Overview

overview

10

Static

static

3

86904bef92...18.exe

windows7-x64

3

86904bef92...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86904bef92845b067a76d08ade4cc08b_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    86904bef92845b067a76d08ade4cc08b

  • SHA1

    33ce7286d3a5f2cea3c5197e63fcbbc6effa026a

  • SHA256

    0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d

  • SHA512

    7db74feff0246d8d5564cccbd23dcc555147881c7733f79c6013f9dcfae4f5f8d2fdde28722794665c73fdf85dd5f5d0a895fb9372dcc6fe0170b51cf1b293e2

  • SSDEEP

    3072:r701YAYMLuPz7KhO0uZmmhi7hX0eZq5Y:s1FIL7j0cmE80eZ

Score
10/10
tofseediscoverypersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Tofsee family
    tofsee
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86904bef92845b067a76d08ade4cc08b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\86904bef92845b067a76d08ade4cc08b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\glkneswx.exe
      "C:\Users\Admin\glkneswx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2476
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 468
          4⤵
          • Program crash
          PID:112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2116.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2248
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2476 -ip 2476
    1⤵
      PID:2364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2116.bat
      Filesize

      266B

      MD5

      767d045597bca45318ca1cc3d672c6a7

      SHA1

      cd952a0dca79f0225e61c26f2cbe8d50a0cb5484

      SHA256

      5d864c00dfd8f3c85d3453f13f40248ec32375310c665aa645ed200fcb1c5a02

      SHA512

      63d2c560261ce00b7cab32e234f23a27446fe65bd989dbd4737c9d51924bffef5b90307f5d155995b8e3f288281799385599e966677372807b08cc4ed3b92140

      Download Submit

    • C:\Users\Admin\glkneswx.exe
      Filesize

      40.7MB

      MD5

      68fc9d9f3b7c5d8d39a117e253822161

      SHA1

      9eb3736e57476b6cc27948bdd3a5c063ad500b45

      SHA256

      45b7a4e8fe4b85ce66ce9a75fa033f2ee43922591d4138da356442d1f94b93e7

      SHA512

      d79d45e365642e7c970b2d970c7e18287d9f8307e78225b097bee00f7c03d96b32b985f3d50c2c222442674eb2d223e270c889f165185d4959fc7e2dd4cfd378

      Download Submit

    • memory/2284-21-0x00000000753B0000-0x00000000754D0000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2284-6-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2284-15-0x00000000753B0000-0x00000000754D0000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2284-19-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2284-3-0x0000000002D30000-0x0000000002D40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2284-2-0x0000000002D30000-0x0000000002D40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2476-41-0x0000000003240000-0x0000000003241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2476-29-0x0000000000F70000-0x0000000000F82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2476-38-0x0000000000F70000-0x0000000000F82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2476-34-0x0000000000F70000-0x0000000000F82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2476-43-0x0000000000F70000-0x0000000000F82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2476-42-0x0000000000F70000-0x0000000000F82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2572-23-0x00000000753B0000-0x000000007550D000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2572-30-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2572-33-0x00000000753B0000-0x000000007550D000-memory.dmp

      Filesize

      1.4MB

      Download