Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11-12-2024 03:30
General
-
Target
dfb88b02f63ed6cdab5e891ea96d0b33_JaffaCakes118.exe
-
Size
273KB
-
MD5
dfb88b02f63ed6cdab5e891ea96d0b33
-
SHA1
6fb1de517d54d48ac4e3b60256532c667be07b59
-
SHA256
69b07662024f000cf1fb480d083e4def873b45981f9c82d3230ce9a0265addc2
-
SHA512
608d8a9435c557ec4b2184104fff137b5f24180a0d61868f9ee8872fed1fde8c2741788b7761190e848764fa231d18c7fbd861f7dabd6e119513fa6401f3e922
-
SSDEEP
3072:ydC8qbyTR4lccnGEaORCLFWkA1uVi9XuP7+aCTUlW5BywfzEFFUyrhw4Xl:KgC4lcQ/luFcuc1ijHlsywfzgUyFw
Malware Config
Extracted
tofsee
91.218.38.245
188.165.132.183
rgtryhbgddtyh.biz
wertdghbyrukl.ch
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfb88b02f63ed6cdab5e891ea96d0b33_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dfb88b02f63ed6cdab5e891ea96d0b33_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\goqi.exe"C:\Users\Admin\goqi.exe"2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\2228.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
266B
MD518354811289367ad8a5086848a3ae639
SHA15bdd2f994225dd7e5044e8dfc7ef36b0ef126e73
SHA2560b7284bbb7e894c7bf0a86ab16f24625cee48d99be304aae7baa488cdc8616d4
SHA51262158cafbd626627d1d2069d10049f347d41adb2d44a58dd88c9c0d49a3d9d5c64f3610e618e36ae079fea11b1f575390719a8966660795feaff69861451f7b2
-
Filesize
273KB
MD5dfb88b02f63ed6cdab5e891ea96d0b33
SHA16fb1de517d54d48ac4e3b60256532c667be07b59
SHA25669b07662024f000cf1fb480d083e4def873b45981f9c82d3230ce9a0265addc2
SHA512608d8a9435c557ec4b2184104fff137b5f24180a0d61868f9ee8872fed1fde8c2741788b7761190e848764fa231d18c7fbd861f7dabd6e119513fa6401f3e922
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB