Overview

overview

10

Static

static

3

f7baffc6d2...18.exe

windows7-x64

10

f7baffc6d2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe

  • Size

    11.3MB

  • MD5

    f7baffc6d2cfb545920c4a09c852b138

  • SHA1

    8c8064183e636a58f6e8cc12eb3c4a60ba1a34bd

  • SHA256

    49dab872a5b2e9907b73be258b4bbba2f86677af674ed12a6a3f40b3e7543c84

  • SHA512

    85007d6de19c3f2db2ba6a26a23832fbb8ed13e8d5584792d33262557eca363b2c285e9d9e56a492f8792f81eeb2723d18c8ed9d05b1c66305229bf88aa9bac4

  • SSDEEP

    49152:fOawK7777777777777777777777777777777777777777777777777777777777f:fm

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jhswukte\
      2⤵
        PID:1052
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gfrnscmz.exe" C:\Windows\SysWOW64\jhswukte\
        2⤵
          PID:3640
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jhswukte binPath= "C:\Windows\SysWOW64\jhswukte\gfrnscmz.exe /d\"C:\Users\Admin\AppData\Local\Temp\f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3668
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description jhswukte "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2248
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start jhswukte
          2⤵
          • Launches sc.exe
          PID:2380
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1036
          2⤵
          • Program crash
          PID:3968
      • C:\Windows\SysWOW64\jhswukte\gfrnscmz.exe
        C:\Windows\SysWOW64\jhswukte\gfrnscmz.exe /d"C:\Users\Admin\AppData\Local\Temp\f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:4720
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 520
          2⤵
          • Program crash
          PID:1764
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1284 -ip 1284
        1⤵
          PID:2264
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2296 -ip 2296
          1⤵
            PID:3032

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Impair Defenses

          1
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\gfrnscmz.exe
            Filesize

            11.5MB

            MD5

            599a0d2650ebeb4f8caad2a57db1e228

            SHA1

            b2bf4aff89d049e9e5dc96601e2730223ecfb487

            SHA256

            df226cfc70af7e19b01b7bb1f2e1e5adbf543774ab8d2ec57b907094f6971dd3

            SHA512

            6f9980f2cfb2e2c1ee32847d354cc97dacd5829c97cee1a40cc1aef28401e00e9a8ad369e9134c6ddd59600d031697d5bc39b9c6add609494717189d39b25146

            Download Submit
          • memory/1284-1-0x0000000000570000-0x0000000000670000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/1284-2-0x00000000004C0000-0x00000000004D3000-memory.dmp
            Filesize

            76KB

            Download
          • memory/1284-3-0x0000000000400000-0x000000000044E000-memory.dmp
            Filesize

            312KB

            Download
          • memory/1284-7-0x0000000000400000-0x000000000044E000-memory.dmp
            Filesize

            312KB

            Download
          • memory/1284-8-0x00000000004C0000-0x00000000004D3000-memory.dmp
            Filesize

            76KB

            Download
          • memory/2296-10-0x00000000005C0000-0x00000000006C0000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/2296-11-0x0000000000400000-0x000000000044E000-memory.dmp
            Filesize

            312KB

            Download
          • memory/2296-17-0x0000000000400000-0x000000000044E000-memory.dmp
            Filesize

            312KB

            Download
          • memory/4720-12-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4720-15-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4720-16-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4720-18-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4720-19-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download