Malware Analysis Report

2024-11-16 13:22

Sample ID 240614-ftyd4szerp
Target a81b54183962d320b915383292f0f750_JaffaCakes118
SHA256 f73a49608e21884caf0716fdfe24f2df54c105e30906971a5ecee65da5c9e869
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

f73a49608e21884caf0716fdfe24f2df54c105e30906971a5ecee65da5c9e869

Threat Level: Known bad

The file a81b54183962d320b915383292f0f750_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer
Windows security bypass
Modifies visibility of file extensions in Explorer
Disables RegEdit via registry modification
Loads dropped DLL
Windows security modification
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Enumerates connected drives
Modifies WinLogon
Adds Run key to start application
AutoIT Executable
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 05:10

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 05:10

Reported

2024-06-14 05:13

Platform

win7-20240611-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bbyxzgts = "dvxnsgsmlh.exe" C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icwicyfl = "ddesmzanjwpiaey.exe" C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dajnsgqydykma.exe" C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z: (every letter except c:, d: and f:; repeated rows collapsed) C:\Windows\SysWOW64\ogzbujjx.exe N/A
File opened (read-only) \??\a: through \??\z: (every letter except c:, d: and f:; repeated rows collapsed) C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
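
The Explorer, Security Center, RegEdit policy, Run and Winlogon tables above are the registry-level core of this sample, and those values are the ones worth turning into host checks. The Python below is an added example, not part of the sandbox output: it parses flattened "Set value" rows in the report's own layout, maps the kernel-style paths to the HKLM/HKU form used in hunt queries, strips the Wow6432Node redirection the 32-bit sample wrote through, and tags the known tampering. The rule list is the editor's own and covers only the keys this sample touched. Two details it makes explicit: the third Run row writes the key's default value (the report prints it as Run\ = ...), so the classifier names it (Default); and SFCDisable = 4294967197 is 0xFFFFFF9D, i.e. -99 as a signed DWORD, the legacy Windows 2000/XP switch for Windows File Protection, which Vista and later replaced with Windows Resource Protection.

```python
"""Triage registry 'Set value' rows from the behavioral1 signature tables.

Added example; the rows below are copied from this report, the rule set
is the editor's own and covers only the keys this sample touched.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed subset of the signature tables above, one flattened row per line.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bbyxzgts = "dvxnsgsmlh.exe" C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dajnsgqydykma.exe" C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
"""

# Description, value type, registry path, quoted data, writing process, target.
ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (.+?) N/A$')


@dataclass
class RegSet:
    vtype: str
    key: str
    name: str
    data: str
    process: str


def normalize(path: str):
    """Kernel path -> (HKLM/HKU key, value name); drops the WOW64 redirection node."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.startswith(prefix):
            path = hive + path[len(prefix):]
            break
    path = path.replace("Wow6432Node\\", "")
    key, _, name = path.rpartition("\\")   # trailing backslash => default value, name ""
    return key, name


def parse_rows(text: str):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        vtype, path, data, proc = m.groups()
        key, name = normalize(path)
        rows.append(RegSet(vtype, key, name, data, proc.rsplit("\\", 1)[-1]))
    return rows


def as_signed_dword(text: str) -> int:
    """The sandbox prints REG_DWORD unsigned; SFCDisable is documented as a signed value."""
    v = int(text)
    return v - (1 << 32) if v >= (1 << 31) else v


def classify(r: RegSet):
    """(tag, detail) for values this sample tampers with, None for everything else."""
    key = r.key.lower()
    if key.endswith("explorer\\advanced") and r.name == "HideFileExt" and r.data == "1":
        return "evasion", "Explorer hides known extensions (x.DOC.exe is listed as x.DOC)"
    if key.endswith("explorer\\advanced") and r.name == "ShowSuperHidden" and r.data == "0":
        return "evasion", "Explorer hides protected operating-system files"
    if key.endswith("policies\\system") and r.name == "DisableRegistryTools" and r.data == "1":
        return "evasion", "regedit blocked for this user"
    if key.endswith("\\security center") and r.name.endswith(("Override", "DisableNotify")) and r.data == "1":
        return "evasion", f"Security Center {r.name} suppressed"
    if key.endswith("\\winlogon") and r.name in ("SFCDisable", "SFCScan"):
        return "evasion", f"Winlogon {r.name} = {r.data} (signed {as_signed_dword(r.data)}; legacy WFP switch)"
    if key.endswith("currentversion\\run"):
        return "persistence", f"Run value {r.name or '(Default)'} -> {r.data}"
    return None


def triage(text: str):
    findings = []
    for r in parse_rows(text):
        hit = classify(r)
        if hit:
            findings.append((hit[0], r.process, f"{r.key}\\{r.name}", hit[1]))
    return findings


def by_process(findings):
    return Counter(proc for _, proc, _, _ in findings)


if __name__ == "__main__":
    for tag, proc, where, detail in triage(SAMPLE_ROWS):
        print(f"[{tag:11}] {proc:22} {where}\n{'':14}{detail}")
    print(dict(by_process(triage(SAMPLE_ROWS))))
```

Paste the whole behavioral1 table into SAMPLE_ROWS to run it over the full detonation; whatever classify leaves at None (the WINWORD.EXE toolbar row in the sample) is worth a second look but is not on this sample's known list.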

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (7 matches, none with indicator details)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dvxnsgsmlh.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ddesmzanjwpiaey.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ogzbujjx.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzbujjx.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dajnsgqydykma.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dvxnsgsmlh.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ddesmzanjwpiaey.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dajnsgqydykma.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogzbujjx.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogzbujjx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ogzbujjx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogzbujjx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ogzbujjx.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogzbujjx.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogzbujjx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogzbujjx.exe N/A
(duplicate rows collapsed)

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
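
HideFileExt = 1 from the Explorer table and the PROTTPLN.DOC.exe / PROTTPLV.DOC.exe files in the Program Files table belong together: Explorer's "Hide extensions for known file types" setting drops only the final extension, and only when that extension is a registered type, so an executable named x.DOC.exe is listed as x.DOC while an unregistered x.nal keeps its extension. The Python below is an added example, not part of the report: it models that display rule over the dropped paths, flags executables that would read as documents, and groups same-stem companions (each .DOC.exe here has a .nal beside it). The extension lists are the editor's assumption, a subset of what a real scan would read from the registered types under HKCR; scan_directory applies the same check to a live tree.

```python
"""Which dropped files would a user see as documents once HideFileExt = 1?

Added example; DROPPED is copied from the 'Drops file in ...' tables above
with the \\??\\ prefix removed. Extension sets are assumed, not read from HKCR.
"""
import ntpath
import os
from collections import defaultdict

# Constructed from the report's file-drop rows.
DROPPED = [
    r"c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe",
    r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal",
    r"c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe",
    r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal",
    r"C:\Windows\SysWOW64\dvxnsgsmlh.exe",
    r"C:\Windows\SysWOW64\ogzbujjx.exe",
    r"C:\Windows\mydoc.rtf",
]

# Assumed subsets; a production scan consults the registered types instead.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
DOC_EXT = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt", ".jpg"}
KNOWN_EXT = EXEC_EXT | DOC_EXT   # extensions Explorer hides when HideFileExt = 1


def displayed_name(filename: str, hide_file_ext: bool = True) -> str:
    """Name Explorer lists: the final extension is dropped only if it is a known type."""
    stem, ext = ntpath.splitext(filename)
    if hide_file_ext and ext.lower() in KNOWN_EXT:
        return stem
    return filename


def is_masquerade(path: str, hide_file_ext: bool = True) -> bool:
    """True when an executable would be listed under a document-looking name."""
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1].lower()
    shown = displayed_name(name, hide_file_ext)
    return ext in EXEC_EXT and ntpath.splitext(shown)[1].lower() in DOC_EXT


def find_masquerades(paths, hide_file_ext: bool = True):
    return [(p, displayed_name(ntpath.basename(p), hide_file_ext))
            for p in paths if is_masquerade(p, hide_file_ext)]


def companions(paths):
    """Group by directory and first name component; PROTTPLN.DOC.exe and
    PROTTPLN.nal land in one group, which is the on-disk pattern to hunt for."""
    groups = defaultdict(list)
    for p in paths:
        d, name = ntpath.split(p)
        groups[(d.lower(), name.split(".", 1)[0].lower())].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def scan_directory(root: str, hide_file_ext: bool = True):
    """Same check over a live tree; ntpath handles both separator styles."""
    found = []
    for dirpath, _, files in os.walk(root):
        found += find_masquerades([os.path.join(dirpath, f) for f in files], hide_file_ext)
    return found


if __name__ == "__main__":
    for path, shown in find_masquerades(DROPPED):
        print(f"{shown!r:16} is really {path}")
    for (folder, stem), names in companions(DROPPED).items():
        print(f"{folder}\\{stem}.* -> {names}")
```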

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FAB0F913F2E3837D3A4B869A39E6B0FC03884268034BE1CF429E09A3" C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB7FF6D22D0D17AD0A98B7D9010" C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
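
The two "Set value (data)" rows above are hex dumps of REG_BINARY values, and the sandbox prints them raw. The following Python example is added for this report and is not sandbox output: it decodes the MSPub.exe value copied verbatim from the table (UTF-16LE with its terminating NULs) and splits it on the layout of a Windows Installer advertised ("Darwin") descriptor, i.e. a 20-character compressed product code, a feature name, ">", a 20-character compressed component code and the "%1" argument template. A value of that shape is Office registering its own advertised OpenWithList verbs, which is what WINWORD.EXE does once the sample launches it on C:\Windows\mydoc.rtf; the class changes attributable to the sample itself are the ones written by dvxnsgsmlh.exe (.wsc, .bat and .reg keys). The DarwinDescriptor record and the split_darwin_descriptor heuristic are this example's own, not an installer API.

```python
"""Decode the REG_BINARY 'command' values written by WINWORD.EXE above.

Added example for this report, not sandbox output. The hex string is copied
verbatim from the MSPub.exe OpenWithList row; the sandbox dumps REG_BINARY as
hex, and this value is UTF-16LE text with its terminating NULs included.
"""
from typing import NamedTuple, Optional

# Copied from the table row for
# \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command
MSPUB_COMMAND_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d00"
    "4b004b0053006b005000750062005000720069006d006100720079003e0052002400"
    "6e0075006a0053005700460065003f007d0061004c00720052007000390078004000"
    "570020002500310000000000"
)


class DarwinDescriptor(NamedTuple):
    """Windows Installer advertised-shortcut descriptor (name is this example's)."""
    product: str    # 20-char compressed product GUID
    feature: str    # feature name, e.g. PubPrimary
    component: str  # 20-char compressed component GUID
    args: str       # argument template that follows, e.g. %1


def decode_reg_binary_utf16(hex_dump: str) -> str:
    """Turn the sandbox's hex dump of a REG_BINARY value into text.

    Registry string data is UTF-16LE; the dump keeps the terminating NULs,
    which are stripped so the result can be compared and split cleanly.
    """
    raw = bytes.fromhex(hex_dump)
    if len(raw) % 2:
        raise ValueError("odd-length buffer cannot be UTF-16")
    return raw.decode("utf-16-le").rstrip("\x00")


def split_darwin_descriptor(text: str) -> Optional[DarwinDescriptor]:
    """Split text laid out as <product20><feature>'>'<component20>[ args].

    Returns None when the text does not have that shape, so a genuinely
    foreign command string is not written off as installer bookkeeping.
    """
    if len(text) < 41 or ">" not in text[20:]:
        return None
    product, rest = text[:20], text[20:]
    feature, _, tail = rest.partition(">")
    if not feature or len(tail) < 20:
        return None
    return DarwinDescriptor(product, feature, tail[:20], tail[20:].strip())


if __name__ == "__main__":
    decoded = decode_reg_binary_utf16(MSPUB_COMMAND_HEX)
    print(repr(decoded))
    print(split_darwin_descriptor(decoded))
```

The same decoder applies to any "(data)" row in these tables; the "(str)" rows (for example the Excel.exe ddeexec value [open("%1")]) are already text and do not have the descriptor shape, which the splitter reports by returning None.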

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
N/A N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
N/A N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
N/A N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
N/A N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ogzbujjx.exe N/A
N/A N/A C:\Windows\SysWOW64\ogzbujjx.exe N/A
N/A N/A C:\Windows\SysWOW64\ogzbujjx.exe N/A
N/A N/A C:\Windows\SysWOW64\ogzbujjx.exe N/A
N/A N/A C:\Windows\SysWOW64\ogzbujjx.exe N/A
N/A N/A C:\Windows\SysWOW64\ogzbujjx.exe N/A
N/A N/A C:\Windows\SysWOW64\ogzbujjx.exe N/A
N/A N/A C:\Windows\SysWOW64\ogzbujjx.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\dajnsgqydykma.exe N/A
N/A N/A C:\Windows\SysWOW64\ddesmzanjwpiaey.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dvxnsgsmlh.exe
PID 3052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dvxnsgsmlh.exe
PID 3052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dvxnsgsmlh.exe
PID 3052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dvxnsgsmlh.exe
PID 3052 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ddesmzanjwpiaey.exe
PID 3052 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ddesmzanjwpiaey.exe
PID 3052 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ddesmzanjwpiaey.exe
PID 3052 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ddesmzanjwpiaey.exe
PID 3052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ogzbujjx.exe
PID 3052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ogzbujjx.exe
PID 3052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ogzbujjx.exe
PID 3052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ogzbujjx.exe
PID 3052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dajnsgqydykma.exe
PID 3052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dajnsgqydykma.exe
PID 3052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dajnsgqydykma.exe
PID 3052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dajnsgqydykma.exe
PID 2452 wrote to memory of 2964 N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe C:\Windows\SysWOW64\ogzbujjx.exe
PID 2452 wrote to memory of 2964 N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe C:\Windows\SysWOW64\ogzbujjx.exe
PID 2452 wrote to memory of 2964 N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe C:\Windows\SysWOW64\ogzbujjx.exe
PID 2452 wrote to memory of 2964 N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe C:\Windows\SysWOW64\ogzbujjx.exe
PID 3052 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3052 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3052 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3052 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2736 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2736 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2736 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2736 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
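
The WriteProcessMemory rows above double as the launch graph of this detonation: each parent writes into the address space of a child it has just created, and the report lists one row per write, which is why every parent/child pair appears four times. The following Python example is added for this report and is not sandbox output; it collapses rows copied from the table into a parent-to-children tree. The result shows the sample (PID 3052) starting the four SysWOW64 droppers and WINWORD.EXE on C:\Windows\mydoc.rtf (the document it drops, per the Processes section), dvxnsgsmlh.exe (2452) starting a second ogzbujjx.exe, and Word starting splwow64.exe, its 32-bit print-driver helper, which is ordinary Word behaviour rather than sample activity. The second ogzbujjx.exe is launched with a system32 path but runs from SysWOW64 (Processes section), consistent with WOW64 file-system redirection for a 32-bit caller. The parse_rows, roots and render helpers are this example's own.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not sandbox output. The rows are copied from
the table above; repeated parent/child pairs (one row per write) collapse to
a single edge.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: rows copied verbatim from the table above (one pair
# intentionally duplicated to show the collapsing).
SAMPLE_ROWS = [
    r"PID 3052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dvxnsgsmlh.exe",
    r"PID 3052 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dvxnsgsmlh.exe",
    r"PID 3052 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ddesmzanjwpiaey.exe",
    r"PID 3052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ogzbujjx.exe",
    r"PID 3052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\dajnsgqydykma.exe",
    r"PID 2452 wrote to memory of 2964 N/A C:\Windows\SysWOW64\dvxnsgsmlh.exe C:\Windows\SysWOW64\ogzbujjx.exe",
    r"PID 3052 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
    r"PID 2736 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe",
]

# The target image is the first token that looks like a drive path after the
# source image, which lets source paths containing spaces parse correctly.
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)


def parse_rows(rows: List[str]) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Return (children by parent PID, image path by PID), one edge per pair."""
    children: Dict[int, List[int]] = defaultdict(list)
    images: Dict[int, str] = {}
    for line in rows:
        m = ROW.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        if dst not in children[src]:
            children[src].append(dst)
    for kids in children.values():
        kids.sort()
    return dict(children), images


def roots(children: Dict[int, List[int]]) -> List[int]:
    """PIDs nobody wrote into: the entry points of the tree."""
    written_to = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in written_to)


def render(children: Dict[int, List[int]], images: Dict[int, str],
           pid: int, depth: int = 0) -> List[str]:
    """Indented one-line-per-process view, depth-first."""
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


if __name__ == "__main__":
    kids, imgs = parse_rows(SAMPLE_ROWS)
    for root in roots(kids):
        print("\n".join(render(kids, imgs, root)))
```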

Processes

C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe"

C:\Windows\SysWOW64\dvxnsgsmlh.exe

dvxnsgsmlh.exe

C:\Windows\SysWOW64\ddesmzanjwpiaey.exe

ddesmzanjwpiaey.exe

C:\Windows\SysWOW64\ogzbujjx.exe

ogzbujjx.exe

C:\Windows\SysWOW64\dajnsgqydykma.exe

dajnsgqydykma.exe

C:\Windows\SysWOW64\ogzbujjx.exe

C:\Windows\system32\ogzbujjx.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/3052-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ddesmzanjwpiaey.exe

MD5 1ffd9f5613a6eb41657c522a1fcb870d
SHA1 787b43b2b61b92fd9d78dfe57a9f866047c83d82
SHA256 702b1781fb58d26477678878ac1ece4cc046d5a7fb778731c47a08a2162b06fc
SHA512 49af1f9a17a56b153f9178219588ed7998b706c4eada6d5b6f1eef46462b401912f129675c72efdd06b0b16dc874b87946d0c8e4d4f1272b7b39ea14050d4d00

\Windows\SysWOW64\dvxnsgsmlh.exe

MD5 fb46b48ff584bc4c38f14d4f5421bf2b
SHA1 7f9343c8688ee6387978e84a257097149eb0805c
SHA256 8c2826f6962a313929ba27d38a191edb11d6cfefaefe8582816d88257b65b1c4
SHA512 992ac7a213c7b6432723e3a4f052ca65abe42b2f07615e13daa3b01fe2ffc8acf4aa9a1eb0c90ed22b610ed7e6592a8d37ad86d330cb9186c67869312324c693

\Windows\SysWOW64\ogzbujjx.exe

MD5 fc1937a83b2c273df3c8dcc87ef8006e
SHA1 16e517167ef46e1bb3a4fbcec8368272913889d3
SHA256 0fdcc5b9215834f3abe0d4efeb55c8624cfc6800c49a503594daca4022f751af
SHA512 86e6a5fe28a0d72735d7d38a44245090e147f90a684ab29724e3844285cb7217bbed35b958ba2e06f69a41a4fd2f0c791bb9153b06b849a0ca7c2af27e21889a

C:\Windows\SysWOW64\dajnsgqydykma.exe

MD5 772dbb34b62767db6fa9a8805c37d431
SHA1 003591d11bee7351a1b154cfedfde293e2320f57
SHA256 ea0c33806c2629ce5bf5b6582bfa16393bf9dd8101b1bf82241cc1cb0cac9eee
SHA512 a4f4125114561bd8b4c2e275e725cef7e65780c8baafe2d5ee79b9996ec9ce35730e14695e3f7f50c17f8c11b5b499624df9751b727ab8c4385f82ef78c9d17e

memory/2736-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 c926ba39a643f83c53888eee74b96320
SHA1 2bad2e32ab12d4552ca916d84cf6e0f016cc99dc
SHA256 27ab99c0b4149309d8c3c65446ec6f2b68e176fc7ece2e70f890024f8d3a4735
SHA512 b345b28a88a32e27269c60283852ebf3486897d1be4414508ba1e974d17d57748854a67a02f0bac0f71fc6b3d35847539ad548c316b03f0222318fcfc4b90374

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 d45a2927096c3aed6e76cf12e1cf38d5
SHA1 97c17e71daa2940d319c4dfd6c601403661809de
SHA256 c045a34620f5c885935c72e0b5e0f6e6da8ae76d93895db66782977e88a2218d
SHA512 43fa8d9d7a4625ee9030da24894d7e6e67e3c8e404096046e64de207f86414e14e50f23708b5291709a6e1006f3fae2702aca7add2deb3af7d3ca63be6b663b8

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 a06d6a87cb182aa76c37b2aac97ac856
SHA1 07ed1d4ae2d2b4e4820451974e8fae9513f97f09
SHA256 0473f0c325ec4757c380f7477041041a4e83edf68b0a1145fb5bdf3ba7d3998a
SHA512 c08315e7d422f9aa6c3ea7a99b3fe10890ec7a9f9ec57726eb614adc40db89a0a76c4d19f028aa7176ca2c575b2f253f84bd866d21dc725a070109419eb4324f

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 c1e2993b97c610bd21284e08cd219264
SHA1 cd61d8ddba7cde15f28d307472062098349eda8e
SHA256 5967b6932e899adab7ee834e860d0c3b9d6be26fb46465b8eb7214ec4d1b1649
SHA512 831102ba60d0c18de440ea5009df97671fb38441bbc0567d7bbc55529d1eaa09fd45d1fa3d588ea9409e034d6f5e2c5003a570c5c4d62dd60288e0435e3036c3

memory/2736-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 05:10

Reported 2024-06-14 05:13

Platform win10v2004-20240508-en

Max time kernel 150s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\rcbjccjowo.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adlrafrv = "rcbjccjowo.exe" C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkupqucg = "ngopygqdgwwunad.exe" C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "iyliqdhuvnsov.exe" C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\edixjzfk.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
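
Rule-based triage of the registry writes in the behavioral2 tables above, as an added Python example for this report (not sandbox output). The sample rows are copied verbatim from the report; the parser, the RegWrite record, the rule set and the ATT&CK labels are this example's own. It spells out what each write does on the host: HideFileExt=1 makes the dropped *.DOC.exe files display as *.DOC, ShowSuperHidden=0 hides system files, DisableRegistryTools=1 locks the user out of regedit, the per-extension "txtfile" class changes make .bat/.reg/.vbs/.wsf/.wsc/.wsh open in Notepad instead of executing (which also blunts script- or .reg-based cleanup), and SFCDisable=4294967197 is the unsigned rendering of 0xFFFFFF9D (signed -99), the legacy value once used to disable Windows File Protection; it does nothing on Windows 10. The Security Center values are XP SP2-era flags and are largely inert on Windows 10 as well, so read that signature as a statement of intent rather than a working bypass. The WOW6432Node and SysWOW64 paths show that every writer is a 32-bit process.

```python
"""Rule-based triage of the 'Set value' registry rows from the tables above.

Added example for this report, not sandbox output. The sample rows are copied
verbatim from the report; the rules and technique labels are this example's own.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: rows copied from the behavioral2 signature tables. The
# last row is a query, not a write, and is there to show it being skipped.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\rcbjccjowo.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\rcbjccjowo.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adlrafrv = "rcbjccjowo.exe" C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\rcbjccjowo.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\rcbjccjowo.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A',
]

ROW = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*?)" '
    r'(?P<proc>.+?) N/A$'
)


class RegWrite(NamedTuple):
    kind: str      # int / str / data, as printed by the sandbox
    key: str       # full key path without the value name
    name: str      # value name; "" is the key's (Default) value
    data: str
    process: str   # writer; SysWOW64/WOW6432Node paths mean a 32-bit process


def parse_row(line: str) -> Optional[RegWrite]:
    """Parse one table row; opens and queries are not writes and yield None."""
    m = ROW.match(line)
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    return RegWrite(m["kind"], key, name, m["data"], m["proc"])


def dword_to_signed(value: int) -> int:
    """Registry DWORDs print unsigned; SFCDisable only makes sense signed."""
    return value - (1 << 32) if value >= (1 << 31) else value


def classify(w: RegWrite) -> Optional[Tuple[str, str]]:
    """Map a write to (ATT&CK technique, host effect); None for benign noise."""
    key, name, data = w.key.lower(), w.name.lower(), w.data
    if key.endswith(r"\explorer\advanced"):
        if name == "hidefileext" and data == "1":
            return ("T1036.007", "hides extensions, so the *.DOC.exe drops display as *.DOC")
        if name == "showsuperhidden" and data == "0":
            return ("T1564.001", "hides system/super-hidden files in Explorer")
    if key.endswith(r"\security center") and data == "1":
        # XP SP2-era Security Center flags: largely inert on Windows 10, but an
        # unambiguous statement of intent.
        if name.endswith(("disablenotify", "override")) or name == "firstrundisabled":
            return ("T1562.001", f"suppresses Security Center warning: {w.name}")
    if key.endswith(r"\policies\system") and name == "disableregistrytools" and data == "1":
        return ("T1562.001", "blocks regedit for this user, hampering manual cleanup")
    if key.endswith(r"\currentversion\run"):
        return ("T1547.001", f"Run-key autostart of {data}")
    if key.endswith(r"\winlogon") and name in ("sfcdisable", "sfcscan"):
        v = int(data)
        return ("T1562.001", f"{w.name}={data} (0x{v:08X}, signed {dword_to_signed(v)})")
    if r"\classes\." in key and name == "" and data == "txtfile":
        ext = key.rpartition("\\")[2]
        return ("T1112", f"{ext} files now open in Notepad instead of executing")
    return None


def triage(rows: List[str]) -> List[dict]:
    """One finding per classified write, in table order."""
    findings = []
    for line in rows:
        w = parse_row(line)
        if w is None:
            continue
        hit = classify(w)
        if hit is not None:
            findings.append({"technique": hit[0], "detail": hit[1], "process": w.process})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['technique']:10} {f['detail']}  <- {f['process']}")
```

The rules deliberately key on the tail of the key path rather than the full hive prefix, so the same row shape from a native 64-bit writer (no WOW6432Node) or from another user's SID classifies identically.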

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rcbjccjowo.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ngopygqdgwwunad.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ngopygqdgwwunad.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\edixjzfk.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\iyliqdhuvnsov.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\rcbjccjowo.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created C:\Windows\SysWOW64\rcbjccjowo.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\edixjzfk.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iyliqdhuvnsov.exe C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\edixjzfk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\edixjzfk.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FC8E482C85189040D7587D9DBC93E634593266446331D6E9" C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7B9C5283556A3F76D370552CAA7CF264D6" C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B12E47E738EA53C4B9A73293D7CD" C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFACAF962F29984793B46819A3995B08803884216023CE1BF429A08D5" C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BB1FE6822DAD208D0A88B7B9017" C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC67A14E7DBC2B9BC7FE1EDE434CE" C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\rcbjccjowo.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\rcbjccjowo.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\iyliqdhuvnsov.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\ngopygqdgwwunad.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A
N/A N/A C:\Windows\SysWOW64\edixjzfk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\rcbjccjowo.exe
PID 1152 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\rcbjccjowo.exe
PID 1152 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\rcbjccjowo.exe
PID 1152 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ngopygqdgwwunad.exe
PID 1152 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ngopygqdgwwunad.exe
PID 1152 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\ngopygqdgwwunad.exe
PID 1152 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\edixjzfk.exe
PID 1152 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\edixjzfk.exe
PID 1152 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\edixjzfk.exe
PID 1152 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\iyliqdhuvnsov.exe
PID 1152 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\iyliqdhuvnsov.exe
PID 1152 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Windows\SysWOW64\iyliqdhuvnsov.exe
PID 4084 wrote to memory of 3368 N/A C:\Windows\SysWOW64\rcbjccjowo.exe C:\Windows\SysWOW64\edixjzfk.exe
PID 4084 wrote to memory of 3368 N/A C:\Windows\SysWOW64\rcbjccjowo.exe C:\Windows\SysWOW64\edixjzfk.exe
PID 4084 wrote to memory of 3368 N/A C:\Windows\SysWOW64\rcbjccjowo.exe C:\Windows\SysWOW64\edixjzfk.exe
PID 1152 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1152 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe"

C:\Windows\SysWOW64\rcbjccjowo.exe

rcbjccjowo.exe

C:\Windows\SysWOW64\ngopygqdgwwunad.exe

ngopygqdgwwunad.exe

C:\Windows\SysWOW64\edixjzfk.exe

edixjzfk.exe

C:\Windows\SysWOW64\iyliqdhuvnsov.exe

iyliqdhuvnsov.exe

C:\Windows\SysWOW64\edixjzfk.exe

C:\Windows\system32\edixjzfk.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/1152-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ngopygqdgwwunad.exe

MD5 6837e77de8e8a2bf86432ee6e28511c8
SHA1 61e683d9049ec0e8c0850b5d01947d53ef2e5c71
SHA256 008548db3685e1bdd320954feca031526ced02cdf88b00ac1b8775369a96ea8f
SHA512 9f5b6ea14afb2e0532b32312d70fa1e499c454c55f3c027164d9330f62477d60748dbd0d95e465a749c32c2b919c3f5c0f6c68795fb9609345ddf5c2d3e4f568

C:\Windows\SysWOW64\rcbjccjowo.exe

MD5 abfc6f7d5767ebbffb413ff52b08418a
SHA1 33128ca0160cf2666d8f75440eb2544cf816c09d
SHA256 421f9bcd574a9df3862b0f44f39962d1207c9dce0f174fa5b3d72803a17e5af1
SHA512 e3cc05dd425d2e4987a88765c71b3b9580d37912caf69910f9ed1f168cd6ad00bcbac830fe74f26882c8bbd449d7c2725481833255d7d375ac49c1660b787a43

C:\Windows\SysWOW64\edixjzfk.exe

MD5 e0fd02d6537ce46e72bddf928c784233
SHA1 763bc8495c1e13c1542b9e43d281b08612cb6afb
SHA256 350c020fcc96ac3153ff97551a61d7303a9b19109c1610d456a55e8678d7bcf4
SHA512 dea7492c1df090d44453bf9cde7314a376bd8195a50b55fdc5f79314e4b811e4debe191dd34a00240f092aa2bc08f97b49b1fe9ef65de72fbadcef46c2ea4352

C:\Windows\SysWOW64\iyliqdhuvnsov.exe

MD5 7695ffe8c73a0fa20616095fc195a075
SHA1 df8c99fc4a726aae9c680703b9d42bf9732d908a
SHA256 531067e90506abbe561fcc0644bb46c03c555d62243dcaf75835013b6f1a22d1
SHA512 43d4e0f93d8adb09c93cf62a8f9ed43f703081f489bb4ca237916e4cf58f99c1cd490da783351bcab5aef71a321e96452a39f65262acac0ea5227082a99f18ee

memory/3668-37-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

memory/3668-39-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

memory/3668-38-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

memory/3668-40-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

memory/3668-41-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

memory/3668-42-0x00007FF90F790000-0x00007FF90F7A0000-memory.dmp

memory/3668-43-0x00007FF90F790000-0x00007FF90F7A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 42033c511bcc7e1970e3c45cb786f794
SHA1 85fd47e439588b9c25090a0b4e80708c70652403
SHA256 62d541335dd2c855f8cf2c10b799aa5b4462fb9d799282a6a6acf5a747bdbfc6
SHA512 c121ce2191dd3d934458ca89f7c2a9b533081e0675d1deaa703539b61424a3c47b8c2138bda3b31ecfcd05c520a5a23010e4c6d6b0e2d4c629ac76b22b163b26

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 869d04908f5534d31eb5871fa0df5f5f
SHA1 6ee65eb1db8b3ab997189db2050e6c331e72071a
SHA256 0cfa3044411d726d08e9efcabe016fc4495077476916726786982733c0f8c134
SHA512 3bfd77ad8ca7885415b43fc36d43c78614073f8e0a582648c0e580abcee1ca40f22b2ae3528f29c0d8b23f8628fe1bb0767818a132daa455bbedf0ef9658070c

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 263fb6267154a40bc067c78749f78a44
SHA1 63fba2b8850137780f7a90be74e9a63b6ee40f88
SHA256 2e2f66ef0a8f3894bdf8846fc5ad0d98307698fba5fbdbf9eba151e983a58a56
SHA512 85006c4a5620245828bcf339f4f2e24bc8d8061d14ce3e65b540d24aec161e0b4097abf9b616665362d908d2599765503eae2c7ae09b75f996c83ec93072bcba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e05de15160188acef7ccd511140668bc
SHA1 c6ff773ec37e4e3157604ea4c46b335d67dacce4
SHA256 d507bcff08f00b14f8e2353bc13b5c961d7bfcd2965a0498c4cae5c6145a8ed9
SHA512 cc57c9c94705fd6b2eba4a1f7041a2dc59b9d40f9c491c20af8ad063e06d0b1d032f9ae680da271fedd4e732a9cbcac41418dc75725d5ff7240e4c99600a537a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3fa8393a19e5bb7bb2ca21f609cb8f48
SHA1 d21c8bb86fe108f21bed5647656c2af6aa6dd0e5
SHA256 2db368e1aa4316efb897e4cd4a55ef2669ecccac6bb2becccb0cc3fe946e386c
SHA512 b11615dad1648757d755a73da90268e2cf8051262fb3b13537d7b236e9905668093e7e117bb922e7004dd711e21dafb4ceb9de2a797fab8c95a9b7d8b82c3c41

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 60488a002d34c5dac332c54471729600
SHA1 47626fb35dd4d0f0c1ec0b1cd72a7459a36d3e03
SHA256 84ce0379359ae08745acd34c6e6042284ab5ce5c53db748ff941a8caa074e8c7
SHA512 526fa79016f906766bccd5cd59e7280f20978f44b8851050503490f7301fe9452da00e9459789b502ac8ef07079fb4ee47288cb57015b038450a7db265771102

memory/3668-108-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

memory/3668-109-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

memory/3668-110-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

memory/3668-107-0x00007FF9117F0000-0x00007FF911800000-memory.dmp