Malware Analysis Report

2024-10-19 01:52

Sample ID 240831-vx4gvswclf
Target cd40e2ae400d9246093680878435e4c0_JaffaCakes118
SHA256 4bf9bf8d633e92cacd30456ef29f97945406ff53002d593fbb41ff6850e99c64
Tags
tofsee discovery evasion execution persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4bf9bf8d633e92cacd30456ef29f97945406ff53002d593fbb41ff6850e99c64

Threat Level: Known bad

The file cd40e2ae400d9246093680878435e4c0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

tofsee discovery evasion execution persistence privilege_escalation trojan

Windows security bypass

Tofsee

Modifies Windows Firewall

Creates new service(s)

Sets service image path in registry

Checks computer location settings

Deletes itself

Executes dropped EXE

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-31 17:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-31 17:23

Reported

2024-08-31 17:25

Platform

win7-20240704-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kgaawooc = "0" | C:\Windows\SysWOW64\svchost.exe | N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kgaawooc\ImagePath = "C:\\Windows\\SysWOW64\\kgaawooc\\geommclb.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2656 set thread context of 916 | N/A | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2804 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2804 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\netsh.exe
PID 2804 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\netsh.exe
PID 2804 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\netsh.exe
PID 2804 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\netsh.exe
PID 2656 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\kgaawooc\geommclb.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kgaawooc\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\geommclb.exe" C:\Windows\SysWOW64\kgaawooc\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create kgaawooc binPath= "C:\Windows\SysWOW64\kgaawooc\geommclb.exe /d\"C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description kgaawooc "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start kgaawooc

C:\Windows\SysWOW64\kgaawooc\geommclb.exe

C:\Windows\SysWOW64\kgaawooc\geommclb.exe /d"C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
NL 20.76.201.171:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.8.49:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta5.am0.yahoodns.net udp
US 67.195.204.79:25 mta5.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 172.217.218.26:25 smtp.google.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 refabyd.info udp

Files

memory/2804-1-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/2804-2-0x0000000000020000-0x0000000000033000-memory.dmp

memory/2804-3-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\geommclb.exe

MD5 a767e30e02b18951973a55cf22763f79
SHA1 8f2f55ef51b9a243f989cf785f9e306e2870c8c0
SHA256 8c1b360a40cd8b644cbbf94c0ab63712ac49396063bfa81cd4eca1449c9f9912
SHA512 aeba8cd5459703f6fe676006ae6ce602b3410068322ca011c184f7aac9124e62994baea5662d4fca67365ba20af38b87d908f8a7c6ba75b1740e57c9436667a5

memory/2804-10-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2804-9-0x0000000000020000-0x0000000000033000-memory.dmp

memory/2804-8-0x0000000000400000-0x0000000000459000-memory.dmp

memory/916-11-0x0000000000080000-0x0000000000095000-memory.dmp

memory/916-14-0x0000000000080000-0x0000000000095000-memory.dmp

memory/916-16-0x0000000000080000-0x0000000000095000-memory.dmp

memory/916-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2656-17-0x0000000000400000-0x0000000000459000-memory.dmp

memory/916-18-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-31 17:23

Reported

2024-08-31 17:25

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gbevfaax\ImagePath = "C:\\Windows\\SysWOW64\\gbevfaax\\creamleq.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gbevfaax\creamleq.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2216 set thread context of 2044 | N/A | C:\Windows\SysWOW64\gbevfaax\creamleq.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gbevfaax\creamleq.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2712 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\sc.exe
PID 2712 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\netsh.exe
PID 2712 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\netsh.exe
PID 2712 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe | C:\Windows\SysWOW64\netsh.exe
PID 2216 wrote to memory of 2044 | N/A | C:\Windows\SysWOW64\gbevfaax\creamleq.exe | C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2044 | N/A | C:\Windows\SysWOW64\gbevfaax\creamleq.exe | C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2044 | N/A | C:\Windows\SysWOW64\gbevfaax\creamleq.exe | C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2044 | N/A | C:\Windows\SysWOW64\gbevfaax\creamleq.exe | C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2044 | N/A | C:\Windows\SysWOW64\gbevfaax\creamleq.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gbevfaax\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\creamleq.exe" C:\Windows\SysWOW64\gbevfaax\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create gbevfaax binPath= "C:\Windows\SysWOW64\gbevfaax\creamleq.exe /d\"C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description gbevfaax "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start gbevfaax

C:\Windows\SysWOW64\gbevfaax\creamleq.exe

C:\Windows\SysWOW64\gbevfaax\creamleq.exe /d"C:\Users\Admin\AppData\Local\Temp\cd40e2ae400d9246093680878435e4c0_JaffaCakes118.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2712 -ip 2712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1032

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2216 -ip 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 532

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.231.239.246:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.11.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 246.239.231.20.in-addr.arpa udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 67.195.204.79:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 172.217.218.27:25 smtp.google.com tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 217.69.139.150:25 mxs.mail.ru tcp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp

Files

memory/2712-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/2712-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

memory/2712-3-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\creamleq.exe

MD5 fb6f8f7a0b5be9f61727bb6a02bb3bb0
SHA1 900bb0daed8c2a587662410771b05c5ade4490d4
SHA256 f83a77ea067598bb36717175c73de4956d7e83ea411338c50580b69c61a11a84
SHA512 2f8d7576be1beb7f7557feb781c4b9bbce653715d6df91a387baa02a8f8521e871aa5bbf0288007c8959e6b2abea999295d3ff564ca1b704910762e478518194

memory/2712-10-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2712-9-0x00000000001C0000-0x00000000001D3000-memory.dmp

memory/2712-8-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2216-12-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2216-11-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2216-13-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2044-14-0x0000000000340000-0x0000000000355000-memory.dmp

memory/2044-16-0x0000000000340000-0x0000000000355000-memory.dmp

memory/2044-17-0x0000000000340000-0x0000000000355000-memory.dmp

memory/2216-19-0x0000000000400000-0x0000000000459000-memory.dmp