tofsee | 19dd9c0331cc180aa3c5d1b2c7d9b8897274b393c5f36957e10281f3965f9580

General

Target

cf08ecb08edbc52e65c8f40215d1e631.exe
Size

235KB
MD5

cf08ecb08edbc52e65c8f40215d1e631
SHA1

1de7abbfa87a31b694ee92413c83f7a22a55c2f8
SHA256

19dd9c0331cc180aa3c5d1b2c7d9b8897274b393c5f36957e10281f3965f9580
SHA512

2044e021e7d8eed05ca30205eefd65a586fb23c7eb73bd7b5848895ebc49ebe869d103e935c70564ecb0e573bc22cd0d017501934f781254b1bc40b0888327f4
SSDEEP

3072:uXj1yteXDZ65fyY4RxozmJXEoVyROKipzmmpARedR5TPx2qc:2lI6Cz1oAABfARedf0

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1292 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

elkxffnr.exeelkxffnr.exe

pid process

540 elkxffnr.exe
1092 elkxffnr.exe

pid	process
1292	netsh.exe

pid	process
540	elkxffnr.exe
1092	elkxffnr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cf08ecb08edbc52e65c8f40215d1e631.exeelkxffnr.exe

description	pid	process	target process
PID 2040 set thread context of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 540 set thread context of 1092	540	elkxffnr.exe	elkxffnr.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

748 sc.exe
320 sc.exe
1484 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
748	sc.exe
320	sc.exe
1484	sc.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cf08ecb08edbc52e65c8f40215d1e631.execf08ecb08edbc52e65c8f40215d1e631.exeelkxffnr.exe

description	pid	process	target process
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 2040 wrote to memory of 1740	2040	cf08ecb08edbc52e65c8f40215d1e631.exe	cf08ecb08edbc52e65c8f40215d1e631.exe
PID 1740 wrote to memory of 1972	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	cmd.exe
PID 1740 wrote to memory of 1972	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	cmd.exe
PID 1740 wrote to memory of 1972	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	cmd.exe
PID 1740 wrote to memory of 1972	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	cmd.exe
PID 1740 wrote to memory of 976	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	cmd.exe
PID 1740 wrote to memory of 976	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	cmd.exe
PID 1740 wrote to memory of 976	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	cmd.exe
PID 1740 wrote to memory of 976	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	cmd.exe
PID 1740 wrote to memory of 748	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 748	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 748	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 748	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 320	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 320	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 320	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 320	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 1484	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 1484	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 1484	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 1740 wrote to memory of 1484	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	sc.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 540 wrote to memory of 1092	540	elkxffnr.exe	elkxffnr.exe
PID 1740 wrote to memory of 1292	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	netsh.exe
PID 1740 wrote to memory of 1292	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	netsh.exe
PID 1740 wrote to memory of 1292	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	netsh.exe
PID 1740 wrote to memory of 1292	1740	cf08ecb08edbc52e65c8f40215d1e631.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe
"C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe
"C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sqvlaoim\
3⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\elkxffnr.exe" C:\Windows\SysWOW64\sqvlaoim\
3⤵
PID:976

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create sqvlaoim binPath= "C:\Windows\SysWOW64\sqvlaoim\elkxffnr.exe /d\"C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:748

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description sqvlaoim "wifi internet conection"
3⤵
- Launches sc.exe
PID:320

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start sqvlaoim
3⤵
- Launches sc.exe
PID:1484

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:1292

C:\Windows\SysWOW64\sqvlaoim\elkxffnr.exe
C:\Windows\SysWOW64\sqvlaoim\elkxffnr.exe /d"C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\sqvlaoim\elkxffnr.exe
C:\Windows\SysWOW64\sqvlaoim\elkxffnr.exe /d"C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe"
2⤵
- Executes dropped EXE
PID:1092

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\elkxffnr.exe
Filesize
13.0MB

MD5
69400c84b7d45b31519cf4208aaa5fe5

SHA1
44239c9c0264b5334b366f0a1bdfefb1244bbd83

SHA256
bfb2fa262b6f809712f3362a62e08353ad80bc6c86def860a54d373cb31701c3

SHA512
82a7e1f43d69d00a00bf7a27d29d621dfd2ccdb0f1b788f2064663b9d2267442a1a52b48d217fe86bba0c9c034165b022dc13cc3c7381a65e7896af1d155d1bd

Download Submit
C:\Windows\SysWOW64\sqvlaoim\elkxffnr.exe
Filesize
13.0MB

MD5
69400c84b7d45b31519cf4208aaa5fe5

SHA1
44239c9c0264b5334b366f0a1bdfefb1244bbd83

SHA256
bfb2fa262b6f809712f3362a62e08353ad80bc6c86def860a54d373cb31701c3

SHA512
82a7e1f43d69d00a00bf7a27d29d621dfd2ccdb0f1b788f2064663b9d2267442a1a52b48d217fe86bba0c9c034165b022dc13cc3c7381a65e7896af1d155d1bd

Download Submit
C:\Windows\SysWOW64\sqvlaoim\elkxffnr.exe
Filesize
13.0MB

MD5
69400c84b7d45b31519cf4208aaa5fe5

SHA1
44239c9c0264b5334b366f0a1bdfefb1244bbd83

SHA256
bfb2fa262b6f809712f3362a62e08353ad80bc6c86def860a54d373cb31701c3

SHA512
82a7e1f43d69d00a00bf7a27d29d621dfd2ccdb0f1b788f2064663b9d2267442a1a52b48d217fe86bba0c9c034165b022dc13cc3c7381a65e7896af1d155d1bd

Download Submit
memory/1092-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1092-70-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1740-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1740-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1740-59-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1740-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1740-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2040-58-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing