Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2024, 14:34
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe
Size: 238KB
MD5: 7ac48fea930450a7921154d8fce9af73
SHA1: 7d5d237614902b12e9284a268cfec555ddce2c91
SHA256: 71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020
SHA512: 2aeba3519f28465b0b771e60f8dd786d37fb556810d92f0a15f38990aa597d24d7b93a0ad87e6cb700a84f2d587e369f94d016b788d570ee689ffce2ae4bca50
SSDEEP: 6144:9X2ED6j2XfHNWY2CAhgfzoup0x17ITsq7igavwVf:9X246iXQzbGfcupk79
Malware Config
Extracted family: tofsee
Extracted domains: quadoil.ru, lakeflex.ru
Signatures
- Tofsee family
- Creates new service(s) (2 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  netsh.exe (PID 5108)
- Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\khudiew\ImagePath = "C:\\Windows\\SysWOW64\\khudiew\\apuvpxat.exe" by svchost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation by JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe
- Deletes itself (1 IoC)
  svchost.exe (PID 4084)
- Executes dropped EXE (1 IoC)
  apuvpxat.exe (PID 2632)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2632 (apuvpxat.exe) set the thread context of PID 4084 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  sc.exe PIDs 816, 3700, 2428
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key queried, key value enumerated and key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh by netsh.exe
  Note that only reads of the NetSh key are recorded; netsh.exe reads it on every start to load its helper DLLs, and no value is written here, so this is the firewall-rule invocation's normal startup rather than a helper DLL being registered.
- Program crash (2 IoCs)
  WerFault.exe PID 3648 for crashed PID 3028 (the sample); WerFault.exe PID 1632 for crashed PID 2632 (apuvpxat.exe)
- System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by netsh.exe, cmd.exe (x2), sc.exe (x3), apuvpxat.exe, svchost.exe and JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 3028 (JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe) wrote to the memory of PID 2420 (cmd.exe) x3, PID 1084 (cmd.exe) x3, PID 816 (sc.exe) x3, PID 3700 (sc.exe) x3, PID 2428 (sc.exe) x3 and PID 5108 (netsh.exe) x3
  PID 2632 (apuvpxat.exe) wrote to the memory of PID 4084 (svchost.exe) x5
Processes
Note: the sample and its children are 32-bit, so the System32 paths in the command lines are redirected by WoW64 to C:\Windows\SysWOW64, which is why the image paths below differ from the command lines. apuvpxat.exe (PID 2632) appears as a root of its own tree because it is started by the Service Control Manager in response to sc start, not spawned by the sample.
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe (PID 3028)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe"
  signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2420)
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\khudiew\
    signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1084)
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\apuvpxat.exe" C:\Windows\SysWOW64\khudiew\
    signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 816)
    command line: "C:\Windows\System32\sc.exe" create khudiew binPath= "C:\Windows\SysWOW64\khudiew\apuvpxat.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 3700)
    command line: "C:\Windows\System32\sc.exe" description khudiew "wifi internet conection"
    signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID 2428)
    command line: "C:\Windows\System32\sc.exe" start khudiew
    signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\netsh.exe (PID 5108)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WerFault.exe (PID 3648)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1096
    signatures: Program crash
- C:\Windows\SysWOW64\khudiew\apuvpxat.exe (PID 2632)
  command line: C:\Windows\SysWOW64\khudiew\apuvpxat.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 4084)
    command line: svchost.exe
    signatures: Sets service image path in registry; Deletes itself; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WerFault.exe (PID 1632)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 552
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4600)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3028 -ip 3028
- C:\Windows\SysWOW64\WerFault.exe (PID 2404)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2632 -ip 2632
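The process tree above is a compact install chain: the dropper creates a directory under SysWOW64, moves its payload there, registers an auto-start service whose command line embeds the dropper's own %TEMP% path (so the service can delete it), starts the service, and then punches an inbound firewall hole for svchost.exe, the image the service payload later hollows. The hollowed svchost.exe then rewrites the service's ImagePath without the /d argument. The following is an added example, not part of the tria.ge report: a small Python hunt that replays constructed process-creation and registry-write events built from the report's command lines and flags each of those steps. Parent PID 0 for the sample, and the MyAgent / services.exe entries (PIDs 700 and 9000 to 9002) are hypothetical benign controls that should not fire.

```python
"""Hunt for the service-install chain in the process tree above.

Added example, not part of the tria.ge report. EVENTS and REG_EVENTS are
constructed from the report's command lines and registry write; parent PID 0
and the MyAgent/services.exe entries (PIDs 700, 9000-9002) are hypothetical
benign controls.
"""
import re
from collections import defaultdict

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_"
          "71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe")

# Process-creation events (pid, ppid, command line), in creation order.
EVENTS = [
    {"pid": 3028, "ppid": 0, "cmd": f'"{SAMPLE}"'},
    {"pid": 2420, "ppid": 3028,
     "cmd": '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\khudiew\\'},
    {"pid": 1084, "ppid": 3028,
     "cmd": '"C:\\Windows\\System32\\cmd.exe" /C move /Y '
            '"C:\\Users\\Admin\\AppData\\Local\\Temp\\apuvpxat.exe" C:\\Windows\\SysWOW64\\khudiew\\'},
    {"pid": 816, "ppid": 3028,
     "cmd": '"C:\\Windows\\System32\\sc.exe" create khudiew binPath= '
            '"C:\\Windows\\SysWOW64\\khudiew\\apuvpxat.exe /d\\"' + SAMPLE + '\\"" '
            'type= own start= auto DisplayName= "wifi support"'},
    {"pid": 2428, "ppid": 3028, "cmd": '"C:\\Windows\\System32\\sc.exe" start khudiew'},
    {"pid": 5108, "ppid": 3028,
     "cmd": '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule '
            'name="Host-process for services of Windows" dir=in action=allow '
            'program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes'},
    # hypothetical benign control: a vendor installer registering its own service
    {"pid": 9001, "ppid": 9000,
     "cmd": '"C:\\Windows\\System32\\sc.exe" create MyAgent '
            'binPath= "C:\\Program Files\\Vendor\\agent.exe" start= auto'},
    {"pid": 9002, "ppid": 9000,
     "cmd": '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule '
            'name="Vendor agent" dir=in action=allow program="C:\\Program Files\\Vendor\\agent.exe" enable=yes'},
]

# Registry value-set events (writer image, key, data).
REG_EVENTS = [
    {"pid": 4084, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\khudiew\\ImagePath",
     "data": "C:\\Windows\\SysWOW64\\khudiew\\apuvpxat.exe"},
    {"pid": 700, "image": "C:\\Windows\\System32\\services.exe",  # hypothetical: SCM on sc create
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\MyAgent\\ImagePath",
     "data": "C:\\Program Files\\Vendor\\agent.exe"},
]

MKDIR_RE = re.compile(r'\bmkdir\s+"?(?P<dir>[^"\s]+)', re.I)
SC_CREATE_RE = re.compile(
    r'\bsc(?:\.exe)?"?\s+create\s+(?P<name>\S+).*?binpath=\s*"?(?P<bin>[^"]*?\.exe)', re.I)
NETSH_ALLOW_RE = re.compile(
    r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\baction=allow\b.*?\bprogram="?(?P<prog>[^"]+?\.exe)', re.I)
IMAGEPATH_RE = re.compile(r'\\services\\(?P<name>[^\\]+)\\imagepath$', re.I)


def norm(path):
    """Lower-case and drop a trailing separator so a mkdir target compares equal to a dirname."""
    return path.strip().lower().rstrip("\\")


def dirname(path):
    return norm(path).rsplit("\\", 1)[0]


def analyse(events):
    """Return {parent_pid: [finding, ...]}; a parent is reported only if at least one rule fires."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    findings = {}
    for ppid, children in by_parent.items():
        created, hits = set(), []
        for e in children:  # creation order, so the mkdir is seen before the sc create
            cmd = e["cmd"]
            if m := MKDIR_RE.search(cmd):
                created.add(norm(m["dir"]))
            if m := SC_CREATE_RE.search(cmd):
                if dirname(m["bin"]) in created:
                    hits.append(f"service {m['name']}: binary in a directory this parent just created")
                if "\\appdata\\local\\temp\\" in cmd.lower():
                    hits.append(f"service {m['name']}: %TEMP% path on the service command line")
            if m := NETSH_ALLOW_RE.search(cmd):
                if norm(m["prog"]).endswith("\\svchost.exe"):
                    hits.append(f"inbound firewall allow for {m['prog']} (whole service host, not one service)")
        if hits:
            findings[ppid] = hits
    return findings


def imagepath_writes_by_non_scm(reg_events):
    """ImagePath is normally written by services.exe (the SCM) when a service is created;
    a rewrite by any other image, as svchost.exe does in this report, is a hunt lead."""
    out = []
    for r in reg_events:
        m = IMAGEPATH_RE.search(r["key"])
        if m and not norm(r["image"]).endswith("\\services.exe"):
            out.append((m["name"], r["image"], r["data"]))
    return out


if __name__ == "__main__":
    for ppid, hits in analyse(EVENTS).items():
        print(f"parent PID {ppid}:", *hits, sep="\n  - ")
    for name, image, data in imagepath_writes_by_non_scm(REG_EVENTS):
        print(f"ImagePath of {name} rewritten by {image} -> {data}")
```

The three process-chain rules are deliberately keyed on relationships (a service binary inside a directory the same parent just created, a %TEMP% path on a service command line, an inbound allow for the generic service-host image) rather than on the names khudiew, apuvpxat.exe or "wifi support", which this family varies between builds. The registry rule treats writers other than services.exe as a lead, not a verdict: installers and management tooling can legitimately write ImagePath, so it is meant to be correlated with the process-chain hits.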
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize: 12.6MB
  MD5: 51ba1e2ad93535683968794465f859b6
  SHA1: dc749dc086588505cff32d8e91e95509d38bcd36
  SHA256: f3bf97b4eac9963e9f5bd4f4031abebebe404e146dd9d6c736880be9d0a7c4ed
  SHA512: 2e30573427804212cb0a822a125be96b8ea273aa728860fd0af27be4e77c53772374d36b71b712357d0c8eb585565eec4a5a7084bcc26326a0c2a5b534ef1aab