Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-04-2024 00:52

General

  • Target

    f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe

  • Size

    10.6MB

  • MD5

    f2500e9a3134b4790760b2ef60c0144b

  • SHA1

    1c3f9aaa8988227ebad2686e977533d53e51b162

  • SHA256

    064748a64b3e6198f3f9b3821f8aa4b74ee9d687503a1e9ded2926308a86517f

  • SHA512

    ba69ce0db33d4691641f7dbdc4ae3b2a582e1a47d12d606b0ba1761bf5d442f3e772aeb7327c6ea6293144c3ccb923d86e578db6e3a96f8537584d342576173a

  • SSDEEP

    24576:AerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb7:AsW

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pnuednnm\
      2⤵
        PID:2328
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xgwklzou.exe" C:\Windows\SysWOW64\pnuednnm\
        2⤵
          PID:1152
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create pnuednnm binPath= "C:\Windows\SysWOW64\pnuednnm\xgwklzou.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2292
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description pnuednnm "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2628
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start pnuednnm
          2⤵
          • Launches sc.exe
          PID:2564
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1172
      • C:\Windows\SysWOW64\pnuednnm\xgwklzou.exe
        C:\Windows\SysWOW64\pnuednnm\xgwklzou.exe /d"C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\xgwklzou.exe

        Filesize

        14.8MB

        MD5

        7f53a36ea851fea6d57d9230c93817e2

        SHA1

        9155c8bb26ea09fefa7505195dd140200f449138

        SHA256

        1859e848a83e4c4d9a7338f56d073b1a375f429d64563ebb2aa960b371d66c3f

        SHA512

        c20fd723e959be1315eada69b9edc1053d201eafd22f885d7b6c092c3ab221aa81fcb0b823354f6a26e65dbb7d1f2b8a80e96163350a1848710229e3aede4e01

      • memory/1356-1-0x0000000000250000-0x0000000000350000-memory.dmp

        Filesize

        1024KB

      • memory/1356-2-0x00000000003C0000-0x00000000003D3000-memory.dmp

        Filesize

        76KB

      • memory/1356-3-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/1356-7-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/1356-9-0x00000000003C0000-0x00000000003D3000-memory.dmp

        Filesize

        76KB

      • memory/2676-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2676-11-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2676-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2676-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2676-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2676-22-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2992-12-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/2992-10-0x0000000000610000-0x0000000000710000-memory.dmp

        Filesize

        1024KB

      • memory/2992-16-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB