tofsee | 27e3ed0b63c7aaf1cdef8ff971fdf5c60fbf4507ef55343096f94ff6feb5f516

General

Target

0a0dd74c400e848fcf84d1217695746f.exe
Size

313KB
MD5

0a0dd74c400e848fcf84d1217695746f
SHA1

87a35d0bceabe086f8bfb0b286dd678a9c93d35a
SHA256

27e3ed0b63c7aaf1cdef8ff971fdf5c60fbf4507ef55343096f94ff6feb5f516
SHA512

4bb6df5908a505f5d2a1871f86db31ec7883bf4cecd25ad5fcf4c3f7410fbede7487b12dad1e8442b83953510aad074ba04a89f067620c07d0acc89f1973454b
SSDEEP

3072:8pXIEUbI/4pLTdJdBaLh6MbISGRiKT87mk/PGXZuZQ2y5gW5cF3PF1YWUqqT:MNU8ApLTd7BcpbIRR1sjFqpSdtS7

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

212 netsh.exe

pid	process
212	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rkfglilm\ImagePath = "C:\\Windows\\SysWOW64\\rkfglilm\\cfyjjstt.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a0dd74c400e848fcf84d1217695746f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	0a0dd74c400e848fcf84d1217695746f.exe

Executes dropped EXE 1 IoCs

Processes:

cfyjjstt.exe

pid process

208 cfyjjstt.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cfyjjstt.exe

description pid process target process

PID 208 set thread context of 992 208 cfyjjstt.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

552 sc.exe
1892 sc.exe
3544 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3800 4240 WerFault.exe 0a0dd74c400e848fcf84d1217695746f.exe
2676 208 WerFault.exe cfyjjstt.exe

pid	process
208	cfyjjstt.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 208 set thread context of 992	208	cfyjjstt.exe	svchost.exe

pid	process
552	sc.exe
1892	sc.exe
3544	sc.exe

pid	pid_target	process	target process
3800	4240	WerFault.exe	0a0dd74c400e848fcf84d1217695746f.exe
2676	208	WerFault.exe	cfyjjstt.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 4cbd173cac85460124edb47d450dd49d084297dce82e72baa4c0558a9a0b821d7149db1586cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811da86457035eda9644490bdb57b22ed925401cac4e53d428dc9740f34ffa56c1ddd824b700db8f2054991cfdb2470dd906d5d8dc4bf662fd39a460b37f9942e569beb092d60b19d491cc78cb37b26e4935401fda8e2377c88f2005469a8946c11d8834f7c38e4ae562d109da54cbc95763134fdc48d551de4ad035276a6cb2e569bb47d440dd49d642d5f88667e51dda46d34fe089f571de4ad750534e3a26b0ada81537638e09d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad74d805cd94	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

0a0dd74c400e848fcf84d1217695746f.execfyjjstt.exe

description	pid	process	target process
PID 4240 wrote to memory of 4716	4240	0a0dd74c400e848fcf84d1217695746f.exe	cmd.exe
PID 4240 wrote to memory of 4716	4240	0a0dd74c400e848fcf84d1217695746f.exe	cmd.exe
PID 4240 wrote to memory of 4716	4240	0a0dd74c400e848fcf84d1217695746f.exe	cmd.exe
PID 4240 wrote to memory of 1800	4240	0a0dd74c400e848fcf84d1217695746f.exe	cmd.exe
PID 4240 wrote to memory of 1800	4240	0a0dd74c400e848fcf84d1217695746f.exe	cmd.exe
PID 4240 wrote to memory of 1800	4240	0a0dd74c400e848fcf84d1217695746f.exe	cmd.exe
PID 4240 wrote to memory of 1892	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 1892	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 1892	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 3544	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 3544	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 3544	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 552	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 552	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 552	4240	0a0dd74c400e848fcf84d1217695746f.exe	sc.exe
PID 4240 wrote to memory of 212	4240	0a0dd74c400e848fcf84d1217695746f.exe	netsh.exe
PID 4240 wrote to memory of 212	4240	0a0dd74c400e848fcf84d1217695746f.exe	netsh.exe
PID 4240 wrote to memory of 212	4240	0a0dd74c400e848fcf84d1217695746f.exe	netsh.exe
PID 208 wrote to memory of 992	208	cfyjjstt.exe	svchost.exe
PID 208 wrote to memory of 992	208	cfyjjstt.exe	svchost.exe
PID 208 wrote to memory of 992	208	cfyjjstt.exe	svchost.exe
PID 208 wrote to memory of 992	208	cfyjjstt.exe	svchost.exe
PID 208 wrote to memory of 992	208	cfyjjstt.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe
"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rkfglilm\
2⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cfyjjstt.exe" C:\Windows\SysWOW64\rkfglilm\
2⤵
PID:1800

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create rkfglilm binPath= "C:\Windows\SysWOW64\rkfglilm\cfyjjstt.exe /d\"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1892

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description rkfglilm "wifi internet conection"
2⤵
- Launches sc.exe
PID:3544

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start rkfglilm
2⤵
- Launches sc.exe
PID:552

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1040
2⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\rkfglilm\cfyjjstt.exe
C:\Windows\SysWOW64\rkfglilm\cfyjjstt.exe /d"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 516
2⤵
- Program crash
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4240 -ip 4240
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 208 -ip 208
1⤵
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cfyjjstt.exe
Filesize
13.9MB

MD5
866da9719f0a5abbd82964de768713b8

SHA1
7d4ab2b4d5be34b529d8b23dfbb759c689d99ce6

SHA256
7b5b27a5fbef8fc8c265816ae7913b1477550b71ffdb2a3715874ac7799ae66b

SHA512
ff367c1d0bfa44233d4408f30ff49d80b0099b80ef791a805601709edc3ce8ed1812e951b6811c0276187fc938f7016fa5b01cc296242b2b5ed8effc90447b1a

Download Submit
C:\Windows\SysWOW64\rkfglilm\cfyjjstt.exe
Filesize
13.9MB

MD5
866da9719f0a5abbd82964de768713b8

SHA1
7d4ab2b4d5be34b529d8b23dfbb759c689d99ce6

SHA256
7b5b27a5fbef8fc8c265816ae7913b1477550b71ffdb2a3715874ac7799ae66b

SHA512
ff367c1d0bfa44233d4408f30ff49d80b0099b80ef791a805601709edc3ce8ed1812e951b6811c0276187fc938f7016fa5b01cc296242b2b5ed8effc90447b1a

Download Submit
memory/208-144-0x0000000000400000-0x00000000006E9000-memory.dmp

Filesize
2.9MB

Download
memory/992-140-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/992-143-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/992-145-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/992-146-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/992-147-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/4240-134-0x00000000008A0000-0x00000000008B3000-memory.dmp

Filesize
76KB

Download
memory/4240-139-0x0000000000400000-0x00000000006E9000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads