Malware Analysis Report

2025-04-13 10:31

Sample ID 241229-m95axszpbv
Target JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d
SHA256 dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d
Tags
tofsee discovery evasion execution persistence privilege_escalation trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d

Threat Level: Known bad

The file JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d was found to be: Known bad.

Malicious Activity Summary

tofsee discovery evasion execution persistence privilege_escalation trojan

Tofsee

Windows security bypass

Tofsee family

Sets service image path in registry

Creates new service(s)

Modifies Windows Firewall

Deletes itself

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Launches sc.exe

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-12-29 11:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-29 11:10
Reported 2024-12-29 11:13
Platform win7-20240903-en
Max time kernel 149s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe"

Signatures

Tofsee

trojan tofsee

Tofsee family

tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hrzhzfvx = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hrzhzfvx\ImagePath = "C:\\Windows\\SysWOW64\\hrzhzfvx\\hvobhbve.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\hrzhzfvx\hvobhbve.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2708 set thread context of 2656 N/A C:\Windows\SysWOW64\hrzhzfvx\hvobhbve.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\sc.exe N/A 3

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\hrzhzfvx\hvobhbve.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2328 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2328 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2328 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\sc.exe 4
PID 2328 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\sc.exe 4
PID 2328 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\sc.exe 4
PID 2328 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2708 wrote to memory of 2656 N/A C:\Windows\SysWOW64\hrzhzfvx\hvobhbve.exe C:\Windows\SysWOW64\svchost.exe 6

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hrzhzfvx\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hvobhbve.exe" C:\Windows\SysWOW64\hrzhzfvx\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create hrzhzfvx binPath= "C:\Windows\SysWOW64\hrzhzfvx\hvobhbve.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description hrzhzfvx "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start hrzhzfvx

C:\Windows\SysWOW64\hrzhzfvx\hvobhbve.exe

C:\Windows\SysWOW64\hrzhzfvx\hvobhbve.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 microsoft.com udp 2
US 20.231.239.246:80 microsoft.com tcp 1
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp 1
US 52.101.40.26:25 microsoft-com.mail.protection.outlook.com tcp 1
US 8.8.8.8:53 mubrikych.top udp 1
US 8.8.8.8:53 yahoo.com udp 1
US 8.8.8.8:53 mta6.am0.yahoodns.net udp 1
US 67.195.204.79:25 mta6.am0.yahoodns.net tcp 1
US 8.8.8.8:53 oxxyfix.xyz udp 1
US 8.8.8.8:53 google.com udp 1
US 8.8.8.8:53 smtp.google.com udp 1
NL 142.250.27.27:25 smtp.google.com tcp 1
US 8.8.8.8:53 mail.ru udp 1
US 8.8.8.8:53 mxs.mail.ru udp 1
RU 94.100.180.31:25 mxs.mail.ru tcp 1

Files

C:\Users\Admin\AppData\Local\Temp\hvobhbve.exe

MD5 f470f511bc63953a3b00c18309b5f328
SHA1 7f740e291cd76357b4c65ba1714d2e78cad64bb1
SHA256 8120989240a09a806551255726be6a3d3a13e4486b09c5ccbdacf09a7658bf4c
SHA512 705b0c3f5fb746d00c6107208dd23fb758b80d732e4ae93795f30fa78de041aa64eb18b19c39f3ef60de478a92aeea439adfc54d0a8ab10281f5bd9460d41e1b

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-29 11:10
Reported 2024-12-29 11:13
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe"

Signatures

Tofsee

trojan tofsee

Tofsee family

tofsee

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\miqtbjpz\ImagePath = "C:\\Windows\\SysWOW64\\miqtbjpz\\ierdlopw.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\miqtbjpz\ierdlopw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4356 set thread context of 2808 N/A C:\Windows\SysWOW64\miqtbjpz\ierdlopw.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\sc.exe N/A 3

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\miqtbjpz\ierdlopw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 460 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\cmd.exe 3
PID 460 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\cmd.exe 3
PID 460 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\sc.exe 3
PID 460 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\sc.exe 3
PID 460 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\sc.exe 3
PID 460 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe C:\Windows\SysWOW64\netsh.exe 3
PID 4356 wrote to memory of 2808 N/A C:\Windows\SysWOW64\miqtbjpz\ierdlopw.exe C:\Windows\SysWOW64\svchost.exe 5

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\miqtbjpz\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ierdlopw.exe" C:\Windows\SysWOW64\miqtbjpz\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create miqtbjpz binPath= "C:\Windows\SysWOW64\miqtbjpz\ierdlopw.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description miqtbjpz "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start miqtbjpz

C:\Windows\SysWOW64\miqtbjpz\ierdlopw.exe

C:\Windows\SysWOW64\miqtbjpz\ierdlopw.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcdc08d7a2a8a7bf9e9c13f7fc0f98cabe9cf01b9393385d99dc78d7aae7635d.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 460 -ip 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1164

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4356 -ip 4356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 512

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp 1
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp 1
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 microsoft.com udp 2
US 20.236.44.162:80 microsoft.com tcp 1
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp 1
US 52.101.42.0:25 microsoft-com.mail.protection.outlook.com tcp 1
US 8.8.8.8:53 162.44.236.20.in-addr.arpa udp 1
US 8.8.8.8:53 mubrikych.top udp 12
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp 1
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp 1
US 8.8.8.8:53 yahoo.com udp 1
US 8.8.8.8:53 mta5.am0.yahoodns.net udp 1
US 67.195.204.79:25 mta5.am0.yahoodns.net tcp 1
US 8.8.8.8:53 oxxyfix.xyz udp 9
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp 1
US 8.8.8.8:53 google.com udp 1
US 8.8.8.8:53 smtp.google.com udp 1
NL 142.250.27.27:25 smtp.google.com tcp 1
US 8.8.8.8:53 mail.ru udp 1
US 8.8.8.8:53 mxs.mail.ru udp 1
RU 217.69.139.150:25 mxs.mail.ru tcp 1
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp 1

Files

C:\Users\Admin\AppData\Local\Temp\ierdlopw.exe

MD5 a89383dc7f22cf5ddf5ed9cea340628e
SHA1 05214c4f3c5cd86114959395528d1ebdfefe4f77
SHA256 2c8432b6d81b09b025b42c0bd19c35e1cc50ad943715084b4fb2c0e8219868c5
SHA512 70d6c8061896a0927925840cbbd5b617c6f103af16b41b0ce5f513fed3a24705d3ff4f70e2c4fe62430b70ff83c55f2fa59b5841e34c2e9a79d4f5f0a0c525e9