Overview

overview

10

Static

static

3

f46546906c...18.exe

windows7-x64

10

f46546906c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-04-2024 21:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f46546906c3dcd4743698822d7caa78b_JaffaCakes118.exe

  • Size

    12.4MB

  • MD5

    f46546906c3dcd4743698822d7caa78b

  • SHA1

    db1a2370650583b6a8e4db11e7c9392ec57c1fd9

  • SHA256

    229ed2d5a7975a4e8ed4d256b164708b0ba3f9051384c73e6a0061d810ddbb45

  • SHA512

    73c1dd0a4496411a9b0696a9afcbbd266ef3cc84f4b8e601b40d75e2321fd6158ea3e5950af3a6ff98c81ba021139364d3e12ba3076d6b1654052322c8edc079

  • SSDEEP

    12288:ABgw6aInPRfmCzFT+PUvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv:pw6tHRT+P

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f46546906c3dcd4743698822d7caa78b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f46546906c3dcd4743698822d7caa78b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wgmniger\
      2⤵
        PID:1436
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ogpxuhtn.exe" C:\Windows\SysWOW64\wgmniger\
        2⤵
          PID:4848
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create wgmniger binPath= "C:\Windows\SysWOW64\wgmniger\ogpxuhtn.exe /d\"C:\Users\Admin\AppData\Local\Temp\f46546906c3dcd4743698822d7caa78b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2528
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description wgmniger "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4288
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start wgmniger
          2⤵
          • Launches sc.exe
          PID:5000
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1044
          2⤵
          • Program crash
          PID:3324
      • C:\Windows\SysWOW64\wgmniger\ogpxuhtn.exe
        C:\Windows\SysWOW64\wgmniger\ogpxuhtn.exe /d"C:\Users\Admin\AppData\Local\Temp\f46546906c3dcd4743698822d7caa78b_JaffaCakes118.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:1240
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 508
          2⤵
          • Program crash
          PID:3440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2420 -ip 2420
        1⤵
          PID:5036
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4968 -ip 4968
          1⤵
            PID:5100

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ogpxuhtn.exe
            Filesize

            12.8MB

            MD5

            de0223df0a4a7aa203668be2b094eecb

            SHA1

            dd1a6099d713c558ed0b07be9c3156a72f117fc1

            SHA256

            a2a14f10bb27fc09773efe3c17ebb0d9e9b36a7fdab02edd7f36c1a5dfda46d7

            SHA512

            0bc47484579d41443b4d5bee13bfa878e3bf5ce950ee0f1b3d57acb38ade030462bdc7c357092fe782f540a33933e7e3ff60b82082915a618a360af1cb9a9c9d

            Download Submit
          • memory/1240-15-0x0000000000440000-0x0000000000455000-memory.dmp
            Filesize

            84KB

            Download
          • memory/1240-12-0x0000000000440000-0x0000000000455000-memory.dmp
            Filesize

            84KB

            Download
          • memory/1240-17-0x0000000000440000-0x0000000000455000-memory.dmp
            Filesize

            84KB

            Download
          • memory/1240-18-0x0000000000440000-0x0000000000455000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2420-4-0x0000000000400000-0x0000000000456000-memory.dmp
            Filesize

            344KB

            Download
          • memory/2420-2-0x00000000005F0000-0x0000000000603000-memory.dmp
            Filesize

            76KB

            Download
          • memory/2420-8-0x0000000000400000-0x0000000000456000-memory.dmp
            Filesize

            344KB

            Download
          • memory/2420-9-0x00000000005F0000-0x0000000000603000-memory.dmp
            Filesize

            76KB

            Download
          • memory/2420-1-0x0000000000700000-0x0000000000800000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/4968-10-0x0000000000470000-0x0000000000570000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/4968-11-0x0000000000400000-0x0000000000456000-memory.dmp
            Filesize

            344KB

            Download
          • memory/4968-16-0x0000000000400000-0x0000000000456000-memory.dmp
            Filesize

            344KB

            Download