Analysis
-
max time kernel
143s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03-01-2025 19:52
General
-
Target
JaffaCakes118_6f27190edb3775f165617d13e32e3e90.exe
-
Size
117KB
-
MD5
6f27190edb3775f165617d13e32e3e90
-
SHA1
66bc0f60853a9b20ee761c09ae6f5af5a480b8ec
-
SHA256
b24a82191df95eaffd79dc0e4f7eac91c48cb7e37ade114c29218aef038ee6e3
-
SHA512
9ad1671828a155b7a9af9f7796cb4b632bb9249849107ac109ff778e99e232687b2b5f41f26e8f5811783632e11bdaa1e237b22fcd824315f915128e0c9664b2
-
SSDEEP
1536:MKxS+iac/mX84H4VG6AO4kRd+3j6VPvTW1YLakyPzk0O64Y3V:MZ+iZ/mX8UaG6SF3+VnpakyPzkXu
Malware Config
Extracted
tofsee
94.242.250.149
91.218.38.245
188.165.132.183
rgtryhbgddtyh.biz
wertdghbyrukl.ch
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f27190edb3775f165617d13e32e3e90.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f27190edb3775f165617d13e32e3e90.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\ansfkxqy.exe"C:\Users\Admin\ansfkxqy.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 3564⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0634.bat" "2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1292 -ip 12921⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
266B
MD5704f84c3bc24181fa20e286125b38fc6
SHA16769cbb2b26e93c8acb4af7749f7feb3da003a0d
SHA2567e48caee06c2b897ef8375cdb98d88eabe5520ac4ccf862af54f51db647d7097
SHA51261d2551a1dc448d53b69b99c91f0b3c0e6bc636d0dfa0d5b3252b07bb9460ddc300f406450ba1a786ea88e9aa6a06111627a22c42e1d543d17058cc3e70485b9
-
Filesize
33.9MB
MD53f25cf557177ef3292ba85f5b49d2053
SHA13d59cfd7b95d20dbb0ed38e366a1f8d9db9beb6d
SHA2569e64c887e21a9fac85c08548506a0342a7abce963989a4d25a10d9456a0afb36
SHA512423501b617aa901b5fb98107354e3476beb35d89000609bebb5dfb34e9e6075d56b9a47035e7269986d9f9cd06a365f646a8804ae5fcc57f45548f87d1e1f7c9
-
Filesize
72KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
204KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB