Malware Analysis Report

2025-04-13 10:33

Sample ID 241230-af35js1nfm
Target JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24
SHA256 7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24
Tags
tofsee discovery evasion execution persistence privilege_escalation trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24 was found to be: Known bad.

Malicious Activity Summary

Tofsee

Tofsee family

Windows security bypass

Creates new service(s)

Sets service image path in registry

Modifies Windows Firewall

Executes dropped EXE

Deletes itself

Checks computer location settings

Suspicious use of SetThreadContext

Launches sc.exe

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-12-30 00:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 00:10

Reported

2024-12-30 00:12

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe"

Signatures

Tofsee

trojan tofsee

Tofsee family

tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hcdpxuiv = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hcdpxuiv\ImagePath = "C:\\Windows\\SysWOW64\\hcdpxuiv\\rglmgork.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2552 set thread context of 1588 N/A C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 2664 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\netsh.exe
PID 2664 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\netsh.exe
PID 2664 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\netsh.exe
PID 2664 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\netsh.exe
PID 2552 wrote to memory of 1588 N/A C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe C:\Windows\SysWOW64\svchost.exe
PID 2552 wrote to memory of 1588 N/A C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe C:\Windows\SysWOW64\svchost.exe
PID 2552 wrote to memory of 1588 N/A C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe C:\Windows\SysWOW64\svchost.exe
PID 2552 wrote to memory of 1588 N/A C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe C:\Windows\SysWOW64\svchost.exe
PID 2552 wrote to memory of 1588 N/A C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe C:\Windows\SysWOW64\svchost.exe
PID 2552 wrote to memory of 1588 N/A C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hcdpxuiv\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rglmgork.exe" C:\Windows\SysWOW64\hcdpxuiv\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create hcdpxuiv binPath= "C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description hcdpxuiv "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start hcdpxuiv

C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe

C:\Windows\SysWOW64\hcdpxuiv\rglmgork.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
NL 20.76.201.171:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.40.26:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta6.am0.yahoodns.net udp
US 98.136.96.76:25 mta6.am0.yahoodns.net tcp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 142.250.102.27:25 smtp.google.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp

Files

memory/2664-0-0x0000000000220000-0x000000000022D000-memory.dmp

memory/2664-1-0x0000000000230000-0x0000000000243000-memory.dmp

memory/2664-2-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rglmgork.exe

MD5 2a1d5014b8c0c6d6394b8dea0b1c7fdf
SHA1 b45493ee10b31fd77de70c9cefe7f8449e237f50
SHA256 1d7f72bfe02ecd88507fb0f2be2dc37b97e2b92ab62754b6e2bcc9f9833ed9ce
SHA512 310846268324481b2beaf5d45d80ee4f87fceb8d7c12433f7e0d99042e31da90ebbbfec8d26bdc3058c42a89387d8b9cec1b4c411fb442049fa245d3f0d40b2c

memory/2664-8-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2664-7-0x0000000000230000-0x0000000000243000-memory.dmp

memory/2664-6-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1588-14-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1588-12-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1588-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1588-9-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2552-15-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1588-16-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 00:10

Reported

2024-12-30 00:12

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe"

Signatures

Tofsee

trojan tofsee

Tofsee family

tofsee

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xhpulqh\ImagePath = "C:\\Windows\\SysWOW64\\xhpulqh\\sbksgygp.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1748 set thread context of 1620 N/A C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\sc.exe
PID 1240 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 1620 N/A C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe C:\Windows\SysWOW64\svchost.exe
PID 1748 wrote to memory of 1620 N/A C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe C:\Windows\SysWOW64\svchost.exe
PID 1748 wrote to memory of 1620 N/A C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe C:\Windows\SysWOW64\svchost.exe
PID 1748 wrote to memory of 1620 N/A C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe C:\Windows\SysWOW64\svchost.exe
PID 1748 wrote to memory of 1620 N/A C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xhpulqh\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sbksgygp.exe" C:\Windows\SysWOW64\xhpulqh\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create xhpulqh binPath= "C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description xhpulqh "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start xhpulqh

C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe

C:\Windows\SysWOW64\xhpulqh\sbksgygp.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce7daef52a1c8726226d122f5f8c9233125559a520122df725a9cc95c92bb24.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1240 -ip 1240

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1748 -ip 1748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 512

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.42.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 133.250.112.20.in-addr.arpa udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta5.am0.yahoodns.net udp
US 67.195.228.94:25 mta5.am0.yahoodns.net tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 196.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 142.250.27.26:25 smtp.google.com tcp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp

Files

memory/1240-0-0x0000000002190000-0x000000000219D000-memory.dmp

memory/1240-1-0x00000000021A0000-0x00000000021B3000-memory.dmp

memory/1240-2-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sbksgygp.exe

MD5 fd3e56c3a13c2e03c2de5b5b99284a6e
SHA1 17a1c410fdccbdd55e5984137c085d245cb8ce2b
SHA256 365e683a259353e5b2664903617dcdf0a98a96787018657ee76fc5d2897a3854
SHA512 8292a9c03c0c6487dcbe6c25d5d1bbc8f493905e77b7dd1ec305707a64028e67cfbaaf966f3825845c315e4553c4b93609b8c270c3268db2040702451abb85d1

memory/1748-6-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1748-7-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1748-8-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1620-9-0x0000000000E90000-0x0000000000EA5000-memory.dmp

memory/1620-12-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1240-13-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1240-16-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1748-18-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1240-15-0x00000000021A0000-0x00000000021B3000-memory.dmp

memory/1240-14-0x0000000002190000-0x000000000219D000-memory.dmp

memory/1620-19-0x0000000000E90000-0x0000000000EA5000-memory.dmp

memory/1620-20-0x0000000000E90000-0x0000000000EA5000-memory.dmp