Malware Analysis Report

2024-11-13 14:27

Sample ID 240613-fbwskayarj
Target a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118
SHA256 96b225fb8a884b687523bc93abf93879662f3b8fba963e151fa49718fe41d03a
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96b225fb8a884b687523bc93abf93879662f3b8fba963e151fa49718fe41d03a

Threat Level: Known bad

The file a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Executes dropped EXE

Windows security modification

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:42

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:42

Reported

2024-06-13 04:44

Platform

win7-20240220-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\smebyecwjl.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dlhpbbyu = "smebyecwjl.exe" C:\Windows\SysWOW64\iencrmpuduwuxbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fvwfriop = "iencrmpuduwuxbc.exe" C:\Windows\SysWOW64\iencrmpuduwuxbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bbgssnjykgbhz.exe" C:\Windows\SysWOW64\iencrmpuduwuxbc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\smebyecwjl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\smebyecwjl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\smebyecwjl.exe N/A
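The registry writes listed under the evasion and persistence signatures above (Explorer visibility, Security Center overrides, DisableRegistryTools, the Run keys and the Winlogon SFC values) are the part of this report a responder acts on. What follows is an added triage script written for this page, not the sandbox's or the sample's code: it parses the "Set value" rows of the tables above, maps each to what it does on the host, and, on Windows only, re-reads the same values from a live machine in both the native and the WOW64 registry view, since the sample is a 32-bit process and its HKLM\SOFTWARE writes land under Wow6432Node. It also folds in the .bat/.reg/.wsh/.wsf/.wsc-to-txtfile re-associations from the "Modifies registry class" table further down, because the same dropped process writes them. Two caveats are built in: the "Windows security bypass" and "Windows security modification" signatures list the same Security Center writes, so rows are deduplicated; and SFCDisable = 4294967197 (0xFFFFFF9D) only disabled Windows File Protection on Windows 2000/XP, while Windows Resource Protection on Vista and later ignores it, so on the win7 platform this detonation ran on it is a fingerprint rather than an effective bypass. The "hardened" values, the SAMPLE_ROWS subset and the live-host audit are assumptions of the example, not sandbox output.

```python
"""Triage this report's 'Set value' rows against the registry settings the
sample tampers with, then (Windows only) re-check the same values on a live host.
Added example for this page, not the sandbox's tooling. POLICY is assembled from
the indicators above plus documented Windows semantics; the hardened values are
the example's choice; SAMPLE_ROWS is a constructed subset copied from the report."""
import re
import sys

# One 'Set value' row of the Description / Indicator / Process / Target tables.
ROW = re.compile(r'^Set value \((?P<kind>int|str|data)\) (?P<path>\\REGISTRY\\.+?) = '
                 r'"(?P<data>.*)" (?P<process>.+?) N/A$')

# normalised path (lower case, hive abbreviated, Wow6432Node removed)
#   -> (what the write does on the host, value a hardened host should carry)
SC = "hklm\\software\\microsoft\\security center\\"
EXPL = "hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\"
WL = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"
POLICY = {
    SC + "antivirusoverride": ("Security Center stops tracking antivirus state", "0"),
    SC + "antivirusdisablenotify": ("no 'antivirus is off' notification", "0"),
    SC + "firewalloverride": ("Security Center stops tracking firewall state", "0"),
    SC + "firewalldisablenotify": ("no 'firewall is off' notification", "0"),
    SC + "updatesdisablenotify": ("no 'updates are off' notification", "0"),
    SC + "firstrundisabled": ("Security Center first-run flag, set with the overrides", "0"),
    "hkcu\\software\\microsoft\\windows\\currentversion\\policies\\system\\disableregistrytools":
        ("regedit.exe refuses to start for this user", "0"),
    EXPL + "hidefileext": ("extensions hidden: PROTTPLV.DOC.exe displays as PROTTPLV.DOC", "0"),
    EXPL + "showsuperhidden": ("hidden and system files not shown", "1"),
    WL + "sfcdisable": ("0xFFFFFF9D disabled File Protection on 2000/XP; WRP on Vista+ ignores it", "0"),
    WL + "sfcscan": ("0 is the default; notable only because written with SFCDisable", "0"),
}
SCRIPT_EXTS = {".bat", ".reg", ".wsh", ".wsf", ".wsc"}

def normalise(path):
    """Abbreviate the hive, drop the user SID and the WOW64 redirection node."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", lambda m: "HKLM\\", path)
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", lambda m: "HKCU\\", path)
    return path.replace("Wow6432Node\\", "")

def classify(path, data):
    """(effect, hardened value) for a tampered setting, None for noise."""
    low = path.lower()
    if low in POLICY:
        return POLICY[low]
    key, _, name = low.rpartition("\\")  # name == "" is the key's (Default) value
    if key.endswith("\\currentversion\\run"):
        return ("autorun entry %s -> %s" % (name or "(default)", data), None)
    parent, _, ext = key.rpartition("\\")
    if parent.endswith("\\classes") and ext in SCRIPT_EXTS and name == "" and data == "txtfile":
        return ("%s files now open in Notepad instead of running" % ext, None)
    return None

def triage(rows):
    """Parse report rows; return each tampered setting once, with the writing process."""
    findings, seen = [], set()
    for line in rows:
        m = ROW.match(line.strip())
        hit = m and classify(normalise(m["path"]), m["data"])
        if not hit or (m["path"], m["data"]) in seen:
            continue  # noise, or the same write listed under two signatures
        seen.add((m["path"], m["data"]))
        findings.append({"path": normalise(m["path"]), "data": m["data"],
                         "process": m["process"], "effect": hit[0], "expected": hit[1]})
    return findings

def live_audit():
    """Windows only: read each POLICY value from the native and the WOW64 view and
    return those not at the hardened value. Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"hklm": winreg.HKEY_LOCAL_MACHINE, "hkcu": winreg.HKEY_CURRENT_USER}
    bad = []
    for full, (effect, expected) in POLICY.items():
        hive, _, rest = full.partition("\\")
        subkey, _, name = rest.rpartition("\\")
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                with winreg.OpenKey(hives[hive], subkey, 0, winreg.KEY_READ | view) as k:
                    value = winreg.QueryValueEx(k, name)[0]
            except OSError:
                continue  # key or value absent
            if str(value) != expected:
                bad.append((full, view == winreg.KEY_WOW64_32KEY, value, effect))
    return bad

# Constructed sample: rows copied from this report, including one duplicate
# (AntiVirusOverride is listed under two signatures) and one benign WINWORD row.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\smebyecwjl.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dlhpbbyu = "smebyecwjl.exe" C:\Windows\SysWOW64\iencrmpuduwuxbc.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bbgssnjykgbhz.exe" C:\Windows\SysWOW64\iencrmpuduwuxbc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\smebyecwjl.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\smebyecwjl.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["process"], "wrote", f["path"], "=", f["data"], "::", f["effect"])
```

Run against the full report, the parser drops every WINWORD.EXE row (none of them hits POLICY) and leaves the two dropped SysWOW64 executables as the only writers; running live_audit on a suspect host flags the same keys whichever view the 32-bit dropper wrote them in. HideFileExt = 1 is the Windows default, so on its own it proves nothing; it matters here because the sample also writes PROTTPLV.DOC.exe into the Office directory, which Explorer then shows as a document.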

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\iencrmpuduwuxbc.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bqbxpysf.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bqbxpysf.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bbgssnjykgbhz.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\smebyecwjl.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\iencrmpuduwuxbc.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bbgssnjykgbhz.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\smebyecwjl.exe N/A
File created C:\Windows\SysWOW64\smebyecwjl.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bqbxpysf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\smebyecwjl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFAB1F963F1E3840B3B35819B3E94B08B03F14216023CE2BD429B08A9" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB9FE6C22D8D272D0D38B099016" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\smebyecwjl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\smebyecwjl.exe N/A
N/A N/A C:\Windows\SysWOW64\iencrmpuduwuxbc.exe N/A
N/A N/A C:\Windows\SysWOW64\bqbxpysf.exe N/A
N/A N/A C:\Windows\SysWOW64\bbgssnjykgbhz.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\smebyecwjl.exe
PID 1640 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\iencrmpuduwuxbc.exe
PID 1640 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\bqbxpysf.exe
PID 1640 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\bbgssnjykgbhz.exe
PID 3052 wrote to memory of 2440 N/A C:\Windows\SysWOW64\smebyecwjl.exe C:\Windows\SysWOW64\bqbxpysf.exe
PID 2224 wrote to memory of 2584 N/A C:\Windows\SysWOW64\iencrmpuduwuxbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bbgssnjykgbhz.exe
PID 1640 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2916 wrote to memory of 1612 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe"

C:\Windows\SysWOW64\smebyecwjl.exe

smebyecwjl.exe

C:\Windows\SysWOW64\iencrmpuduwuxbc.exe

iencrmpuduwuxbc.exe

C:\Windows\SysWOW64\bqbxpysf.exe

bqbxpysf.exe

C:\Windows\SysWOW64\bbgssnjykgbhz.exe

bbgssnjykgbhz.exe

C:\Windows\SysWOW64\bqbxpysf.exe

C:\Windows\system32\bqbxpysf.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c bbgssnjykgbhz.exe

C:\Windows\SysWOW64\bbgssnjykgbhz.exe

bbgssnjykgbhz.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1640-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\iencrmpuduwuxbc.exe

MD5 bbe89e395a9b1dffda456ba1fcc6039d
SHA1 abc9d34aa348f7c21e0f4613800eafc752b2b386
SHA256 6a5a1cf3c0e79900251f6186fcc832888cdbc3adedfcc305eb0b9c31fa810061
SHA512 c2fd74b52fe9272da49417604106423fe0d957c0489286f90ea7e71f5f4b2c5c88a2b72c587767858ace572bc476043a7864fb18d12b6807b4b4b9bbbaf30285

\Windows\SysWOW64\smebyecwjl.exe

MD5 dbb1cf82bf81f3ada87e24879625b3ff
SHA1 0d04934e1e71e574526268aae8b63c54c99c2be7
SHA256 d1cf672636117e67cb904e476fd72ca15733617a0a2d3899c2322f275b8f5b4c
SHA512 0e376ffc85f099cf46ca983c6e21b81df1ec31861e844371925deaa5d0dac371dff345cfb8cd321bd224e19264aa84b22e031e059fc3b0ea0555079337524a2b

\Windows\SysWOW64\bqbxpysf.exe

MD5 39c2e71505c91dfb800b06e203b96e1d
SHA1 f1408ba0e956eec7b2bb7f7ac7bc15fad8b2916a
SHA256 651a859bfed21004895f05874c7f00061ffd36ab1855f63995a76db9b92d7725
SHA512 a8fa82b96ba81f5990fd2a1edd9b2523d8c8a6c35044c999c07a5389bf9746ead90d7b3fb8dc2ca7560728758a6f502e29592840053b0c31ea39e9e2eeb31a86

\Windows\SysWOW64\bbgssnjykgbhz.exe

MD5 f6f725bde5a11596804a247197fb80db
SHA1 37318209575f87b7de8ea0379933d963b2848b83
SHA256 d31e685dba7f315a9db570175cc808c6a50195bc9fd3a3b72be87537cbb4955d
SHA512 cf70138de647904ef7e32d772ecf52057bac51980837301c7072ce11c42f4ee67789f1dfadb942e5e0ed63b120fb6e0c21b04765c2416ad1a066a8142770e56f

memory/2916-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 36c05e1fef9c02c78798266062e07b64
SHA1 6d7cb44100c0cd37280713ba5cd16f96f50e8fe3
SHA256 6b0dcb48b591e8b524c3d59cc7a9c0da210669b4c6074c25f30ebb48318e883c
SHA512 9dc6a4371e422fa31c9e8db969908d60414d39d1c77c6b41a33ef7691f62981b33342ac1d921c9bed8aa6d4ec3588e8a38d98ef250e4704d799c21eafd4824cc

memory/2916-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:42

Reported

2024-06-13 04:45

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ryaxjnnv = "gkbxbblfpu.exe" C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhewjryq = "chyirpliscvridn.exe" C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kagcvjkayfinl.exe" C:\Windows\SysWOW64\chyirpliscvridn.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zetofspu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zetofspu.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\gkbxbblfpu.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zetofspu.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kagcvjkayfinl.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kagcvjkayfinl.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created C:\Windows\SysWOW64\gkbxbblfpu.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\chyirpliscvridn.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zetofspu.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created C:\Windows\SysWOW64\chyirpliscvridn.exe C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zetofspu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zetofspu.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B12F449539ED53C8B9D133EED4B8" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368C3FE1C22D0D27AD0A08A0C9017" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C0A9C5282576A3E76D270532CD87C8E65DC" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFABCFE64F190840B3A4186973998B38C028C4215023BE1BE429D08A4" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFFF9482785129045D72D7DE5BD97E6405941674E6330D798" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67915E7DBC7B8CE7FE6EC9737C8" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
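The rows above show gkbxbblfpu.exe repointing the default handler of every script-type extension (.bat, .vbs, .wsf, .wsh, .wsc, .reg) to "txtfile", so a double-clicked cleanup script or .reg fix opens in Notepad instead of running, while the original sample stores opaque values under its own HKLM\SOFTWARE\Classes\CLV.Classes key. The script below is an added example, not part of the report or of the sample: it parses rows in the report's own format, flags extension handlers that differ from the stock ProgID, collects the CLV.Classes values as host-based IOCs, and emits a .reg fragment that restores the defaults. The stock ProgIDs in EXPECTED_PROGID are an assumption to confirm against a clean host of the same Windows build.

```python
"""Added example (not part of the sandbox report or the sample's code).

Parses 'Modifies registry class' rows, flags file-extension handlers that
were repointed, collects values written under the malware's CLV.Classes key,
and builds a .reg fragment restoring the stock handlers.
"""
import re

# Stock default ProgIDs for the extensions touched in the report.
# Assumed values: confirm against a clean reference machine.
EXPECTED_PROGID = {
    ".bat": "batfile",
    ".vbs": "VBSFile",
    ".wsf": "WSFFile",
    ".wsh": "WSHFile",
    ".wsc": "scriptletfile",
    ".reg": "regfile",
}

# Rows copied from the report's table (constructed input for the demo).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B12F449539ED53C8B9D133EED4B8" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368C3FE1C22D0D27AD0A08A0C9017" C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
""".strip().splitlines()

# Default value of an extension key:  ...\Classes\.ext\ = "ProgID" <process>
EXT_DEFAULT_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
    r'(?P<ext>\.[A-Za-z0-9]+)\\ = "(?P<progid>[^"]*)" (?P<proc>\S+)'
)
# Named value under any other Classes subkey:  ...\Classes\<key>\<name> = "value"
NAMED_VALUE_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
    r'(?P<key>[^\\ ]+)\\(?P<name>[^\\ ]+) = "(?P<value>[^"]*)"'
)


def extension_hijacks(rows):
    """(ext, observed ProgID, expected ProgID, writing process) for every
    extension whose default handler differs from the stock value."""
    findings = []
    for row in rows:
        m = EXT_DEFAULT_RE.search(row)
        if not m:
            continue
        ext = m["ext"].lower()
        expected = EXPECTED_PROGID.get(ext)
        if expected and m["progid"].lower() != expected.lower():
            findings.append((ext, m["progid"], expected, m["proc"]))
    return findings


def custom_class_values(rows):
    """Named values written under non-extension Classes subkeys, e.g. the
    sample's CLV.Classes store, keyed as 'subkey\\name'."""
    values = {}
    for row in rows:
        m = NAMED_VALUE_RE.search(row)
        if m and not m["key"].startswith("."):
            values[f'{m["key"]}\\{m["name"]}'] = m["value"]
    return values


def restore_reg(findings):
    """A .reg fragment resetting each hijacked extension to its stock ProgID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for ext, _observed, expected, _proc in findings:
        lines += [f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\{ext}]", f'@="{expected}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hijacks = extension_hijacks(SAMPLE_ROWS)
    for ext, observed, expected, proc in hijacks:
        print(f"{ext:5} -> {observed!r:12} (expected {expected}) by {proc}")
    for name, value in custom_class_values(SAMPLE_ROWS).items():
        print(f"IOC value {name} = {value}")
    print(restore_reg(hijacks))
```

Because .reg itself is mapped to "txtfile" on an infected host, apply the generated fragment with `reg.exe import` from a command prompt rather than by double-clicking it, and verify afterwards with `reg query HKLM\SOFTWARE\Classes\.bat /ve`.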

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\gkbxbblfpu.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\kagcvjkayfinl.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\chyirpliscvridn.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A
N/A N/A C:\Windows\SysWOW64\zetofspu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5076 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\gkbxbblfpu.exe
PID 5076 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\gkbxbblfpu.exe
PID 5076 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\gkbxbblfpu.exe
PID 5076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\chyirpliscvridn.exe
PID 5076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\chyirpliscvridn.exe
PID 5076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\chyirpliscvridn.exe
PID 5076 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\zetofspu.exe
PID 5076 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\zetofspu.exe
PID 5076 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\zetofspu.exe
PID 5076 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\kagcvjkayfinl.exe
PID 5076 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\kagcvjkayfinl.exe
PID 5076 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\kagcvjkayfinl.exe
PID 1888 wrote to memory of 4224 N/A C:\Windows\SysWOW64\gkbxbblfpu.exe C:\Windows\SysWOW64\zetofspu.exe
PID 1888 wrote to memory of 4224 N/A C:\Windows\SysWOW64\gkbxbblfpu.exe C:\Windows\SysWOW64\zetofspu.exe
PID 1888 wrote to memory of 4224 N/A C:\Windows\SysWOW64\gkbxbblfpu.exe C:\Windows\SysWOW64\zetofspu.exe
PID 5076 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 5076 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
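The WriteProcessMemory rows above repeat each writer/target pair two or three times, which is what a parent produces while starting a child, and every target PID here is one of the processes enumerated in the Processes section. Collapsing the rows into one edge per pair turns the table into the process lineage (the sample starts four droppers plus WINWORD.EXE; gkbxbblfpu.exe starts a second zetofspu.exe). The script below is an added example, not part of the report: it parses rows in the report's format, counts writes per pair, and renders the tree from the sample's PID. The rows embedded as SAMPLE_ROWS are copied from the table as constructed input.

```python
"""Added example (not part of the sandbox report).

Collapses 'wrote to memory of' rows into one edge per (writer, target) PID
pair, keeps the image paths and write counts, and prints the tree rooted at
the process that writes but is never written to.
"""
import re
from collections import defaultdict

# Rows copied from the report's table (constructed input for the demo).
SAMPLE_ROWS = r"""
PID 5076 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\gkbxbblfpu.exe
PID 5076 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\gkbxbblfpu.exe
PID 5076 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\gkbxbblfpu.exe
PID 5076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\chyirpliscvridn.exe
PID 5076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\chyirpliscvridn.exe
PID 5076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\chyirpliscvridn.exe
PID 5076 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\zetofspu.exe
PID 5076 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\zetofspu.exe
PID 5076 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\zetofspu.exe
PID 5076 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\kagcvjkayfinl.exe
PID 5076 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\kagcvjkayfinl.exe
PID 5076 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Windows\SysWOW64\kagcvjkayfinl.exe
PID 1888 wrote to memory of 4224 N/A C:\Windows\SysWOW64\gkbxbblfpu.exe C:\Windows\SysWOW64\zetofspu.exe
PID 1888 wrote to memory of 4224 N/A C:\Windows\SysWOW64\gkbxbblfpu.exe C:\Windows\SysWOW64\zetofspu.exe
PID 1888 wrote to memory of 4224 N/A C:\Windows\SysWOW64\gkbxbblfpu.exe C:\Windows\SysWOW64\zetofspu.exe
PID 5076 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 5076 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
""".strip().splitlines()

# Writer image is matched lazily up to its first '.exe ' so that a target
# path containing spaces (Program Files) is still captured whole.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>.+\.exe)\s*$",
    re.IGNORECASE,
)


def memory_write_edges(rows):
    """{(writer_pid, target_pid): {'src': image, 'dst': image, 'count': n}}"""
    edges = {}
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {"src": m["src_img"], "dst": m["dst_img"], "count": 0})
        edge["count"] += 1
    return edges


def roots(edges):
    """PIDs that write to others but are never written to themselves."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def write_tree(edges, root_pid):
    """One indented line per process, children ordered by PID."""
    children = defaultdict(list)
    images = {}
    for (src, dst), e in edges.items():
        children[src].append(dst)
        images.setdefault(src, e["src"])
        images[dst] = e["dst"]
    lines = []

    def walk(pid, depth, count):
        tag = f" ({count} writes from parent)" if count else ""
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}{tag}")
        for child in sorted(children[pid]):
            walk(child, depth + 1, edges[(pid, child)]["count"])

    walk(root_pid, 0, 0)
    return lines


if __name__ == "__main__":
    edges = memory_write_edges(SAMPLE_ROWS)
    for root in roots(edges):
        print("\n".join(write_tree(edges, root)))
```

Read the result as lineage rather than as proof of injection: the pairs here all coincide with process creation. A write into a process that was already running and that the writer did not start is the case to chase as code injection.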

Processes

C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe"

C:\Windows\SysWOW64\gkbxbblfpu.exe

gkbxbblfpu.exe

C:\Windows\SysWOW64\chyirpliscvridn.exe

chyirpliscvridn.exe

C:\Windows\SysWOW64\zetofspu.exe

zetofspu.exe

C:\Windows\SysWOW64\kagcvjkayfinl.exe

kagcvjkayfinl.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\zetofspu.exe

C:\Windows\system32\zetofspu.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/5076-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\chyirpliscvridn.exe

MD5 00b855f298e0f772b744a81f02195776
SHA1 a4c7ecd3c46fb973909a13968c2502cb3bb16d7a
SHA256 5101bc7379bfd040d796496974cd8b7f0dc9a79428a93bd7d19114a11298efad
SHA512 14529f4e8d7985b962076a564d208a2912fcb184be4a4b05fb96a19526141ee0f243cd7fd6409f4b86acedd3ca621cd80daf474b9f9113a915baec71de270515

C:\Windows\SysWOW64\gkbxbblfpu.exe

MD5 410fb8b91113eec7e362e71d9133b8a8
SHA1 4a04f040d1808118176a53ba59e1a67174e1183c
SHA256 572e59f5ed2991215dc5c49c2870e5d877d962a9d24d0fae9892a4402c3ddf1f
SHA512 80d1ec4bf3c576a2f0d2b9cc3614a5e0bfae8c88427aa869b0b5a6c30cdb7cb57ff99dcbe4ea0805879aec8500868e5c9f8a6c8266c7988802dbf49aec0c7fea

C:\Windows\SysWOW64\kagcvjkayfinl.exe

MD5 d0498a7e1c5790c226b712220979dca4
SHA1 f9e59a88c6d582c138c908ef1810f39a8c60f9ed
SHA256 a29f19f5544fbb3158ba9301b7d11f8384cd85ace0bc34f3eaec5821e785b8f2
SHA512 5d5c1e5212250ef0cc843d74cbb764886cfc05f56ee2670777f8991a551579cd422ee1389187074d8ce13c1ad5876c2d348afe5d95c4024b5514d7312e36bd5a

C:\Windows\SysWOW64\zetofspu.exe

MD5 be9298a812c66637a2139c9cf434cd55
SHA1 084b6dd49f37cb159482ce7794e9191385ef0bf9
SHA256 6574432d01c0e63dfec7f7b228576accb58d310373b8322a9db1c02d7511bec1
SHA512 7fdd1bc061208b9202be5d811dfc3b7ce1ed88e1a6ac92c7175cb2c9163018ebf547dc7010cf7803d22993b00777a623323f40283ca92e3b94a97662bdce7642

memory/1284-37-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

memory/1284-38-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

memory/1284-39-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

memory/1284-40-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

memory/1284-41-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

memory/1284-42-0x00007FFED4BE0000-0x00007FFED4BF0000-memory.dmp

memory/1284-43-0x00007FFED4BE0000-0x00007FFED4BF0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 3590a4ffa2f0eb2d3bbe65e88b044589
SHA1 5325523da1847c9455c2e5160a128b8939674af4
SHA256 6f9b7ed96fbc50c833161b4c23a8226f9706d3772b8332073ec078badfc32fc3
SHA512 1b4efee9e8a3c6be7bd7fa3f4c060fc16aedd148a53521bb89c77f61cb62ed98a9931f63ea9bb2460ba3b4080926f093d431a9e49ee81dc5cc7dcabeaaab0a63

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 8e6e5bc910b9911bd4d38b06f6ba19b6
SHA1 aa0d589796ac6dfa3969930f35c1aaac97ad317d
SHA256 989e457fd7c88c88392d5d40ff8e9c62657f2d889117a2c41fdb21c9469f5f71
SHA512 5b6c82fb3cff042454d4fc460b0917105735c1b2c4c02dcb4ebd889f80ffb73723a897da4f8169a8a59ed79430da7ef21311ef55c052db637a2c9c382d8aa176

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e9c4bc67e190134c3a96709ba0be93cc
SHA1 422ec2f478b9ec6f798d92c86bc25708976baba4
SHA256 3acfe6b16d12349232d290eeeb40a800015a14a27c6a431b6ff9f3c71481534f
SHA512 0500c74b18dc38f40fddac67aed69310d75562dc967ee22ad67f6e87b5122852c205d94df3739196d92414dc55d1cf0253f057ba87950221fb799d7c7a2b2b2c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 d2aa39f3e8d9eccc12128c53e4c428a4
SHA1 8d6cf827cf5e62dc31a468c860eb92a5573c0294
SHA256 b3ba80098f3eb6b6c597e6c1c525b7eff5e0df9db5de510713786882b587c41e
SHA512 d28f625e9639bcb835fa2174e226a80879206a3fbf162ca775290d3b7075aa5bb2444f752c08a3528c0d5f559c6bd6ff4883e4f3b9c4cefe4421d26de3d78d50

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 1a0bd2069e74c29c2fd9ce81736debae
SHA1 ae914d28c721ca21640f468cac7aab73cb3c7d60
SHA256 7f523d9a4c6a7d850e6c29101930208b214b43f2bdd63f3daab816b2c8b04075
SHA512 0def22fbad98e6aa99fdc743f5f38b49b9c1f9e2eb918ab2cfd511140ce9fe578aec4dcda2cb02d2b5978e9362d691432766aab7b749fefe85cc2062583f170a

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 bde0b944d12eca94441e1754bee52f1d
SHA1 6fa50b00da72e3571b32eeb6dcdbe17e763dbf98
SHA256 673699d5083b76afc6dd4a609e1933941e7ed04f0ddc34b0bc403b057310a854
SHA512 567de4439869f4f928845f6cceb760c6e91006f1eb9daba271d05d7f8b727edb5b290b343fbbc3c07fd7d3ca14c8e36c7063864057180294e7a1031494a1c956

memory/1284-111-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

memory/1284-112-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

memory/1284-110-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

memory/1284-113-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp
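Among the files above are document-named executables written where Office keeps its templates and IRM components: PROTTPLN.DOC.exe and PROTTPLV.DOC.exe under Program Files\Microsoft Office\root\Office16\1033, and MsoIrmProtector.doc.exe under SysWOW64\MSDRM. Names of that shape (a document extension followed by .exe) are a cheap thing to hunt for across an estate. The scanner below is an added example, not part of the report: it walks a directory tree and flags files whose name carries a document extension followed by .exe, and files with a plain document extension whose content starts with an MZ header. The fixture it builds for the demo is constructed, and the extension list in DOC_EXTS is an assumption to extend for the environment.

```python
"""Added example (not part of the sandbox report).

Hunts a directory tree for document-named executables like the
PROTTPLN.DOC.exe / MsoIrmProtector.doc.exe artifacts in the Files list.
"""
import re
import tempfile
from pathlib import Path

# Document extensions to watch (assumed list; extend as needed).
DOC_EXTS = ("doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf")
DOUBLED_RE = re.compile(r"\.(?:" + "|".join(DOC_EXTS) + r")\.exe$", re.IGNORECASE)
DOC_ONLY_RE = re.compile(r"\.(?:" + "|".join(DOC_EXTS) + r")$", re.IGNORECASE)


def is_pe(path):
    """True if the file starts with the MZ signature of a PE image."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def scan(root):
    """Sorted (relative_path, reason) pairs for suspicious files under root."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if DOUBLED_RE.search(path.name):
            reason = "document name with appended .exe"
            if is_pe(path):
                reason += ", PE content"
            hits.append((rel, reason))
        elif DOC_ONLY_RE.search(path.name) and is_pe(path):
            hits.append((rel, "document extension but PE content"))
    return sorted(hits)


def build_fixture(root):
    """Constructed files for the demo: two planted artifacts, two benign files."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    files = {
        "Office16/1033/PROTTPLN.DOC.exe": pe_stub,      # doubled extension, PE
        "Office16/1033/report.docx": pe_stub,           # document name hiding a PE
        "Office16/1033/legit.rtf": b"{\\rtf1\\ansi Hello}",  # benign RTF
        "tools/setup.exe": pe_stub,                     # ordinary executable
    }
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the fixture in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

On a live host point scan() at the Office root and at SysWOW64\MSDRM first, then widen; a hit whose hash matches one of the SHA256 values listed above confirms this sample rather than a look-alike.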