Overview

overview

10

Static

static

3

3ca8c8d37a...1b.exe

windows7-x64

10

3ca8c8d37a...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ca8c8d37aaf196e64823ea50c99f31b.exe

  • Size

    13.0MB

  • MD5

    3ca8c8d37aaf196e64823ea50c99f31b

  • SHA1

    77e4c78731986023345c93aae45916607be812b8

  • SHA256

    b4dd0c183d3d1773fa1c7d8bea616c7f1dfb88a976d3cf830e51a603d8ae2357

  • SHA512

    1ba499d0e8f3c253f4a5f16e7770150154f71809636e7967c74cc2caf1072da459c41aae6379f8e8d0d6e65f62daada99242e561fab2c25a6fa376bcb4c64709

  • SSDEEP

    6144:IxbQq7asTdx16ifogWuQK4ZpG3XQ4L0hlDF5r:8ashxM05WewpmAljr

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe
    "C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jifjooph\
      2⤵
        PID:2548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\erndlsnx.exe" C:\Windows\SysWOW64\jifjooph\
        2⤵
          PID:3068
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jifjooph binPath= "C:\Windows\SysWOW64\jifjooph\erndlsnx.exe /d\"C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2180
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description jifjooph "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2748
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start jifjooph
          2⤵
          • Launches sc.exe
          PID:2612
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2764
      • C:\Windows\SysWOW64\jifjooph\erndlsnx.exe
        C:\Windows\SysWOW64\jifjooph\erndlsnx.exe /d"C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2732

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\erndlsnx.exe
        Filesize

        93KB

        MD5

        fe5b1ccd1e0c1f3b9be934e71bb821d6

        SHA1

        8a420935b8241efa637f10643d1ae62b742f70ed

        SHA256

        5b7a28c253c833bf87f2698361ddd113c087717556cfc57f18a637a4b1fd8a14

        SHA512

        a3bbd0056bc2043eb355673d8aa87e9e47d622612a84e34a2d916f816e12649aa5d62574c42a607e3adab3c47218c953f69a86f39294a08d8daeff3ca51a3e4e

        Download Submit

      • memory/2240-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2240-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2240-9-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2240-8-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

        Download

      • memory/2240-3-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

        Download

      • memory/2272-16-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

        Download

      • memory/2272-10-0x0000000000290000-0x0000000000390000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2272-12-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

        Download

      • memory/2732-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2732-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2732-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2732-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2732-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2732-11-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2732-22-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download