Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
02-11-2024 13:48
Static task
static1
Behavioral task
behavioral1
Sample
85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe
-
Size
12.7MB
-
MD5
85c28ed504a9641d91449cc374bfdf3f
-
SHA1
32bf88471d0c2f15bb525fd71eb75c9fc484a998
-
SHA256
2f1e0eb9ed8589890be9756528e46acfc275a2bb5b797c370c6b95a9f6e8eb61
-
SHA512
3c23870ce8685421a8f82a4eed8e9309aa649a364750ecdc0bb2607584b00de0e9cefff1db9f67a8d19f7e09c2e9d32b47d0d5c7cabe758a29c3f35d8dd968ec
-
SSDEEP
6144:evk9RADRUv1CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCn:HRAD
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Tofsee family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\wmstoxjq = "0" svchost.exe -
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3016 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wmstoxjq\ImagePath = "C:\\Windows\\SysWOW64\\wmstoxjq\\nsffihxc.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 2156 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 3008 nsffihxc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3008 set thread context of 2156 3008 nsffihxc.exe 41 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2620 sc.exe 2808 sc.exe 2944 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nsffihxc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2636 wrote to memory of 2608 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 30 PID 2636 wrote to memory of 2608 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 30 PID 2636 wrote to memory of 2608 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 30 PID 2636 wrote to memory of 2608 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 30 PID 2636 wrote to memory of 2336 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 32 PID 2636 wrote to memory of 2336 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 32 PID 2636 wrote to memory of 2336 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 32 PID 2636 wrote to memory of 2336 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 32 PID 2636 wrote to memory of 2620 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 34 PID 2636 wrote to memory of 2620 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 34 PID 2636 wrote to memory of 2620 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 34 PID 2636 wrote to memory of 2620 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 34 PID 2636 wrote to memory of 2808 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 36 PID 2636 wrote to memory of 2808 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 36 PID 2636 wrote to memory of 2808 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 36 PID 2636 wrote to memory of 2808 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 36 PID 2636 wrote to memory of 2944 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 38 PID 2636 wrote to memory of 2944 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 38 PID 2636 wrote to memory of 2944 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 38 PID 2636 wrote to memory of 2944 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 38 PID 3008 wrote to memory of 2156 3008 nsffihxc.exe 41 PID 3008 wrote to memory of 2156 3008 nsffihxc.exe 41 PID 3008 wrote to memory of 2156 3008 nsffihxc.exe 41 PID 3008 wrote to memory of 2156 3008 nsffihxc.exe 41 PID 3008 wrote to memory of 2156 3008 nsffihxc.exe 41 PID 3008 wrote to memory of 2156 3008 nsffihxc.exe 41 PID 2636 wrote to memory of 3016 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 42 PID 2636 wrote to memory of 3016 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 42 PID 2636 wrote to memory of 3016 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 42 PID 2636 wrote to memory of 3016 2636 85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wmstoxjq\2⤵
- System Location Discovery: System Language Discovery
PID:2608
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nsffihxc.exe" C:\Windows\SysWOW64\wmstoxjq\2⤵
- System Location Discovery: System Language Discovery
PID:2336
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create wmstoxjq binPath= "C:\Windows\SysWOW64\wmstoxjq\nsffihxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2620
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description wmstoxjq "wifi internet conection"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2808
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start wmstoxjq2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2944
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3016
-
-
C:\Windows\SysWOW64\wmstoxjq\nsffihxc.exeC:\Windows\SysWOW64\wmstoxjq\nsffihxc.exe /d"C:\Users\Admin\AppData\Local\Temp\85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2156
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13.9MB
MD5d2bfd6743d40506362821f3e0758d2f2
SHA1fa7e59f80e6b5ccb6d819882dd21817384adfc7d
SHA25681b702b3f35f56e87119ac084008c241cdd935220b18e25794953d97b78e2c2c
SHA512dede2983d7149083c8523ad5c160f62f05f6fd996e81e2270364c25e0d2abab3db5993d5431245f568c1847f4bef1c61682cf167c24f0f8115e769dc9c2e03a1