Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/09/2024, 16:32

General

  • Target

    edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe

  • Size

    212KB

  • MD5

    edfdef59f92fee006518e57f2f8f01b8

  • SHA1

    3b8065cd942b517b402af0cc93f41c0dfdd5dd15

  • SHA256

    ae5169a9295d294594533c5cce04ff557eddeea30963e2eb81f5df6cdb6304cd

  • SHA512

    f3b78c90f28047c6a8ac97a25fce50a002b718b451eb5c66edf39cd4a510dd3d95f652a1839b3c41d07033e00ca6d76ec41d2b6b01532430c6d80cbfbd62ff07

  • SSDEEP

    3072:3d09mZ3vD7RpNh8xvv5z2LizudUfgF8qNO5GM5aEADQbkt/KyJh045Fmxb5k6Toc:3d09mVr7RLh8p5z2OCdULWvDTJle98c

Malware Config

Extracted

Family

tofsee

C2

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Users\Admin\duvlieg.exe
        "C:\Users\Admin\duvlieg.exe" /r
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Users\Admin\duvlieg.exe
          "C:\Users\Admin\duvlieg.exe" /r
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4680
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:404
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 212
              6⤵
              • Program crash
              PID:4928
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8232.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1400
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
    1⤵
      PID:4432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8232.bat

      Filesize

      117B

      MD5

      8e1385d471972c513b646b1afe8b9f04

      SHA1

      6777cb18728eccc0fea95f85923690acc5ba7ad7

      SHA256

      48f71c9f5df68a300d6dcffbfbf06eefc0c7cdaadddfcaf6b49c1a7bcff50749

      SHA512

      389044bf2e4762a0d1db821e66e2c77f8451c52050111df8bac7621c0c19b01778df1192c662c6cf03c6f9b8a7311b43551e7dff16997b8e6f4cf2a0060e4b1f

    • C:\Users\Admin\duvlieg.exe

      Filesize

      212KB

      MD5

      edfdef59f92fee006518e57f2f8f01b8

      SHA1

      3b8065cd942b517b402af0cc93f41c0dfdd5dd15

      SHA256

      ae5169a9295d294594533c5cce04ff557eddeea30963e2eb81f5df6cdb6304cd

      SHA512

      f3b78c90f28047c6a8ac97a25fce50a002b718b451eb5c66edf39cd4a510dd3d95f652a1839b3c41d07033e00ca6d76ec41d2b6b01532430c6d80cbfbd62ff07

    • memory/404-13-0x0000000000880000-0x0000000000890000-memory.dmp

      Filesize

      64KB

    • memory/404-18-0x0000000000880000-0x0000000000890000-memory.dmp

      Filesize

      64KB

    • memory/404-26-0x0000000000880000-0x0000000000890000-memory.dmp

      Filesize

      64KB

    • memory/404-27-0x0000000002800000-0x0000000002801000-memory.dmp

      Filesize

      4KB

    • memory/404-28-0x0000000000880000-0x0000000000890000-memory.dmp

      Filesize

      64KB

    • memory/404-29-0x0000000000880000-0x0000000000890000-memory.dmp

      Filesize

      64KB

    • memory/3112-0-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/3112-2-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/3112-23-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/4680-12-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB