Malware Analysis Report

2025-04-13 10:30

Sample ID 241229-ratglatjaz
Target JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86
SHA256 73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86
Tags
tofsee discovery evasion execution persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86

Threat Level: Known bad

The file JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86 was found to be: Known bad.

Malicious Activity Summary

tofsee discovery evasion execution persistence privilege_escalation trojan

Tofsee

Tofsee family

Windows security bypass

Creates new service(s)

Sets service image path in registry

Modifies Windows Firewall

Deletes itself

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-29 13:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-29 13:59

Reported

2024-12-29 14:02

Platform

win7-20241010-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe"

Signatures

Tofsee

trojan tofsee

Tofsee family

tofsee

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\dbhfjzbu = "0" | C:\Windows\SysWOW64\svchost.exe | N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dbhfjzbu\ImagePath = "C:\\Windows\\SysWOW64\\dbhfjzbu\\vocogacp.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2956 set thread context of 2740 | N/A | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2904 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 2904 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\netsh.exe
PID 2904 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\netsh.exe
PID 2904 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\netsh.exe
PID 2904 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\netsh.exe
PID 2956 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2956 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2956 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2956 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2956 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2956 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dbhfjzbu\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vocogacp.exe" C:\Windows\SysWOW64\dbhfjzbu\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create dbhfjzbu binPath= "C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description dbhfjzbu "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start dbhfjzbu

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe

C:\Windows\SysWOW64\dbhfjzbu\vocogacp.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
AU 20.70.246.20:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.11.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta5.am0.yahoodns.net udp
US 67.195.204.77:25 mta5.am0.yahoodns.net tcp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 142.250.27.26:25 smtp.google.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp

Files

memory/2904-1-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2904-2-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2904-4-0x0000000000400000-0x0000000002B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vocogacp.exe

MD5 5b3fd14eff4d1a3a131db48a46d17de6
SHA1 ae66b71bbccadfe7a14efb03acc511699b126b14
SHA256 17c32f9cb84ff985141b9c518be8a0bc631484e49687682920c170159f8dbca7
SHA512 3e03314351a367b000cde57e1840b2990cca7ac8596f19a8d9816ea23dcce4fdffab4705e880fde5ba4dad2fca98cfc30c2a86a7a8e43a2580a5908e869c5a00

memory/2904-6-0x0000000000400000-0x0000000002B40000-memory.dmp

memory/2904-8-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2740-10-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2740-16-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2740-13-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2740-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2956-14-0x0000000000400000-0x0000000002B40000-memory.dmp

memory/2740-17-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-29 13:59

Reported

2024-12-29 14:02

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe"

Signatures

Tofsee

trojan tofsee

Tofsee family

tofsee

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nuelmtdk\ImagePath = "C:\\Windows\\SysWOW64\\nuelmtdk\\uniuyny.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 392 set thread context of 536 | N/A | C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1620 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\netsh.exe
PID 1620 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\netsh.exe
PID 1620 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe | C:\Windows\SysWOW64\netsh.exe
PID 392 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe | C:\Windows\SysWOW64\svchost.exe
PID 392 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe | C:\Windows\SysWOW64\svchost.exe
PID 392 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe | C:\Windows\SysWOW64\svchost.exe
PID 392 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe | C:\Windows\SysWOW64\svchost.exe
PID 392 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nuelmtdk\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uniuyny.exe" C:\Windows\SysWOW64\nuelmtdk\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create nuelmtdk binPath= "C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description nuelmtdk "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start nuelmtdk

C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe

C:\Windows\SysWOW64\nuelmtdk\uniuyny.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1620 -ip 1620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1340

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 392 -ip 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 516

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.8.49:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 133.250.112.20.in-addr.arpa udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta6.am0.yahoodns.net udp
US 67.195.228.111:25 mta6.am0.yahoodns.net tcp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 142.250.102.27:25 smtp.google.com tcp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp

Files

memory/1620-2-0x00000000048A0000-0x00000000048B3000-memory.dmp

memory/1620-1-0x0000000002D90000-0x0000000002E90000-memory.dmp

memory/1620-3-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uniuyny.exe

MD5 f4485b2859bea22ed5b5afa924871e13
SHA1 a5e07976622dda771857e252ed14cf83b2d7937f
SHA256 82012f4a6d764b5c704bb24440c748f0fe3c0db517e8777f691491b9a11486b5
SHA512 c9055953b5b021b25e344e873498f127fe6605d9d2ca4d34be2ee6e5ba9673b73e7decf7cb2239980b83b915566d61a18213de8489cb0fcff3206017fb7ee8fd

memory/1620-9-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1620-8-0x00000000048A0000-0x00000000048B3000-memory.dmp

memory/1620-7-0x0000000000400000-0x0000000002B40000-memory.dmp

memory/536-13-0x0000000000C90000-0x0000000000CA5000-memory.dmp

memory/536-11-0x0000000000C90000-0x0000000000CA5000-memory.dmp

memory/536-14-0x0000000000C90000-0x0000000000CA5000-memory.dmp

memory/392-15-0x0000000000400000-0x0000000002B40000-memory.dmp