Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2024, 14:34

General

  • Target

    JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe

  • Size

    238KB

  • MD5

    7ac48fea930450a7921154d8fce9af73

  • SHA1

    7d5d237614902b12e9284a268cfec555ddce2c91

  • SHA256

    71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020

  • SHA512

    2aeba3519f28465b0b771e60f8dd786d37fb556810d92f0a15f38990aa597d24d7b93a0ad87e6cb700a84f2d587e369f94d016b788d570ee689ffce2ae4bca50

  • SSDEEP

    6144:9X2ED6j2XfHNWY2CAhgfzoup0x17ITsq7igavwVf:9X246iXQzbGfcupk79

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Tofsee family
  • Creates new service(s) 2 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\khudiew\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2420
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\apuvpxat.exe" C:\Windows\SysWOW64\khudiew\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1084
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create khudiew binPath= "C:\Windows\SysWOW64\khudiew\apuvpxat.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:816
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description khudiew "wifi internet conection"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3700
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start khudiew
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2428
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:5108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1096
      2⤵
      • Program crash
      PID:3648
  • C:\Windows\SysWOW64\khudiew\apuvpxat.exe
    C:\Windows\SysWOW64\khudiew\apuvpxat.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71aac11a291af42dfe2de42ae6523b9c1c8a08d1335d4e41ff37a8c2a3f5a020.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:4084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 552
      2⤵
      • Program crash
      PID:1632
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3028 -ip 3028
    1⤵
      PID:4600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2632 -ip 2632
      1⤵
        PID:2404

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\apuvpxat.exe

        Filesize

        12.6MB

        MD5

        51ba1e2ad93535683968794465f859b6

        SHA1

        dc749dc086588505cff32d8e91e95509d38bcd36

        SHA256

        f3bf97b4eac9963e9f5bd4f4031abebebe404e146dd9d6c736880be9d0a7c4ed

        SHA512

        2e30573427804212cb0a822a125be96b8ea273aa728860fd0af27be4e77c53772374d36b71b712357d0c8eb585565eec4a5a7084bcc26326a0c2a5b534ef1aab

      • memory/2632-11-0x0000000000400000-0x0000000000445000-memory.dmp

        Filesize

        276KB

      • memory/2632-10-0x0000000000400000-0x0000000000445000-memory.dmp

        Filesize

        276KB

      • memory/2632-17-0x0000000000400000-0x0000000000445000-memory.dmp

        Filesize

        276KB

      • memory/3028-2-0x0000000000400000-0x0000000000415000-memory.dmp

        Filesize

        84KB

      • memory/3028-1-0x00000000021A0000-0x00000000021B3000-memory.dmp

        Filesize

        76KB

      • memory/3028-9-0x0000000000400000-0x0000000000415000-memory.dmp

        Filesize

        84KB

      • memory/3028-8-0x00000000021A0000-0x00000000021B3000-memory.dmp

        Filesize

        76KB

      • memory/3028-7-0x0000000002190000-0x000000000219D000-memory.dmp

        Filesize

        52KB

      • memory/3028-6-0x0000000000400000-0x0000000000445000-memory.dmp

        Filesize

        276KB

      • memory/3028-0-0x0000000002190000-0x000000000219D000-memory.dmp

        Filesize

        52KB

      • memory/4084-12-0x0000000000500000-0x0000000000515000-memory.dmp

        Filesize

        84KB

      • memory/4084-14-0x0000000000500000-0x0000000000515000-memory.dmp

        Filesize

        84KB

      • memory/4084-15-0x0000000000500000-0x0000000000515000-memory.dmp

        Filesize

        84KB