Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-04-2024 21:36

General

  • Target

    f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe

  • Size

    13.4MB

  • MD5

    f8cc259a0c835f7c01a3d4a76fbbf0e9

  • SHA1

    37bd6f7e3c970355684bbe521ade1bef750cea74

  • SHA256

    d070f43729c000ac138d6666b1ec932d5b513f94fd4eeba1f549811146a25a01

  • SHA512

    fadab6c9f3a4bba02ce0ea4a967aba52ed04ce0096796bce8d2cf66ff91a45767cde6ed646d672355afc74791f377fa2c02b499c6c2eb6490f7c7674396dce63

  • SSDEEP

    24576:5Uqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmH:5F15

Malware Config

Extracted

  • Family
    tofsee
  • C2
    defeatwax.ru
    refabyd.info

Signatures

  • Tofsee
    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  • Windows security bypass (2 TTPs, 1 IoC)
  • Creates new service(s) (1 TTP)
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Launches sc.exe (3 IoCs)
    Sc.exe is a Windows utility to control services on the system.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe"
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zsrxnaip\
      PID:1240
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\veqwgbxn.exe" C:\Windows\SysWOW64\zsrxnaip\
      PID:1968
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create zsrxnaip binPath= "C:\Windows\SysWOW64\zsrxnaip\veqwgbxn.exe /d\"C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      • Launches sc.exe
      PID:2520
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description zsrxnaip "wifi internet conection"
      • Launches sc.exe
      PID:2676
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start zsrxnaip
      • Launches sc.exe
      PID:2568
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      • Modifies Windows Firewall
      PID:2544
  • C:\Windows\SysWOW64\zsrxnaip\veqwgbxn.exe
    C:\Windows\SysWOW64\zsrxnaip\veqwgbxn.exe /d"C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      • Windows security bypass
      • Sets service image path in registry
      • Deletes itself
      PID:2584
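
The `sc create` and `netsh advfirewall` lines in the tree above are the persistence and firewall-bypass steps a detection engineer would want to pick out of telemetry. The Python below is an added example for this report, not the sandbox vendor's code: it splits those command lines with the same quoting rules CommandLineToArgvW applies (which is how the `\"` inside the `binPath=` value turns into the literal quotes seen in the dropped binary's own command line), parses `sc create`'s `key= value` options and netsh's `key=value` pairs, and flags the traits visible here: a service image in a subfolder of SysWOW64, `start= auto`, a `%TEMP%` path handed to the service binary as its `/d` argument, an inbound allow rule for the 32-bit svchost.exe under a Windows-sounding name, and the `>nul` that survived inside netsh's last argument (a redirection only cmd.exe would interpret, and the tree shows netsh was launched without cmd.exe). The sample command lines are copied from this report; `SYSTEM_DIRS` and the path patterns the checks use are this example's own assumptions.

```python
"""Triage the sc.exe / netsh.exe command lines from a sandbox process tree.

Added example for this report, not the sandbox vendor's code. SAMPLE_CMDLINES
are copied verbatim from the process list above; SYSTEM_DIRS and the path
patterns used by the checks are this example's own assumptions.
"""
import re

# Constructed from the report's process list (copied verbatim).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\sc.exe" create zsrxnaip binPath= "C:\Windows\SysWOW64\zsrxnaip\veqwgbxn.exe /d\"C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"',
    r'"C:\Windows\System32\sc.exe" start zsrxnaip',
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
]

# Assumption: legitimate service binaries live directly in these directories, not below them.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def win_argv(cmdline):
    """CommandLineToArgvW splitting: 2n backslashes before a quote -> n
    backslashes and the quote toggles quoting; 2n+1 -> n backslashes plus a
    literal quote; other backslashes are literal. (msvcrt's "" case is omitted.)"""
    args, cur, in_quote, seen, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (run // 2) + ('"' if run % 2 else ""))
                in_quote = in_quote if run % 2 else not in_quote
                j += 1
            else:
                cur.append("\\" * run)
            i, seen = j, True
        elif c == '"':
            in_quote, seen, i = not in_quote, True, i + 1
        elif c in " \t" and not in_quote:
            if seen:
                args.append("".join(cur))
            cur, seen, i = [], False, i + 1
        else:
            cur.append(c)
            seen, i = True, i + 1
    return args + ["".join(cur)] if seen else args


def parse_sc_create(argv):
    """`sc create <name> key= value ...`: sc.exe wants the space after '=',
    so a token ending in '=' takes the following token as its value."""
    if len(argv) < 3 or argv[1].lower() != "create":
        return None
    opts, i = {}, 3
    while i < len(argv):
        tok = argv[i]
        if tok.endswith("=") and i + 1 < len(argv):
            opts[tok[:-1].lower()] = argv[i + 1]
            i += 1
        elif "=" in tok:
            k, v = tok.split("=", 1)
            opts[k.lower()] = v
        i += 1
    return {"name": argv[2], "options": opts}


def parse_netsh_rule(argv):
    """key=value pairs of `netsh advfirewall firewall add rule ...`, else None."""
    if [a.lower() for a in argv[1:5]] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    return {k.lower(): v for k, v in (t.split("=", 1) for t in argv[5:] if "=" in t)}


def findings_for(cmdline):
    """Return the suspicious traits of one command line as readable strings."""
    argv = win_argv(cmdline)
    exe = argv[0].rsplit("\\", 1)[-1].lower() if argv else ""
    out = []
    if exe == "sc.exe" and (svc := parse_sc_create(argv)):
        name, opts = svc["name"], svc["options"]
        image = opts.get("binpath", "")
        image_exe = win_argv(image)[0] if image else ""
        image_dir = image_exe.lower().rsplit("\\", 1)[0] + "\\"
        if any(image_dir.startswith(d) and image_dir != d for d in SYSTEM_DIRS):
            out.append(f"service {name}: image {image_exe} sits in a subfolder of the system directory")
        if opts.get("start", "").lower() == "auto":
            out.append(f"service {name}: start= auto, survives reboot")
        if re.search(r"\\appdata\\local\\temp\\", image, re.I):
            out.append(f"service {name}: image arguments reference a %TEMP% path")
    elif exe == "netsh.exe" and (rule := parse_netsh_rule(argv)):
        if rule.get("dir", "").lower() == "in" and rule.get("action", "").lower() == "allow":
            prog = rule.get("program", "")
            if prog.lower().endswith("\\svchost.exe"):
                out.append(f"firewall: inbound allow for {prog} named '{rule.get('name')}'")
            if rule.get("enable", "").lower() not in ("yes", "no"):
                out.append(f"firewall: enable={rule.get('enable')!r} carries shell text meant for cmd.exe")
    return out


def triage(cmdlines):
    """Flatten findings_for over every command line of a process tree."""
    return [f for line in cmdlines for f in findings_for(line)]
```

Running `triage(SAMPLE_CMDLINES)` yields five findings: three for the `sc create` line and two for the netsh rule, while the plain `sc start` line produces none. The tokenizer is the part worth reusing: splitting on whitespace or with a POSIX shell lexer would mangle the nested `\"` quoting and miss that the `/d` argument is the path of the original sample.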

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\veqwgbxn.exe
    Filesize 10.0MB
    MD5 be90322f34ea4117afe828b2bc65de3e
    SHA1 f6f0310419ba7ba88d14783df434a25ba436e5d4
    SHA256 ea00bb468b500c73746846b22935d2d394d44f3bf313917255f04b61e0c83a1f
    SHA512 66a4f0c69c29fdd73b66c32435f5be702d0568568effad86d6245c18d8d37f88c5190586eb4f40edeefac1501c7a7c7880ce497b512bf7e33f96641c73cff9e2
  • memory/2584-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize 4KB
  • memory/2584-10-0x0000000000090000-0x00000000000A5000-memory.dmp
    Filesize 84KB
  • memory/2584-13-0x0000000000090000-0x00000000000A5000-memory.dmp
    Filesize 84KB
  • memory/2584-20-0x0000000000090000-0x00000000000A5000-memory.dmp
    Filesize 84KB
  • memory/2584-21-0x0000000000090000-0x00000000000A5000-memory.dmp
    Filesize 84KB
  • memory/2584-22-0x0000000000090000-0x00000000000A5000-memory.dmp
    Filesize 84KB
  • memory/2740-15-0x00000000008D0000-0x00000000009D0000-memory.dmp
    Filesize 1024KB
  • memory/2740-16-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize 416KB
  • memory/2788-3-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize 416KB
  • memory/2788-2-0x00000000001B0000-0x00000000001C3000-memory.dmp
    Filesize 76KB
  • memory/2788-6-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize 416KB
  • memory/2788-9-0x00000000001B0000-0x00000000001C3000-memory.dmp
    Filesize 76KB
  • memory/2788-1-0x00000000002F0000-0x00000000003F0000-memory.dmp
    Filesize 1024KB