Malware Analysis Report

2024-07-11 07:36

Sample ID 240622-e61vbsybjh
Target 01468a69ca8676b51a357676e0856c88_JaffaCakes118
SHA256 fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0

Threat Level: Known bad

The file 01468a69ca8676b51a357676e0856c88_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Executes dropped EXE

Loads dropped DLL

Drops startup file

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:33

Reported

2024-06-22 04:36

Platform

win7-20240419-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 38004600390037003900380034004600390039003000440039003100360035000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rudiment.exe
PID 2208 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rudiment.exe
PID 2208 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rudiment.exe
PID 2208 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rudiment.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 2496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 1732 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1732 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1732 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1732 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Users\Admin\AppData\Local\Temp\rudiment.exe

C:\Users\Admin\AppData\Local\Temp\rudiment.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:53 tcp
N/A 127.0.0.1:53 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:53 tcp
N/A 127.0.0.1:53 tcp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:53 tcp
N/A 127.0.0.1:53 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp

Files

memory/2208-0-0x0000000000C90000-0x0000000000E93000-memory.dmp

memory/2208-1-0x0000000000C90000-0x0000000000E93000-memory.dmp

memory/1732-5-0x000000002FA81000-0x000000002FA82000-memory.dmp

memory/1732-6-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1732-7-0x00000000717FD000-0x0000000071808000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rudiment.exe

MD5 b5bdaba69689e8be57ce78bb6845e4f0
SHA1 573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a
SHA256 1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad
SHA512 e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

C:\Users\Admin\AppData\Local\Temp\psychiatry.dat

MD5 09a4e70560c2b595932a4582fd84bbf8
SHA1 8719221b5159fd47ce655fc01ec2d688ac750fb9
SHA256 ba5c35f51b5ebcb41dec480451c58cfa35fb86d465dc942cb55b0b16174c0772
SHA512 89ca096cdd1146fb317326bd9c4a9dee50b2d8bd187799073ca10e539d62b384bfaa7fb5f918c05c9347c4d9d3a8d86a4229c0c4261ca3ac0c9affb257d91b9a

\Users\Admin\AppData\Local\Temp\vsodscpl.dll

MD5 8e1e29319401aa9e83be7a298b35743e
SHA1 c82d8a9dd5f00559f8a6a12bd5444c105fc81744
SHA256 42c10c024b48b59ab485cfd570875b4e88af72847acc85f5aaaa83bc8437d431
SHA512 1804d936cdb5ba8d3d62815ce0d2396e4bf8f53d004771adabacd63a6728a8ff8058215d420c28c702f406b352522ee35c7e8cc832b994dd1cb710a1a1090751

memory/2828-20-0x00000000003A0000-0x00000000003CE000-memory.dmp

memory/2828-21-0x0000000001DE0000-0x0000000001EE0000-memory.dmp

memory/2556-26-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/2556-25-0x00000000000A0000-0x00000000000BB000-memory.dmp

memory/2556-22-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2556-31-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2556-32-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2556-47-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2556-46-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2556-44-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2556-43-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2828-34-0x00000000003A0000-0x00000000003CE000-memory.dmp

memory/2556-45-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2556-48-0x0000000000200000-0x000000000022E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2556-58-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2496-64-0x0000000000780000-0x00000000007AE000-memory.dmp

memory/2496-66-0x0000000000780000-0x00000000007AE000-memory.dmp

memory/2496-67-0x0000000000780000-0x00000000007AE000-memory.dmp

memory/2496-65-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2556-69-0x0000000000200000-0x000000000022E000-memory.dmp

memory/1732-71-0x00000000717FD000-0x0000000071808000-memory.dmp

memory/2556-76-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2556-85-0x0000000000200000-0x000000000022E000-memory.dmp

memory/2556-86-0x0000000000200000-0x000000000022E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 04:33

Reported

2024-06-22 04:36

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 44003100390045003200320044003200440030004400360045004100420038000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\MJ C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5100 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rudiment.exe
PID 5100 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rudiment.exe
PID 5100 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rudiment.exe
PID 3540 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 3540 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 3540 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 3540 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 3540 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 3540 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 3540 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 3540 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\rudiment.exe C:\Windows\SysWOW64\svchost.exe
PID 3188 wrote to memory of 2304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3188 wrote to memory of 2304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3188 wrote to memory of 2304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3188 wrote to memory of 2304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3188 wrote to memory of 2304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3188 wrote to memory of 2304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3188 wrote to memory of 2304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3188 wrote to memory of 2304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Users\Admin\AppData\Local\Temp\rudiment.exe

C:\Users\Admin\AppData\Local\Temp\rudiment.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 255.255.255.255:53 nttdata.otzo.com udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:443 tcp
N/A 255.255.255.255:53 nttdata.otzo.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 127.0.0.1:53 tcp
N/A 127.0.0.1:53 tcp
N/A 255.255.255.255:53 nttdata.otzo.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
N/A 255.255.255.255:53 nttdata.otzo.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
N/A 255.255.255.255:53 nttdata.otzo.com udp
US 8.8.8.8:53 nttdata.otzo.com udp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 255.255.255.255:53 nttdata.otzo.com udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:53 tcp
N/A 127.0.0.1:53 tcp

Files

memory/5100-0-0x00000000004A0000-0x00000000006A3000-memory.dmp

memory/5100-1-0x00000000004A0000-0x00000000006A3000-memory.dmp

memory/3372-8-0x00007FF980350000-0x00007FF980360000-memory.dmp

memory/3372-7-0x00007FF980350000-0x00007FF980360000-memory.dmp

memory/3372-9-0x00007FF980350000-0x00007FF980360000-memory.dmp

memory/3372-6-0x00007FF980350000-0x00007FF980360000-memory.dmp

memory/3372-5-0x00007FF980350000-0x00007FF980360000-memory.dmp

memory/3372-10-0x00007FF9C036D000-0x00007FF9C036E000-memory.dmp

memory/3372-11-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-12-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-13-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-15-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-14-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-16-0x00007FF97DFF0000-0x00007FF97E000000-memory.dmp

memory/3372-18-0x00007FF97DFF0000-0x00007FF97E000000-memory.dmp

memory/3372-17-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-21-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-20-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-22-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-23-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3372-19-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rudiment.exe

MD5 b5bdaba69689e8be57ce78bb6845e4f0
SHA1 573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a
SHA256 1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad
SHA512 e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

C:\Users\Admin\AppData\Local\Temp\vsodscpl.DLL

MD5 c6110df133b583488587974c5485bfbe
SHA1 25882d89fe1c65893e3a328e3676da614e261509
SHA256 6dba4f30583ce37d537ed06623de941ba5de22197504664ff1fad89f8a372520
SHA512 9b2ebb8172ef93d667848136e0a67cee6a3c6cfb2e66533b98acc2ae4cad38388e422c8d5c616a5a4f9f05325e228c9623d4f16db59f8e4a287c068f91bdb38a

C:\Users\Admin\AppData\Local\Temp\psychiatry.dat

MD5 654c5fe3e9e5134f69a683ba17d21512
SHA1 8a5fe839f2ff04369928a64745d0d975c72937a2
SHA256 5080d2c9a0a5bd2de0a00386dae99fa63a3ebc18299cc01114b4966c16eaae7e
SHA512 e881bd59267b8947235fafafad3229967db02b92aa92c12eb3acf34cf82932abac24ff709a46e8b8d2ae823a25cf32b3811b955ea5259d4b4c69a7781f9b4e66

memory/3540-39-0x00000000026D0000-0x00000000026FE000-memory.dmp

memory/3188-41-0x00000000017A0000-0x00000000017CE000-memory.dmp

memory/3188-54-0x00000000017A0000-0x00000000017CE000-memory.dmp

memory/3540-56-0x00000000026D0000-0x00000000026FE000-memory.dmp

memory/3188-55-0x00000000017A0000-0x00000000017CE000-memory.dmp

memory/3188-52-0x00000000017A0000-0x00000000017CE000-memory.dmp

memory/3188-51-0x0000000001790000-0x0000000001791000-memory.dmp

memory/3188-53-0x00000000017A0000-0x00000000017CE000-memory.dmp

memory/3188-40-0x00000000017A0000-0x00000000017CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2304-66-0x0000000001220000-0x000000000124E000-memory.dmp

memory/2304-69-0x0000000001220000-0x000000000124E000-memory.dmp

memory/2304-68-0x0000000001220000-0x000000000124E000-memory.dmp

memory/2304-67-0x0000000001010000-0x0000000001011000-memory.dmp

memory/3372-70-0x000002744E5B0000-0x000002744E5DC000-memory.dmp

memory/3188-299-0x00000000017A0000-0x00000000017CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD9522.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/3188-552-0x00000000017A0000-0x00000000017CE000-memory.dmp

memory/3372-554-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

memory/3188-574-0x00000000017A0000-0x00000000017CE000-memory.dmp

memory/3188-575-0x00000000017A0000-0x00000000017CE000-memory.dmp