tofsee | c9257bdfd441859a65cd3d72b1f18d25f877c76d89b1402927326bf37f9f57ea

General

Target

0ba67a86a3e1555aeeaed68564e7d57b.exe
Size

12.1MB
MD5

0ba67a86a3e1555aeeaed68564e7d57b
SHA1

f1765a0967b190834da6364e6831fab65a9b730c
SHA256

c9257bdfd441859a65cd3d72b1f18d25f877c76d89b1402927326bf37f9f57ea
SHA512

9abf7f9cf07ae4a2baf8adf08449aa359b1756a8cc63cda8165926f72357a7a936e2526b46bb71a1cfe548ee8f5c48002c1eef41272f8ad6442aecd10bbfa21f

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

ygzpurjt.exe

pid process

952 ygzpurjt.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

560 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ygzpurjt.exe

description pid process target process

PID 952 set thread context of 560 952 ygzpurjt.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
952	ygzpurjt.exe

pid	process
560	svchost.exe

description	pid	process	target process
PID 952 set thread context of 560	952	ygzpurjt.exe	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

0ba67a86a3e1555aeeaed68564e7d57b.exeygzpurjt.exe

description	pid	process	target process
PID 1636 wrote to memory of 1292	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1636 wrote to memory of 1292	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1636 wrote to memory of 1292	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1636 wrote to memory of 1292	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1636 wrote to memory of 1700	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1636 wrote to memory of 1700	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1636 wrote to memory of 1700	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1636 wrote to memory of 1700	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1636 wrote to memory of 1620	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 1620	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 1620	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 1620	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 1020	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 1020	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 1020	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 1020	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 268	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 268	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 268	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1636 wrote to memory of 268	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 952 wrote to memory of 560	952	ygzpurjt.exe	svchost.exe
PID 952 wrote to memory of 560	952	ygzpurjt.exe	svchost.exe
PID 952 wrote to memory of 560	952	ygzpurjt.exe	svchost.exe
PID 952 wrote to memory of 560	952	ygzpurjt.exe	svchost.exe
PID 952 wrote to memory of 560	952	ygzpurjt.exe	svchost.exe
PID 952 wrote to memory of 560	952	ygzpurjt.exe	svchost.exe
PID 1636 wrote to memory of 524	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	netsh.exe
PID 1636 wrote to memory of 524	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	netsh.exe
PID 1636 wrote to memory of 524	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	netsh.exe
PID 1636 wrote to memory of 524	1636	0ba67a86a3e1555aeeaed68564e7d57b.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe
"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jaeuvqua\
2⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ygzpurjt.exe" C:\Windows\SysWOW64\jaeuvqua\
2⤵
PID:1700

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jaeuvqua binPath= "C:\Windows\SysWOW64\jaeuvqua\ygzpurjt.exe /d\"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1620

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jaeuvqua "wifi internet conection"
2⤵
PID:1020

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jaeuvqua
2⤵
PID:268

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:524

C:\Windows\SysWOW64\jaeuvqua\ygzpurjt.exe
C:\Windows\SysWOW64\jaeuvqua\ygzpurjt.exe /d"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ygzpurjt.exe
MD5
c4850f8b891b019aa3c590ae7c063d52

SHA1
c25ac5dc79bd5f1e9aa4f04057f8095784c1400d

SHA256
11da028625e23418e1e83eaa351e9015a7cae36ac482f6b48c6ff677a831a45f

SHA512
9bcf1e58aa02a47968cc00f89b27790d8bc9ac01f2910b70ad4a8ddf7fe7856cb020294cf28eeb1e5a9cf420c09a92d25434b1e0ceb1940884f107af66e13795

Download Submit
C:\Windows\SysWOW64\jaeuvqua\ygzpurjt.exe
MD5
c4850f8b891b019aa3c590ae7c063d52

SHA1
c25ac5dc79bd5f1e9aa4f04057f8095784c1400d

SHA256
11da028625e23418e1e83eaa351e9015a7cae36ac482f6b48c6ff677a831a45f

SHA512
9bcf1e58aa02a47968cc00f89b27790d8bc9ac01f2910b70ad4a8ddf7fe7856cb020294cf28eeb1e5a9cf420c09a92d25434b1e0ceb1940884f107af66e13795

Download Submit
memory/268-7-0x0000000000000000-mapping.dmp

Download
memory/524-12-0x0000000000000000-mapping.dmp

Download
memory/560-10-0x0000000000089A6B-mapping.dmp

Download
memory/560-9-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1020-6-0x0000000000000000-mapping.dmp

Download
memory/1292-2-0x0000000000000000-mapping.dmp

Download
memory/1620-5-0x0000000000000000-mapping.dmp

Download
memory/1700-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing