windows\system32\mwxjjett.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/3348-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\lzuhvgnklascfcy.exe

MD5 cf990e84da155b0aa21f321f201e5d1a
SHA1 89b723b71c9445c6a27f423815741b7f72255257
SHA256 39818f2143b096e6efbaa22f1a93d688982bffe743885b245096d205ae7443bf
SHA512 ae54a0f2615e0aac5b450381db2b829be4c5cb65adecc6121792529e67f9b8828041ff35b9e6f897038f7f6e50ab046a88da6648c63860ecf6eef2eac8eca4df

C:\Windows\SysWOW64\ylutikhqwh.exe

MD5 f9143b9bb9eb5c71f19b1a6950e9d228
SHA1 ba7f7431680e3f1e944f7c22c5ce2d8d0b377042
SHA256 42da11624580dfeb129ac9246e64ccbb09969a6133e21bb69037f499a0244910
SHA512 3bb0118965cc4b777c5ae0d20b2e9a1b0e44a2a72554db8f120a58b005b83ab6256be5409d063cb4dfa7f4bc0ef8de8b589949be83b37aabde3d3e57060fb15b

C:\Windows\SysWOW64\mwxjjett.exe

MD5 95f88c0f44dbf3e0f621bf158e136151
SHA1 e2ba72cb4b52e3dd660f55619a2f094dfb772bef
SHA256 c12feff4c34c97cebb8496d24fa319f32c56aaef19955e74d76e75d1125b17e1
SHA512 5a620b388e5eb4b74aa403cd5f9a57502975838246982b8a658283975a326161fdffdfe52bf0bc239b80569d37200f910f2f43383fbda0d5ae81cf248793b113

C:\Windows\SysWOW64\mdelgqgyhpqhx.exe

MD5 79a2de4ae37bfcfd4737f26ee10a0254
SHA1 7543ccbbf7542e8ef1c544854dc582350cf59692
SHA256 a95e10e7edd9ccf25d856036edf6394291779173e22fad94fe6c1e1bad34f10b
SHA512 1dfce4074396b6e1fb84e0a456fdae54d62dd680d2d22483f02717433c490b135a3a681f37e4cae6eccf3f889a4e6b9d2e1ca675a7cf901a2229613031501e3c

memory/892-37-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

memory/892-38-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

memory/892-39-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

memory/892-40-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

memory/892-41-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

memory/892-42-0x00007FFFB4610000-0x00007FFFB4620000-memory.dmp

memory/892-43-0x00007FFFB4610000-0x00007FFFB4620000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 debc77c4ffa0856e37ff837bd47d7f5f
SHA1 0d6187bee9cf5a8970124b52fe2dc8cfa1f1fd0b
SHA256 6c2709802c44dd009388fe7bd54efce26b8f881c1c7d1654c814a377a4af84f3
SHA512 5da141d96510b88f8184ad3bc082a8931cf0d56c3b54dd3477245f70020b5332d232cb95d0c54b12618c0094de29c9fc30fd0b17144efd19b7be6020875002a6

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 b63c8099c593c438ed1d985aadc524f1
SHA1 eee9960530885d5a8ff7331ab107d53ae1d0de0b
SHA256 360cd52a6bde6f2880828498951e6b9939e7c4d879e45f6cd1220b840de98dd5
SHA512 94a7c025dad8a09bb5a803afd66be2721a10c38e4dc4f51de2df1566af96c86964c9e41ac4f40f869e93618c76c65699f856e2c421c64d489c8501478ff9a211

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 445f5aa84932342ecf5aabcca5d7a7dd
SHA1 f402cf2ee1fed08e1f7af4b5517e886e08a99f6e
SHA256 a6e3667e8cd9f304155aa5905e9014f34f2446a8b970edf7ec8e5d6f61df6044
SHA512 e77f2f1750c5c49423d7fcecbdc8aa6f1feab91bc8c0b2ad288d6d156a57ecb14238de44423fb4e9b22c4107436ec72f181c255819d29cc998713326c04ac871

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 4ba04985ef8f0a640f18924cb663f7f7
SHA1 a8146c736b7febb4e41c093972c5b05a6d4da9d3
SHA256 d5a3b39e56fa56fd885f63ced536dcfc5a5ba7bf30e0867c5ba99e4d73fee7ad
SHA512 aec4194d8166c8f0e333991d0f1901a53e5afe46f06ef5d66c2cc4f28b58e535e44c365adaf8aae39159010094e95c93582d81fd1e8590029efb24e058fb2271

C:\Users\Admin\Documents\SetEnable.doc.exe

MD5 8769bdfa3d092b71edf3c1ff400414ec
SHA1 fe5ff3b329b0181cdbd1eabe3dc88235dfba0a7d
SHA256 e39283c1a5fbf5ad5e5d6ee5dba17e1b8a17cbb118a09e4ad56747f84584aa9a
SHA512 74d81d2f98aa79d04590440f278485865f0ad073fde91e2007f54ebe670a195f73826cd7bc791e9771197c9f14d81f3b610042ec67ce0848c2d9017341109669

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 a13b4a96b174157d6fb2e242feddddf0
SHA1 dd80d5e5a15b73ff29d96031664f15a06464fe30
SHA256 1836d0c3f03b81a20c15d0539064ce5c58627b829545d0ad6daf71505cb83640
SHA512 b2501f0de45cc01583fb55141194bb602ed4be50951e569daad29531c8641bf14f6aaf144825d11cf39aab1345a69f3e2ebb018833c03f43cee7a601cb359c25

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 bee4d0148cefce54a35982e9c19f31ba
SHA1 5a3c437f4ed90bec0a8f2caab3ca48af47264c5c
SHA256 0990321e01b6985f3ae8f85ad3f0de4bf5a9ead913b1cc055d1c02ba321bec0f
SHA512 25b187ddd4c6e36ea9c685bd1fb8e065aa623eb61308ce579cd430ac8d1928d14a271b560ef2dfa93e82ac5b50d023c095cb15e2958f2fd88716bdcc2c84d3d4

memory/892-125-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

memory/892-124-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

memory/892-123-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

memory/892-122-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
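Several of the dropped files above are PE executables named like Office documents (PROTTPLV.DOC.exe, PROTTPLN.DOC.exe, SetEnable.doc.exe, MsoIrmProtector.doc.exe). When Explorer is set to hide known extensions the trailing ".exe" disappears and the file looks like a document, which is the point of the double extension. The script below is an added hunting example, not part of the report: it walks a directory tree for names with a document-like extension followed by an executable one, confirms the file really starts with an MZ header, hashes each hit and compares it against the SHA256 values listed in the Files section. The demo tree it builds is constructed placeholder data, so its hashes will not match the report; on a real host a match identifies the exact dropped file.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values of the "*.doc.exe" drops copied from the Files section above.
KNOWN_BAD_SHA256 = {
    "6c2709802c44dd009388fe7bd54efce26b8f881c1c7d1654c814a377a4af84f3",  # PROTTPLV.DOC.exe
    "360cd52a6bde6f2880828498951e6b9939e7c4d879e45f6cd1220b840de98dd5",  # PROTTPLN.DOC.exe
    "e39283c1a5fbf5ad5e5d6ee5dba17e1b8a17cbb118a09e4ad56747f84584aa9a",  # SetEnable.doc.exe
    "1836d0c3f03b81a20c15d0539064ce5c58627b829545d0ad6daf71505cb83640",  # MsoIrmProtector.doc.exe
    "0990321e01b6985f3ae8f85ad3f0de4bf5a9ead913b1cc055d1c02ba321bec0f",  # MsoIrmProtector.doc.exe
}

# Document-like inner extension followed by an executable outer one.
DOC_EXTS = "doc|docx|docm|dot|dotx|dotm|rtf|xls|xlsx|ppt|pptx|pdf|txt"
DOUBLE_EXT = re.compile(rf"\.({DOC_EXTS})\.(exe|scr|com|pif)$", re.IGNORECASE)


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header every PE carries."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_disguised_executables(root):
    """All files under root whose name has a document/executable double
    extension and whose content is a PE, with hash and IOC match."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and DOUBLE_EXT.search(p.name) and is_pe(p):
            digest = sha256_file(p)
            hits.append({"path": p, "sha256": digest, "known_bad": digest in KNOWN_BAD_SHA256})
    return sorted(hits, key=lambda h: str(h["path"]))


def make_demo_tree(root):
    """Constructed placeholder files mirroring the report's paths; the bytes are
    not the real samples."""
    office = Path(root) / "Program Files" / "Microsoft Office" / "root" / "Office16" / "1033"
    office.mkdir(parents=True)
    (office / "PROTTPLV.DOC.exe").write_bytes(b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
    (office / "PROTTPLV.DOC").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 28)  # OLE2 header
    docs = Path(root) / "Users" / "Admin" / "Documents"
    docs.mkdir(parents=True)
    (docs / "SetEnable.doc.exe").write_bytes(b"MZ" + b"\x00" * 100)
    (docs / "notes.txt.exe").write_bytes(b"this is not a PE")  # double extension, no MZ
    (Path(root) / "mydoc.rtf").write_bytes(b"{\\rtf1 demo}")


def demo():
    """Build the placeholder tree in a temp dir and return the hit file names."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_tree(tmp)
        return [h["path"].name for h in find_disguised_executables(tmp)]


if __name__ == "__main__":
    print(demo())
```

Point it at a mounted disk image or at the Program Files and user-profile trees of a suspect host, and extend DOC_EXTS to the document types your estate uses; the MZ check is what keeps a stray "report.txt.exe" that is really text from cluttering the output.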