Overview

overview

10

Static

static

3

0e2f6a22fb...18.exe

windows7-x64

10

0e2f6a22fb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    25-06-2024 13:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e2f6a22fb2c1ee834e3bb94a17fd98e_JaffaCakes118.exe

  • Size

    170KB

  • MD5

    0e2f6a22fb2c1ee834e3bb94a17fd98e

  • SHA1

    17963e95dc4076646a867ced2923b83b3f4d9391

  • SHA256

    e0e9b2c08708db4d612eab542b25d89fa9c96737278650b25799c72b394754af

  • SHA512

    442326bf359037f1433fb391eefdfc048ab46ed3f19109cd8d5318b0e9d43f09bed055cbf28704b92cce7c76b721b62f6bc50546ed3577235428ba8de68e26a3

  • SSDEEP

    3072:+yyL6e5KJOUM8GXLimIm+lLUntmwRYHPesOZUI5upr6rxE:+rWe8oiGUir5tm

Score
10/10
tofseepersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

64.20.54.234

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e2f6a22fb2c1ee834e3bb94a17fd98e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e2f6a22fb2c1ee834e3bb94a17fd98e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Local\Temp\0e2f6a22fb2c1ee834e3bb94a17fd98e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0e2f6a22fb2c1ee834e3bb94a17fd98e_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\ebnc.exe
        "C:\Users\Admin\ebnc.exe" /r
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\ebnc.exe
          "C:\Users\Admin\ebnc.exe" /r
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
              PID:2604
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\6421.bat" "
          3⤵
          • Deletes itself
          PID:2536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6421.bat
      Filesize

      117B

      MD5

      0f1b739d6ddd0c30b87289281bf22b9f

      SHA1

      263b16cafcf98e33fd6b280398a98a274162bf2f

      SHA256

      c0dfc6e415eb41d361a9a3f3406b8739486af27558de225f9b7ff121ae21b0bb

      SHA512

      23d168dc8a712030cbf08226198dd1952b20342835f0cb4f9f214613efb01d70185facf17aeeca40fecc7c289459fac50dd0a9fdb63b9512ba13101d8d6fe850

      Download Submit

    • \Users\Admin\ebnc.exe
      Filesize

      170KB

      MD5

      0e2f6a22fb2c1ee834e3bb94a17fd98e

      SHA1

      17963e95dc4076646a867ced2923b83b3f4d9391

      SHA256

      e0e9b2c08708db4d612eab542b25d89fa9c96737278650b25799c72b394754af

      SHA512

      442326bf359037f1433fb391eefdfc048ab46ed3f19109cd8d5318b0e9d43f09bed055cbf28704b92cce7c76b721b62f6bc50546ed3577235428ba8de68e26a3

      Download Submit

    • memory/1520-5-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-8-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-10-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-2-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-12-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-0-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-13-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-6-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-59-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2296-39-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-43-0x0000000000080000-0x0000000000090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-51-0x0000000000080000-0x0000000000090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-47-0x0000000000080000-0x0000000000090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-61-0x0000000000080000-0x0000000000090000-memory.dmp

      Filesize

      64KB

      Download