Overview

overview

10

Static

static

3

2b126fbd03...18.exe

windows7-x64

10

2b126fbd03...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe

  • Size

    99KB

  • MD5

    2b126fbd0352c9ec2f7833af3d0df7ca

  • SHA1

    3bf9cee470ad6cf126635570d89d9d9f30cef386

  • SHA256

    3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f

  • SHA512

    0dfb908197503bf9c1c9deeb015504d1b51d4c00857b34c3862f6c7fd9a4423acb0a068f1b63e2d6757b4c89f2d993e7913767c24d32763afd5e3c1ec43bdcc7

  • SSDEEP

    1536:6Ti28Kx4Cm792SAYqEVvsQS5QqmHN4SMwOVth8+T96R9UB4xw7585yWvNtQ:6TJaCmgSAEsNdm26OV0uofUBCw7O5N/

Score
10/10
tofseeevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\adpxrakv\
      2⤵
        PID:1248
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xzulcwdw.exe" C:\Windows\SysWOW64\adpxrakv\
        2⤵
          PID:212
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create adpxrakv binPath= "C:\Windows\SysWOW64\adpxrakv\xzulcwdw.exe /d\"C:\Users\Admin\AppData\Local\Temp\2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:388
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description adpxrakv "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4128
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start adpxrakv
          2⤵
          • Launches sc.exe
          PID:3324
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3008
      • C:\Windows\SysWOW64\adpxrakv\xzulcwdw.exe
        C:\Windows\SysWOW64\adpxrakv\xzulcwdw.exe /d"C:\Users\Admin\AppData\Local\Temp\2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:4364

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      System Services

      1
      T1569

      Service Execution

      1
      T1569.002

      Persistence

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\xzulcwdw.exe
        Filesize

        11.9MB

        MD5

        9d658d67d80404160208b5f66ba93551

        SHA1

        b62f9fc79c7637b749fd1546ceb95e7e0f65f3de

        SHA256

        82f0b4b66761a5c6d59556f2e7d3ba63f047c667574920da10866008b77bfcf7

        SHA512

        150578aae265e394562f4518aaf8f24ef37d10a58c52efc5d9288823d7235e6bf11248e3144e4e7282b3272f05cc870ec00665fd09e96400c164c4d54afd8ef6

        Download Submit
      • memory/64-13-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/64-2-0x0000000000780000-0x0000000000781000-memory.dmp
        Filesize

        4KB

        Download
      • memory/64-1-0x0000000002180000-0x0000000002181000-memory.dmp
        Filesize

        4KB

        Download
      • memory/64-0-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1416-7-0x00000000009B0000-0x00000000009B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1416-6-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1416-10-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/4364-8-0x0000000001040000-0x0000000001055000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4364-12-0x0000000001040000-0x0000000001055000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4364-14-0x0000000001040000-0x0000000001055000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4364-15-0x0000000001040000-0x0000000001055000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4364-16-0x0000000001040000-0x0000000001055000-memory.dmp
        Filesize

        84KB

        Download