Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 16:03
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe
Size: 210KB
MD5: 29405d13a965b33a9d00604f1f33f796
SHA1: 2534e39a8b8dc5a81a5f7863d0d5a2c3db342194
SHA256: 999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d
SHA512: f62e13a60316c0a28394255d7479d756150c3d3771dbfc79b69350f7a1692aab5967d029488d6d2e687e38d02dcf6abf5f0e582f7148b940504e8b36f50251bf
SSDEEP: 3072:B7o+8bY15UTpVVU7JI7eSSIZ5Rk06UCOt6Wrxpzbgqru2sxkgaBChn:GDE15UTW7cS45cU76uzbgwujiga
Malware Config
Extracted
tofsee
quadoil.ru
lakeflex.ru
Signatures
Tofsee family
Creates new service(s) 2 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
  pid | Process
  1604 | netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wqedlky\ImagePath = "C:\\Windows\\SysWOW64\\wqedlky\\qjxjbvxk.exe" | svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe
Deletes itself 1 IoCs
  pid | Process
  1968 | svchost.exe
Executes dropped EXE 1 IoCs
  pid | Process
  3212 | qjxjbvxk.exe
Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 3212 set thread context of 1968 | 3212 | qjxjbvxk.exe | 98
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  860 | sc.exe
  4844 | sc.exe
  2176 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Program crash 2 IoCs
  pid | pid_target | Process | procid_target
  1720 | 1820 | WerFault.exe | 81
  2616 | 3212 | WerFault.exe | 92
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qjxjbvxk.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe
Suspicious use of WriteProcessMemory 23 IoCs
  description | pid | Process | procid_target
  PID 1820 wrote to memory of 3664 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 82
  PID 1820 wrote to memory of 3664 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 82
  PID 1820 wrote to memory of 3664 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 82
  PID 1820 wrote to memory of 4848 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 84
  PID 1820 wrote to memory of 4848 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 84
  PID 1820 wrote to memory of 4848 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 84
  PID 1820 wrote to memory of 860 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 86
  PID 1820 wrote to memory of 860 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 86
  PID 1820 wrote to memory of 860 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 86
  PID 1820 wrote to memory of 4844 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 88
  PID 1820 wrote to memory of 4844 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 88
  PID 1820 wrote to memory of 4844 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 88
  PID 1820 wrote to memory of 2176 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 90
  PID 1820 wrote to memory of 2176 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 90
  PID 1820 wrote to memory of 2176 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 90
  PID 1820 wrote to memory of 1604 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 93
  PID 1820 wrote to memory of 1604 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 93
  PID 1820 wrote to memory of 1604 | 1820 | JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe | 93
  PID 3212 wrote to memory of 1968 | 3212 | qjxjbvxk.exe | 98
  PID 3212 wrote to memory of 1968 | 3212 | qjxjbvxk.exe | 98
  PID 3212 wrote to memory of 1968 | 3212 | qjxjbvxk.exe | 98
  PID 3212 wrote to memory of 1968 | 3212 | qjxjbvxk.exe | 98
  PID 3212 wrote to memory of 1968 | 3212 | qjxjbvxk.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1820
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wqedlky\
      - System Location Discovery: System Language Discovery
      PID: 3664
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qjxjbvxk.exe" C:\Windows\SysWOW64\wqedlky\
      - System Location Discovery: System Language Discovery
      PID: 4848
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create wqedlky binPath= "C:\Windows\SysWOW64\wqedlky\qjxjbvxk.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 860
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description wqedlky "wifi internet conection"
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 4844
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start wqedlky
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 2176
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 1604
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 656
      - Program crash
      PID: 1720
C:\Windows\SysWOW64\wqedlky\qjxjbvxk.exe
  Command line: C:\Windows\SysWOW64\wqedlky\qjxjbvxk.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_999810effa8e1b6403ed675a4fe4b8dac3fc79bf3ae7f3dbf538c7126fd62f4d.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3212
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 1968
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 512
      - Program crash
      PID: 2616
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1820 -ip 1820
  PID: 4316
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3212 -ip 3212
  PID: 2232
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 2
    Windows Service 2
  Event Triggered Execution 1
    Netsh Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 2
    Windows Service 2
  Event Triggered Execution 1
    Netsh Helper DLL 1
Defense Evasion
  Impair Defenses 1
    Disable or Modify System Firewall 1
  Modify Registry 1
Downloads
Filesize: 14.4MB
MD5: a5a9b0dee1d5605516011940e3f116de
SHA1: f6c6d435f5158c0b7d094936d3b4075b833d55c4
SHA256: 3dcf09a0375b03481bf0e1e27cfaf754f343f06d5e3591cdac1d23e813e84849
SHA512: 0f9db60bd8f3561749121c8b8ea3c6ff33e22faf8887d8cdbd69746ed51f28ebf734dc7104dcdc8047033e3ed8f769825d82e73818d12ee8012efda1a9813a7d