Analysis

  • max time kernel
    143s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-10-2024 02:29

General

  • Target

    71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe

  • Size

    144KB

  • MD5

    71efd5f8d2ad4c891d4d52f2cce17561

  • SHA1

    f34013094d0de6756de5c4979181e1a468836454

  • SHA256

    62c10c55dac6618eff4716e89de4bae41c429102fae8cae2f0ffc86a05ad82e2

  • SHA512

    0f8bab954b18c6e57a3bd0b1b685a5c4d4b194ab30c4b0e8a192cf57d9343c33e7b3f2ed9cb8a815f931b702c528d01ac58f30b8bfa3921854b285cd899bd7b0

  • SSDEEP

    3072:XNfr+k4XY4h+PhzjzrOdt9lES2jbxWGqe:XNf14D+PhznrOdmSbGqe

Malware Config

Extracted

Family

tofsee

C2

91.218.39.211

188.130.237.44

91.204.162.103

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\ivansfyg.exe
      "C:\Users\Admin\ivansfyg.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1920
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\4185.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4185.bat

    Filesize

    266B

    MD5

    9eea7abfb4d49faa6f8a741045e6ce12

    SHA1

    82300c781f27ed47fb876837e85d06aed51573ec

    SHA256

    e48bf0d52c54ac76446b6a2ba61381d831fe120d33df23635ee6d8ff5c1c3687

    SHA512

    82e6a16ec9550b8f63c60ed49e18a96110a42eca1eaece84b46d1a3f8064468be5b91de3464f6470612ae17f7d0f4933d0a61a49e96b9b4276f0bb11990636e9

  • \Users\Admin\ivansfyg.exe

    Filesize

    46.9MB

    MD5

    737f1b6c27f43893341d0015acadd199

    SHA1

    a0ffa614d0f809050c227eaafbf79749b9a79c78

    SHA256

    f89ace85448b4864d1071ec92a3e3a11f42cb23858a9a1a4914b492d0ee804e7

    SHA512

    f94fa8ff4dc2210b0a39977eb72405484b340bb55339a0b168d81516bfbc3b6265ac28f5d04c8453666e9fb620ba001b10aa5fa9285a8a8934b6c313ab2c8756

  • memory/1920-16-0x00000000000C0000-0x00000000000D2000-memory.dmp

    Filesize

    72KB

  • memory/1920-20-0x00000000000C0000-0x00000000000D2000-memory.dmp

    Filesize

    72KB

  • memory/1920-13-0x00000000000C0000-0x00000000000D2000-memory.dmp

    Filesize

    72KB

  • memory/1920-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1920-38-0x00000000000C0000-0x00000000000D2000-memory.dmp

    Filesize

    72KB

  • memory/1920-34-0x00000000000C0000-0x00000000000D2000-memory.dmp

    Filesize

    72KB

  • memory/1920-21-0x00000000000C0000-0x00000000000D2000-memory.dmp

    Filesize

    72KB

  • memory/1920-32-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

  • memory/1928-1-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1928-0-0x0000000000240000-0x0000000000252000-memory.dmp

    Filesize

    72KB

  • memory/1928-36-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1928-35-0x0000000000240000-0x0000000000252000-memory.dmp

    Filesize

    72KB

  • memory/2272-12-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2272-17-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2272-11-0x00000000003D0000-0x00000000003E2000-memory.dmp

    Filesize

    72KB