Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-04-2024 17:55

General

  • Target

    f1a4db415a4dd63a80f0b8cc7a2d2362_JaffaCakes118.exe

  • Size

    11.1MB

  • MD5

    f1a4db415a4dd63a80f0b8cc7a2d2362

  • SHA1

    d1287fa03a80d1626605431cd341e9d5049afba5

  • SHA256

    87140618703529cf84c6e119ecde2b6faeabba17cd73a817ee17856b2692bb70

  • SHA512

    15a8b53f82a86fabc1a84f52b4b2fe5e59bac869d18996465b355932f7c286250790e54dada414afef270b9c31d5bd9cbfe2fc3aa0e20badc35b3f7f658dfdf5

  • SSDEEP

    12288:WiuYCjGjdPej7mB+DCXRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFJ:RCjGDoD

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1a4db415a4dd63a80f0b8cc7a2d2362_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1a4db415a4dd63a80f0b8cc7a2d2362_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xtcdfzlq\
      2⤵
      PID:2628
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lypyqdfz.exe" C:\Windows\SysWOW64\xtcdfzlq\
      2⤵
      PID:2944
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create xtcdfzlq binPath= "C:\Windows\SysWOW64\xtcdfzlq\lypyqdfz.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1a4db415a4dd63a80f0b8cc7a2d2362_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:2608
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description xtcdfzlq "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:2476
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start xtcdfzlq
      2⤵
      • Launches sc.exe
      PID:2356
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:2600
  • C:\Windows\SysWOW64\xtcdfzlq\lypyqdfz.exe
    C:\Windows\SysWOW64\xtcdfzlq\lypyqdfz.exe /d"C:\Users\Admin\AppData\Local\Temp\f1a4db415a4dd63a80f0b8cc7a2d2362_JaffaCakes118.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lypyqdfz.exe

    Filesize

    11.2MB

    MD5

    702a8c82b7c7bb11b56695e1059ecc46

    SHA1

    d662ad72e5a93d334d057291d06d12c8fb819199

    SHA256

    6c3e68d8f3952daa0093b672b61ddb809756324127d40243fc25a9d82099b13c

    SHA512

    83378d61fdca534d9aa5a895be181f39e8a5c79c911edb18663e7dfeb4281f32f3b3c361a9d3ad00013187abf019255737323cf412982b1d3b5827f5ff3ccd76

  • memory/1664-1-0x0000000000250000-0x0000000000350000-memory.dmp

    Filesize

    1024KB

  • memory/1664-2-0x00000000003C0000-0x00000000003D3000-memory.dmp

    Filesize

    76KB

  • memory/1664-4-0x0000000000400000-0x00000000023AD000-memory.dmp

    Filesize

    31.7MB

  • memory/1664-6-0x0000000000400000-0x00000000023AD000-memory.dmp

    Filesize

    31.7MB

  • memory/1664-9-0x00000000003C0000-0x00000000003D3000-memory.dmp

    Filesize

    76KB

  • memory/2364-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2364-11-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2536-10-0x0000000002530000-0x0000000002630000-memory.dmp

    Filesize

    1024KB

  • memory/2536-14-0x0000000000400000-0x00000000023AD000-memory.dmp

    Filesize

    31.7MB

  • memory/2536-17-0x0000000002530000-0x0000000002630000-memory.dmp

    Filesize

    1024KB