Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-04-2024 19:22

General

  • Target

    f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe

  • Size

    13.1MB

  • MD5

    f1bcb7d5244183f7769af344a006781e

  • SHA1

    9a4fb8b9d36d1093b907bd00beb2244d13383300

  • SHA256

    a76d1b8d639dd74017ff5501f34a3cb2b59a0730b87a3663c82137a523ef23e3

  • SHA512

    8976637ed27c92e7f1a036e33885091a075727d1b56b4ecccddb9b02121d54e539888ebe7ef09dca410691fa41311fdfe73cb69a96c8134e70130e69d77b54f5

  • SSDEEP

    49152:T1yvllllllllllllllllllllllllllllllllllllllllllllllllllllllllllln:TA

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass (2 TTPs, 1 IoCs)
  • Creates new service(s) (1 TTPs)
  • Modifies Windows Firewall (2 TTPs, 1 IoCs)
  • Sets service image path in registry (2 TTPs, 1 IoCs)
  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Launches sc.exe (3 IoCs)

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qabeaorn\
      2⤵
        PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rtmxemaq.exe" C:\Windows\SysWOW64\qabeaorn\
        2⤵
          PID:2548
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qabeaorn binPath= "C:\Windows\SysWOW64\qabeaorn\rtmxemaq.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2656
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qabeaorn "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2560
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qabeaorn
          2⤵
          • Launches sc.exe
          PID:2636
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2444
      • C:\Windows\SysWOW64\qabeaorn\rtmxemaq.exe
        C:\Windows\SysWOW64\qabeaorn\rtmxemaq.exe /d"C:\Users\Admin\AppData\Local\Temp\f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2424

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\rtmxemaq.exe

        Filesize

        10.7MB

        MD5

        3ca9bb853c4cbabec75ab94511b38313

        SHA1

        b02afa667ead88fe3e99487d1805cc75a0aee6a7

        SHA256

        52974b1e49c38a24763f0f1e65e805e3f8b5d71b7c855286467ae8f077909daf

        SHA512

        03ba77db69da13fc2a113d2ed30854c5753e9b9b464af9cbb2131fadd9e56ddaa4a256df7ec240536f9bde6216c2e5877cbe0969c95f0c5e8c63fccfabf5dd77

      • memory/2424-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2424-11-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2424-21-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2424-20-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2424-19-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2424-15-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2684-13-0x0000000000400000-0x0000000000C20000-memory.dmp

        Filesize

        8.1MB

      • memory/2684-10-0x0000000000D60000-0x0000000000E60000-memory.dmp

        Filesize

        1024KB

      • memory/2684-18-0x0000000000400000-0x0000000000C20000-memory.dmp

        Filesize

        8.1MB

      • memory/2940-4-0x0000000000400000-0x0000000000C20000-memory.dmp

        Filesize

        8.1MB

      • memory/2940-1-0x0000000000DD0000-0x0000000000ED0000-memory.dmp

        Filesize

        1024KB

      • memory/2940-8-0x0000000000DD0000-0x0000000000ED0000-memory.dmp

        Filesize

        1024KB

      • memory/2940-7-0x0000000000400000-0x0000000000C20000-memory.dmp

        Filesize

        8.1MB

      • memory/2940-3-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB