tofsee | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e

General

Target

ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
Size

13.2MB
MD5

3328e6fe99f8cfe5b8acbaab0cb50fd0
SHA1

fcd53cf0cf6b7dc3fb623908525082500cdddc17
SHA256

ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e
SHA512

2cb03e94d20b5a3d0c6c81d51ec8b00988b65b2c372b21ae561ab0df3331e2bbc9973bece7c527aad4b61c08b1f33b0954e0cce92fd9bbff74c6c98f574d15c6

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

jdfcwsch.exe

pid process

1152 jdfcwsch.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2088 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jdfcwsch.exe

description pid process target process

PID 1152 set thread context of 2088 1152 jdfcwsch.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1152	jdfcwsch.exe

pid	process
2088	svchost.exe

description	pid	process	target process
PID 1152 set thread context of 2088	1152	jdfcwsch.exe	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exejdfcwsch.exe

description	pid	process	target process
PID 624 wrote to memory of 3556	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	cmd.exe
PID 624 wrote to memory of 3556	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	cmd.exe
PID 624 wrote to memory of 3556	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	cmd.exe
PID 624 wrote to memory of 3528	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	cmd.exe
PID 624 wrote to memory of 3528	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	cmd.exe
PID 624 wrote to memory of 3528	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	cmd.exe
PID 624 wrote to memory of 4080	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 4080	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 4080	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 2888	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 2888	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 2888	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 2292	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 2292	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 2292	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	sc.exe
PID 624 wrote to memory of 3868	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	netsh.exe
PID 624 wrote to memory of 3868	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	netsh.exe
PID 624 wrote to memory of 3868	624	ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe	netsh.exe
PID 1152 wrote to memory of 2088	1152	jdfcwsch.exe	svchost.exe
PID 1152 wrote to memory of 2088	1152	jdfcwsch.exe	svchost.exe
PID 1152 wrote to memory of 2088	1152	jdfcwsch.exe	svchost.exe
PID 1152 wrote to memory of 2088	1152	jdfcwsch.exe	svchost.exe
PID 1152 wrote to memory of 2088	1152	jdfcwsch.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
"C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bjwlynow\
2⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jdfcwsch.exe" C:\Windows\SysWOW64\bjwlynow\
2⤵
PID:3528

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create bjwlynow binPath= "C:\Windows\SysWOW64\bjwlynow\jdfcwsch.exe /d\"C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:4080

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description bjwlynow "wifi internet conection"
2⤵
PID:2888

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bjwlynow
2⤵
PID:2292

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:3868

C:\Windows\SysWOW64\bjwlynow\jdfcwsch.exe
C:\Windows\SysWOW64\bjwlynow\jdfcwsch.exe /d"C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:2088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jdfcwsch.exe
MD5
66b820748b4083dc42e18c7d7aa29d3f

SHA1
ff4da078ec1da1e2012a8a488d5a56ff826c563f

SHA256
f1e6d8b6f70df431c5c656e455b537ab09c90e06286a06cdcfc6453abd200af4

SHA512
b72a0d05e3856badeaefcab96a534e4ab5d4949a189f4cae8604d1826f33fab8dda6109a4864fa165f9315f22933169c854c95081c2ba8c58d6b2bde5c653a20

Download Submit
C:\Windows\SysWOW64\bjwlynow\jdfcwsch.exe
MD5
66b820748b4083dc42e18c7d7aa29d3f

SHA1
ff4da078ec1da1e2012a8a488d5a56ff826c563f

SHA256
f1e6d8b6f70df431c5c656e455b537ab09c90e06286a06cdcfc6453abd200af4

SHA512
b72a0d05e3856badeaefcab96a534e4ab5d4949a189f4cae8604d1826f33fab8dda6109a4864fa165f9315f22933169c854c95081c2ba8c58d6b2bde5c653a20

Download Submit
memory/624-115-0x0000000000430000-0x00000000004DE000-memory.dmp

Filesize
696KB

Download
memory/624-116-0x0000000000430000-0x00000000004DE000-memory.dmp

Filesize
696KB

Download
memory/624-114-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1152-130-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1152-131-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1152-125-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2088-126-0x00000000023E0000-0x00000000023F5000-memory.dmp

Filesize
84KB

Download
memory/2088-127-0x00000000023E9A6B-mapping.dmp

Download
memory/2292-122-0x0000000000000000-mapping.dmp

Download
memory/2888-121-0x0000000000000000-mapping.dmp

Download
memory/3528-118-0x0000000000000000-mapping.dmp

Download
memory/3556-117-0x0000000000000000-mapping.dmp

Download
memory/3868-123-0x0000000000000000-mapping.dmp

Download
memory/4080-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing