Overview

overview

10

Static

static

3

eb65763fbd...18.exe

windows7-x64

10

eb65763fbd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe

  • Size

    900KB

  • MD5

    eb65763fbd4c28c3afac6d08ab63c318

  • SHA1

    9297b49103ab3beff2851a441b4458a58a986fcc

  • SHA256

    2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff

  • SHA512

    3397ec9a0b04e8c43bfabe1fbf30894e4bd973a46488252e6223ad4e41c869c5bf08aa4194b5f492f90c489909819ec6ae1e8dafbeb226470416a16d557f6288

  • SSDEEP

    12288:W22iNv4sjaq8c+6Rq0mHtRAex8AIb2IRzQqX2Su9Oqql6c+NnHIbwhgT16Ovl:R1usjatrgPeyNcqXMjqlxEH+wlO

Score
10/10
toxiceyeevasionrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot1912175024:AAFyX2DSTB35kTZDCQUzmiHwTx6F5gwOlaE/sendMessage?chat_id=1854909459

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEAAE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3428
    • C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe
      "{path}"
      2⤵
        PID:2932
      • C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe
        "{path}"
        2⤵
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
          3⤵
          • Creates scheduled task(s)
          PID:4508
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF898.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF898.tmp.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\SysWOW64\tasklist.exe
            Tasklist /fi "PID eq 3424"
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1468
          • C:\Windows\SysWOW64\find.exe
            find ":"
            4⤵
              PID:856
            • C:\Windows\SysWOW64\timeout.exe
              Timeout /T 1 /Nobreak
              4⤵
              • Delays execution with timeout.exe
              PID:632
            • C:\Users\ToxicEye\rat.exe
              "rat.exe"
              4⤵
              • Looks for VirtualBox Guest Additions in registry
              • Looks for VMWare Tools registry key
              • Checks BIOS information in registry
              • Checks computer location settings
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3260
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA042.tmp"
                5⤵
                • Creates scheduled task(s)
                PID:4324
              • C:\Users\ToxicEye\rat.exe
                "{path}"
                5⤵
                • Executes dropped EXE
                PID:2220
              • C:\Users\ToxicEye\rat.exe
                "{path}"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3828
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
                  6⤵
                  • Creates scheduled task(s)
                  PID:4928

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe.log
        Filesize

        1KB

        MD5

        e08f822522c617a40840c62e4b0fb45e

        SHA1

        ae516dca4da5234be6676d3f234c19ec55725be7

        SHA256

        bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

        SHA512

        894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpEAAE.tmp
        Filesize

        1KB

        MD5

        833ff643adca72b09345825ae253c722

        SHA1

        de1c07138670bfca1909a2592649f8ba5b47666d

        SHA256

        b6ad0c3b23932de48215bc48410446af3a6076da2ab52003b5739c4a382b6908

        SHA512

        23825f2fd372190a2cbe19e6c58e41db2913d2794ec1252284fdd010993b7dd42f5dd5900711d769a1e1c0ede7757bf042997cc19ef4d8b87c9d69507f486211

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpF898.tmp.bat
        Filesize

        223B

        MD5

        9c539efb6d7712ab53af032aa206d896

        SHA1

        701787be159b5a0dff2e4507ead31bd1a86f6441

        SHA256

        4ca9d3bc74f3bc44c4574b2af5a6d4e3cc1512058ed1412ef10823744332ced3

        SHA512

        40ae6583acfb4a1ac6fb1604c828243f6b928e6097e75260b1292a352e7215e33e5eb3f47c0becef63781989cf7039accadc0780dc6212d2fa07fdddf9f173d9

        Download Submit

      • C:\Users\ToxicEye\rat.exe
        Filesize

        900KB

        MD5

        eb65763fbd4c28c3afac6d08ab63c318

        SHA1

        9297b49103ab3beff2851a441b4458a58a986fcc

        SHA256

        2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff

        SHA512

        3397ec9a0b04e8c43bfabe1fbf30894e4bd973a46488252e6223ad4e41c869c5bf08aa4194b5f492f90c489909819ec6ae1e8dafbeb226470416a16d557f6288

        Download Submit

      • memory/2472-7-0x00000000083C0000-0x000000000845C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2472-11-0x000000000AF60000-0x000000000AFCA000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2472-6-0x0000000005DA0000-0x0000000005DA8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2472-1-0x00000000750E0000-0x0000000075890000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2472-8-0x00000000750E0000-0x0000000075890000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2472-9-0x00000000059D0000-0x00000000059E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-10-0x00000000089F0000-0x0000000008AA8000-memory.dmp

        Filesize

        736KB

        Download

      • memory/2472-2-0x0000000006030000-0x00000000065D4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2472-12-0x000000000DFD0000-0x000000000E036000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2472-4-0x00000000059D0000-0x00000000059E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-5-0x0000000005A00000-0x0000000005A0A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2472-18-0x00000000750E0000-0x0000000075890000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2472-3-0x0000000005A80000-0x0000000005B12000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2472-0-0x0000000000F60000-0x0000000001046000-memory.dmp

        Filesize

        920KB

        Download

      • memory/3260-30-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3260-29-0x00000000750D0000-0x0000000075880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3260-31-0x00000000750D0000-0x0000000075880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3260-32-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3260-40-0x00000000750D0000-0x0000000075880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3424-24-0x00000000750E0000-0x0000000075890000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3424-21-0x00000000058C0000-0x00000000058D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3424-20-0x00000000750E0000-0x0000000075890000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3424-16-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3828-41-0x00000000750D0000-0x0000000075880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3828-42-0x0000000001000000-0x0000000001010000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3828-43-0x00000000750D0000-0x0000000075880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3828-44-0x0000000001000000-0x0000000001010000-memory.dmp

        Filesize

        64KB

        Download