Analysis

  • max time kernel
    146s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-04-2024 00:52

General

  • Target

    f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe

  • Size

    10.6MB

  • MD5

    f2500e9a3134b4790760b2ef60c0144b

  • SHA1

    1c3f9aaa8988227ebad2686e977533d53e51b162

  • SHA256

    064748a64b3e6198f3f9b3821f8aa4b74ee9d687503a1e9ded2926308a86517f

  • SHA512

    ba69ce0db33d4691641f7dbdc4ae3b2a582e1a47d12d606b0ba1761bf5d442f3e772aeb7327c6ea6293144c3ccb923d86e578db6e3a96f8537584d342576173a

  • SSDEEP

    24576:AerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb7:AsW

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bunksdbo\
      2⤵
        PID:3164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yqzherdx.exe" C:\Windows\SysWOW64\bunksdbo\
        2⤵
          PID:736
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create bunksdbo binPath= "C:\Windows\SysWOW64\bunksdbo\yqzherdx.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3388
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description bunksdbo "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2320
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start bunksdbo
          2⤵
          • Launches sc.exe
          PID:3608
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2280
      • C:\Windows\SysWOW64\bunksdbo\yqzherdx.exe
        C:\Windows\SysWOW64\bunksdbo\yqzherdx.exe /d"C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          PID:5068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\yqzherdx.exe

        Filesize

        10.8MB

        MD5

        1c9e17089fc5153538255a5a42877db3

        SHA1

        a551b4a07a44ff766d584f77b448d3d705f06d77

        SHA256

        67aa33017e5798bc67b434b573ef8b04f1fad4671fea6303fde4381c9e457695

        SHA512

        a125eefe402cc246f310bdc8e2e846f66e07d27a0e02463af302e82db09977484be1e133629adbfb976258108c2b43f9e2a332eee23c78901d1f091efe1f3010

      • memory/868-15-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/868-2-0x0000000002070000-0x0000000002083000-memory.dmp

        Filesize

        76KB

      • memory/868-23-0x00000000005B0000-0x00000000006B0000-memory.dmp

        Filesize

        1024KB

      • memory/868-4-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/868-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

        Filesize

        1024KB

      • memory/3880-18-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/3880-8-0x00000000004D0000-0x00000000005D0000-memory.dmp

        Filesize

        1024KB

      • memory/3880-9-0x00000000005F0000-0x0000000000603000-memory.dmp

        Filesize

        76KB

      • memory/3880-11-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/5068-14-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

        Filesize

        84KB

      • memory/5068-17-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

        Filesize

        84KB

      • memory/5068-16-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

        Filesize

        84KB

      • memory/5068-10-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

        Filesize

        84KB

      • memory/5068-25-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

        Filesize

        84KB