Malware Analysis Report

2024-11-13 14:27

Sample ID 240613-e6rawsvaja
Target a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118
SHA256 7a1fef7798f1bd2b7918626286e4a77c51674e9d4fbadf35951b96da6871129e
Tags evasion persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 7a1fef7798f1bd2b7918626286e4a77c51674e9d4fbadf35951b96da6871129e

Threat Level: Known bad

The file a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Checks computer location settings

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-13 04:33

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 04:33
Reported 2024-06-13 04:36
Platform win7-20240611-en
Max time kernel 150s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qncqioku = "ppvujbrfvi.exe" C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zqgebzop = "blybfzebdmfwdqi.exe" C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pzpoowuqldmrj.exe" C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qzjoemzj.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ppvujbrfvi.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ppvujbrfvi.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\blybfzebdmfwdqi.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\blybfzebdmfwdqi.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qzjoemzj.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pzpoowuqldmrj.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
File opened for modification C:\Windows\SysWOW64\qzjoemzj.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pzpoowuqldmrj.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\qzjoemzj.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qzjoemzj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BC2FE6722D9D279D0A18A0B9016" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB8FE64F1E0830F3A4B869E3993B08B02F94315023EE1CA459A08A3" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D789D5682236A3676D277242CD87CF164AB" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC70915E5DABEB8BD7F97ED9137C9" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\blybfzebdmfwdqi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\ppvujbrfvi.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\pzpoowuqldmrj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\SysWOW64\qzjoemzj.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\ppvujbrfvi.exe
PID 2436 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\ppvujbrfvi.exe
PID 2436 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\ppvujbrfvi.exe
PID 2436 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\ppvujbrfvi.exe
PID 2436 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\blybfzebdmfwdqi.exe
PID 2436 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\blybfzebdmfwdqi.exe
PID 2436 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\blybfzebdmfwdqi.exe
PID 2436 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\blybfzebdmfwdqi.exe
PID 2436 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\qzjoemzj.exe
PID 2436 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\qzjoemzj.exe
PID 2436 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\qzjoemzj.exe
PID 2436 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\qzjoemzj.exe
PID 2436 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\pzpoowuqldmrj.exe
PID 2436 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\pzpoowuqldmrj.exe
PID 2436 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\pzpoowuqldmrj.exe
PID 2436 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\pzpoowuqldmrj.exe
PID 2760 wrote to memory of 2488 N/A C:\Windows\SysWOW64\ppvujbrfvi.exe C:\Windows\SysWOW64\qzjoemzj.exe
PID 2760 wrote to memory of 2488 N/A C:\Windows\SysWOW64\ppvujbrfvi.exe C:\Windows\SysWOW64\qzjoemzj.exe
PID 2760 wrote to memory of 2488 N/A C:\Windows\SysWOW64\ppvujbrfvi.exe C:\Windows\SysWOW64\qzjoemzj.exe
PID 2760 wrote to memory of 2488 N/A C:\Windows\SysWOW64\ppvujbrfvi.exe C:\Windows\SysWOW64\qzjoemzj.exe
PID 2436 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2436 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2436 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2436 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2560 wrote to memory of 2280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2560 wrote to memory of 2280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2560 wrote to memory of 2280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2560 wrote to memory of 2280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe"

C:\Windows\SysWOW64\ppvujbrfvi.exe

ppvujbrfvi.exe

C:\Windows\SysWOW64\blybfzebdmfwdqi.exe

blybfzebdmfwdqi.exe

C:\Windows\SysWOW64\qzjoemzj.exe

qzjoemzj.exe

C:\Windows\SysWOW64\pzpoowuqldmrj.exe

pzpoowuqldmrj.exe

C:\Windows\SysWOW64\qzjoemzj.exe

C:\Windows\system32\qzjoemzj.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2436-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\blybfzebdmfwdqi.exe

MD5 409870ab39b67b778c6b09f98a803f2d
SHA1 b9749be8d70c286b26c87cb249e093fdd97ba38b
SHA256 998b15b6b8bef6d00a368ff99228b6f9daa8b86ffc67c94eb4fb99b8573c087b
SHA512 97ae3b6166f7594f5d6e0381314d4e9ba9124cc040a4db0fcaa5d6b42ef3dbe835eb22cb5582bef483a80e93e4108e3702b0b146ca94f033e73d4d40970d4187

\Windows\SysWOW64\ppvujbrfvi.exe

MD5 75723c59cd00b4a389649180831afef8
SHA1 5d3222ddfbb5f8b724ce6f9e87af948fcaf3278b
SHA256 ab626f9a3458fe215f837862b5ca3b310853609a563f12c6007dbd671dbf5caa
SHA512 88737762d7e1b7be301d0acf407db55ea91a61b5a3cd0a1c97e49964c4889984d3c90ea3a2a34568acc4df7441dbcbc37355163c43d8fa268347872788b76beb

\Windows\SysWOW64\qzjoemzj.exe

MD5 001a3f120a03c5c3a4850715abeb5541
SHA1 c7c124728a212efee6df3734fba2419b3298bdef
SHA256 d32dd78c60fc0be6915c8ef115c08510a560d3fb774aadf27d7c0386b957d3e8
SHA512 f7ed196fbcfa73ae5dc7b71ec91a8b5b6d9683faeb1980cfec2cbe332a22d17898bc98d06a869b38bbb145c78359c250bd0c8f52bd10d90ddfaefe64f3ed325c

C:\Windows\SysWOW64\pzpoowuqldmrj.exe

MD5 564654b69b18d76d2aab10fe67813c37
SHA1 b37b2721ac7bff00cd671ddfe0114822e9eb6a30
SHA256 d2d8da2369ee09f37a1b6d43c5dfdb2399ed118fa9ff5d984882ae898ede9972
SHA512 ea68259f2cac3d374f62d3765c6625590b04fb8162757a5c90e2e501533a4845be15abc07a17f8ae54fa01618ca8534725e4d8c31605c0459e440055bb7fb98c

memory/2560-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 fe8f384b58d925c2f4850ead8a552e85
SHA1 1916a120887360bc76e370c38e82baf3c4ca16eb
SHA256 d2317d53ee612fcaac008e6b06c86312ccbd4aa4316cdd49c47a9dd96de91200
SHA512 b52ef067760efebb85f6ed56800ea0381d6ebd0ff9bea023c6c1957659eb588bd6f73be0b9eaded6c9d6f1de9c6f48b04ab00394847fb4af96dcf165b6118d85

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 dc5ef7e60ed56daede20881d80aa3e1e
SHA1 23b7076713eacddc2268ae97353aedfead0a2d52
SHA256 46e50b8c6b014e6fa2892fc5ffeefb6d4647ee1cd299a5295b6af958fd8875d2
SHA512 de546965ddc1d10d7ee55d1252a0b530449c4b360a36013fc5c003ab750056ffba8282ae2a695a721b798a79b2003e890b8c224b50f9ace06a8ce5edb4a66950

memory/1768-85-0x0000000003930000-0x0000000003940000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:33

Reported

2024-06-13 04:36

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\youhviwmvu.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\youhviwmvu.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfptihbv = "youhviwmvu.exe" C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycywreaw = "bolcjqqdetygepm.exe" C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "awxxtfcbqaqkx.exe" C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\youhviwmvu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\youhviwmvu.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\youhviwmvu.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bolcjqqdetygepm.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\awxxtfcbqaqkx.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Windows\SysWOW64\gyxqrrxh.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\youhviwmvu.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Windows\SysWOW64\awxxtfcbqaqkx.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\youhviwmvu.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\youhviwmvu.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bolcjqqdetygepm.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gyxqrrxh.exe C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\InvokeSend.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\InvokeSend.nal C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\InvokeSend.nal C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\gyxqrrxh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\gyxqrrxh.exe N/A
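The two "Drops file" tables above show the same write pattern on every document the sample reaches: an executable named <document>.doc.exe (InvokeSend.doc.exe, PROTTPLV.DOC.exe, MsoIrmProtector.doc.exe) dropped beside the original, with a <document>.nal file written in the same folder. The following hunt is an added example, not part of this sandbox report or its tooling: it walks the drop locations seen here and reports any such companion executable, hashing it against the SHA256 values listed in this analysis's Files section. Widening the match to other Office extensions and the default search roots are assumptions; the report itself only shows .doc.exe.

```powershell
# Added hunt (not from the sandbox report). Finds <document>.<ext>.exe companion
# executables and their <document>.nal siblings, and matches hashes against the
# Files section of this analysis. Extension list beyond .doc is an assumption.

$KnownBadSha256 = @(
    '79b77a0419f1b5bf206184dced1f0af09473b507ef5f94dc837aa10cb4e4cd01'  # InvokeSend.doc.exe
    '8339bf352e207501738dd211206f8d50fb5b4bec666c87899f1a0b8b5b3c2260'  # PROTTPLN.DOC.exe
    'c1f53c1138238dc6999dc8990db0e4a13d079a33b4acea3b1701791e9f7c25e6'  # PROTTPLV.DOC.exe
    '57455b02ca52acb226eb68fb43e2e580dd236512c7a423c3a62c24d0c3486474'  # DismountResolve.doc.exe
    '5fbf008a0fb695f883526e3045a0003ddba1c135a2c698a00b12585348ebe742'  # MsoIrmProtector.doc.exe
)

function Find-CompanionDrops {
    param(
        # Default roots are the locations the report shows writes to; assumed, adjust as needed.
        # Recursing under $env:SystemRoot includes WinSxS and can take a while.
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot, "$env:USERPROFILE\Desktop"),
        [string[]]$KnownSha256 = $KnownBadSha256
    )
    # -match is case-insensitive, so PROTTPLV.DOC.exe matches as well as InvokeSend.doc.exe.
    $pattern = '\.(doc|docx|rtf|xls|xlsx|ppt|pptx)\.exe$'

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $pattern } |
            ForEach-Object {
                $exe  = $_
                $base = $exe.Name -replace '\.exe$', ''                            # InvokeSend.doc
                $stem = [System.IO.Path]::GetFileNameWithoutExtension($base)       # InvokeSend
                $sha  = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{
                    Path       = $exe.FullName
                    SHA256     = $sha
                    KnownBad   = [bool]($sha -and ($KnownSha256 -contains $sha))   # -contains is case-insensitive
                    OriginalPresent = Test-Path -LiteralPath (Join-Path $exe.DirectoryName $base)
                    NalSibling = Test-Path -LiteralPath (Join-Path $exe.DirectoryName "$stem.nal")
                    WrittenUtc = $exe.LastWriteTimeUtc
                }
            }
    }
}

# Usage: list every companion executable found, flagging hashes seen in this report.
Find-CompanionDrops | Format-Table -AutoSize
```

A hit with KnownBad set to $false is still worth pulling: the hashes above are for this one detonation, and a file-infecting dropper produces a different binary per host, so the naming and the .nal sibling are the stable signal, not the hash.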

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B05844E638E352CCB9D0339DD7CE" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\youhviwmvu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFABBF961F1E3837A3A40819A3995B08A03F04261033EE1CB459908A7" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FCFB4F288219903CD7217D96BDEFE633594666466335D69C" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C779D2C83576D4376A077212CAC7CF165DC" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C60B1490DBC7B9BD7CE1ED9F37CE" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\youhviwmvu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\youhviwmvu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BB3FF1F22DCD279D0A68A7B9017" C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\youhviwmvu.exe N/A
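The "Modifies registry class" table shows youhviwmvu.exe pointing the .bat, .vbs, .reg, .wsf, .wsc and .wsh extensions at the txtfile ProgID, so any cleanup script, registry fix or logon script the defender double-clicks opens in Notepad instead of running, while the sample itself leaves a marker key at HKLM\SOFTWARE\Classes\CLV.Classes. The check below is an added triage example, not part of this sandbox report: it compares each handler against the stock Windows ProgID, reads the effective (HKCR) view as well as the HKLM key the sample wrote, and looks for the CLV.Classes marker. The $StockHandlers values are the defaults on a clean Windows 10 install and are an assumption; adjust them for your build.

```powershell
# Added triage check (not from the sandbox report). Flags script extensions
# whose default handler now resolves to "txtfile" or otherwise differs from the
# stock ProgID, and reports the CLV.Classes marker key this sample creates.

$StockHandlers = @{            # clean-install defaults; assumption, adjust per build
    '.bat' = 'batfile'
    '.vbs' = 'VBSFile'
    '.reg' = 'regfile'
    '.wsf' = 'WSFFile'
    '.wsc' = 'scriptletfile'
    '.wsh' = 'WSHFile'
}

function Get-DefaultValue {
    # Returns the (default) value of a registry key, or $null if the key is absent.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.'(default)'
}

function Test-ScriptHandlerHijack {
    param([hashtable]$Expected = $StockHandlers)
    foreach ($ext in ($Expected.Keys | Sort-Object)) {
        # HKLM\SOFTWARE\Classes is where the sample wrote; HKCR is the merged
        # view the shell actually uses (HKCU\Software\Classes overrides HKLM).
        $machine   = Get-DefaultValue "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$ext"
        $effective = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext"
        [pscustomobject]@{
            Extension = $ext
            Expected  = $Expected[$ext]
            Machine   = $machine
            Effective = $effective
            Hijacked  = ($effective -eq 'txtfile') -or
                        ($null -ne $effective -and $effective -ne $Expected[$ext])
        }
    }
}

function Test-SampleMarkerKey {
    # The sample creates CLV.Classes with Com1..Com4 and StartCom1/StartCom2
    # string values; the key existing at all is the indicator.
    $key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLV.Classes'
    if (Test-Path -LiteralPath $key) {
        Get-ItemProperty -LiteralPath $key |
            Select-Object Com1, Com2, Com3, Com4, StartCom1, StartCom2
    }
}

function Restore-ScriptHandler {
    # Opt-in remediation: writes the expected ProgID back as the key's default value.
    param(
        [Parameter(Mandatory)][string]$Extension,
        [Parameter(Mandatory)][string]$ProgId
    )
    $key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$Extension"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $ProgId
}

# Usage (Restore-ScriptHandler needs an elevated prompt):
$findings = Test-ScriptHandlerHijack
$findings | Format-Table -AutoSize
Test-SampleMarkerKey
# $findings | Where-Object Hijacked | ForEach-Object { Restore-ScriptHandler $_.Extension $_.Expected }
```

Run the check before any scripted remediation on a suspected host: with the handlers remapped, a .bat or .reg fix launched from Explorer silently does nothing, which is exactly the effect the sample is after. Restoring the ProgIDs is only the shell-side repair; the dropped SysWOW64 executables and their persistence still have to be removed separately.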

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\youhviwmvu.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\bolcjqqdetygepm.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\awxxtfcbqaqkx.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A
N/A N/A C:\Windows\SysWOW64\gyxqrrxh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\youhviwmvu.exe
PID 3112 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\youhviwmvu.exe
PID 3112 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\youhviwmvu.exe
PID 3112 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\bolcjqqdetygepm.exe
PID 3112 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\bolcjqqdetygepm.exe
PID 3112 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\bolcjqqdetygepm.exe
PID 3112 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\gyxqrrxh.exe
PID 3112 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\gyxqrrxh.exe
PID 3112 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\gyxqrrxh.exe
PID 3112 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\awxxtfcbqaqkx.exe
PID 3112 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\awxxtfcbqaqkx.exe
PID 3112 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Windows\SysWOW64\awxxtfcbqaqkx.exe
PID 3112 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3112 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1064 wrote to memory of 3000 N/A C:\Windows\SysWOW64\youhviwmvu.exe C:\Windows\SysWOW64\gyxqrrxh.exe
PID 1064 wrote to memory of 3000 N/A C:\Windows\SysWOW64\youhviwmvu.exe C:\Windows\SysWOW64\gyxqrrxh.exe
PID 1064 wrote to memory of 3000 N/A C:\Windows\SysWOW64\youhviwmvu.exe C:\Windows\SysWOW64\gyxqrrxh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe"

C:\Windows\SysWOW64\youhviwmvu.exe

youhviwmvu.exe

C:\Windows\SysWOW64\bolcjqqdetygepm.exe

bolcjqqdetygepm.exe

C:\Windows\SysWOW64\gyxqrrxh.exe

gyxqrrxh.exe

C:\Windows\SysWOW64\awxxtfcbqaqkx.exe

awxxtfcbqaqkx.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\gyxqrrxh.exe

C:\Windows\system32\gyxqrrxh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 8.8.8.8:53 roaming.officeapps.live.com udp

Files

memory/3112-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\bolcjqqdetygepm.exe

MD5 2aa715a33d34db9b08d3fad41b20daa6
SHA1 b43b4e7b78b04168bb8bdd8fec68cc9514aab9de
SHA256 4c643fc6106a02155c1d879c7246174038a9780371cc2076300898da07f420b3
SHA512 436535f31e8ea6289673146f0c32bcc148ce9d8ac02f9b69672ce7eec7d30bda90bfb541f1dd833eaf573246b47592ca475cf263056f8383eec363f1229a524c

C:\Windows\SysWOW64\youhviwmvu.exe

MD5 a397301c5a421d3110e557ee12dae517
SHA1 5b1b27ed0e299a395d77a2e6776ccc42b2bd160e
SHA256 3dad4ea15b7fffec42af0a4c06a164f02277df6dc7d0f00928f23bf7e44b47af
SHA512 82000f522eec7bf9d6b668fb049267920a7ac7d56f3d9de699a47e239f8b115b52be3f1fdbb39a29a8268f98810fc499853f681726c1143fc0959c849a912754

C:\Windows\SysWOW64\awxxtfcbqaqkx.exe

MD5 2e7488902cb8b32a48753b8e2a3e7491
SHA1 96a5cf3ee30d97294e316d23fdb62bfc94eb39db
SHA256 ef59cf30fc287d2bc2cfc1b6b71396a3d0b5a025b1aefa168b998ad9a6ccbf32
SHA512 e59189bce0d5365651d8e82efe792cb263cc41da8e98cd13a12ae3c264aef09b7c1bd8cf2ca110ef98b85357f8459d8fb64c3b06111bd4a78d705ba5dd538f43

C:\Windows\SysWOW64\gyxqrrxh.exe

MD5 153bb693bb70257c1d5215b7902253f3
SHA1 2da9ffcd69a8bd625af996f372f93a8336bd50d8
SHA256 3517620eaec1639b5fdcee18e45b54dfe5750e432d0215235780f55231592bc2
SHA512 743aedbf0d5fdc924a7a84d3f7455cdbafc77b6b0eac85428f9c5dceab7c17dde7105381be377e8082312af4e4fc2ba9a7634514df280368aaf6ee5e46b2c79c

memory/4968-35-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/4968-36-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/4968-37-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/4968-38-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/4968-39-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/4968-40-0x00007FFCA7390000-0x00007FFCA73A0000-memory.dmp

memory/4968-41-0x00007FFCA7390000-0x00007FFCA73A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\InvokeSend.doc.exe

MD5 680cf6820b893368ddbbae6f888bb556
SHA1 232e864d29f5f69d1fa9eb57e5e11d80ea560cbe
SHA256 79b77a0419f1b5bf206184dced1f0af09473b507ef5f94dc837aa10cb4e4cd01
SHA512 1c84172e2e3812b4b6008f01cba6af339aaf6d456153971f1473a2c102c4ac2c7712a2f639b4e0690527bdaf5118bf85427c325668fa66ee458a4b420c6014e6

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 142ee775e95ade3b0506ac99a344e1e6
SHA1 7cab6589cd4bf30943e2ae53caee3111d3dac338
SHA256 8339bf352e207501738dd211206f8d50fb5b4bec666c87899f1a0b8b5b3c2260
SHA512 af93fb8f7d0a1c8cb1833b801ee4c78b52f41930dcd8b9e6e18f21162c5dc44e79d755254145a45728abe0f5f4e8b1f4c2a2641dcce3a766aee428eccbe491e0

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 8e88428409eee8b27193e509f7565fa1
SHA1 ee1a6145f6e1aa29270b57c3f9ba2506c05ccce6
SHA256 c1f53c1138238dc6999dc8990db0e4a13d079a33b4acea3b1701791e9f7c25e6
SHA512 1b050294d751d1bc0bd63f92d74570e68728fe55b8abc7b6c788a27c6ab8c7bec498717304ed8aadd4be8c755fd06c7003a3a2e8834ff371fca4ffacb2f315ea

C:\Users\Admin\Desktop\DismountResolve.doc.exe

MD5 9b93d392101a800cae76595335269823
SHA1 1679ee0b2e04c3e0c542fd318178ec7e0468a503
SHA256 57455b02ca52acb226eb68fb43e2e580dd236512c7a423c3a62c24d0c3486474
SHA512 537fbc414193ced82b81327379a259a1e6cbd61b209d0e523e4f38038f33825cec3bd10d988eeec25dea96f8f221ead947271617fdfb605140a570642a643e48

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ae1e9a33488b618ca6c3d26627fdba8a
SHA1 455e344e3f9a9d004fcbcf748ea4776dada5278a
SHA256 01bd815591c48ec786cadccf446df8b948e8504fdbfc477118901cc49a388cd5
SHA512 fecc08de32bc22bbcac10ee3089cf041b4d7cdef06617294bad485a7d10c673d40863006b2b044250056eed93d8a80d6ccd2d6c07ba62bbca96a080d6722e5ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 1af8ee46bd5b3ad794faf4a88ba9215d
SHA1 2791143bde7d7ede72cf4fd771dccf112fd1aea0
SHA256 d2560b91ee6d8cd16760517bef6194794e84493d75c41984f222f266e1d13d24
SHA512 f61a2e3bd6d5ea148bf4b647c12c08465ca3996a3ee3d6df47d57eb145dbd68f323f05fed1b8c9a072845ee74be67a1c28766fd0a9357e5336c92abd3c702ac2

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 d05f3760517def08d9f25a8b0582b414
SHA1 a5b546df6a0a419f160d579d0486e43d36fb2b43
SHA256 5fbf008a0fb695f883526e3045a0003ddba1c135a2c698a00b12585348ebe742
SHA512 8c1da98ef91286b939f004dfee67578183c9a88968f7c0d07e90e9961a761593fdf87a7ada9706338950df76b4a6f779fc4767f867eb0f78865ba94e58618707

memory/4968-123-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/4968-126-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/4968-125-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

memory/4968-124-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp