tofsee | 245e3a7893140eb584a482391e4bf44031e0aa882b5283ddb1cee3a6bea831fb

General

Target

975b103bb2faa02e4368756b70c3ed53.exe
Size

10.1MB
MD5

975b103bb2faa02e4368756b70c3ed53
SHA1

264da78af05d33710ae7132a91371dbbb1726a03
SHA256

245e3a7893140eb584a482391e4bf44031e0aa882b5283ddb1cee3a6bea831fb
SHA512

a6bbd13ea2c8d5c86196420e65d1ae9dbeb74e9f9735ffe1f4c90f48a4f09fd6e9880fdba36ff7b968c39f5f0714ebe26dd20759885cc11af77e361cc8653fe1
SSDEEP

196608:E888888888888888888888888888888888888888888888888888888888888888:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3020	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jpkktymc\ImagePath = "C:\\Windows\\SysWOW64\\jpkktymc\\ovywxxnb.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	975b103bb2faa02e4368756b70c3ed53.exe

Deletes itself 1 IoCs

pid	Process
2216	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3172	ovywxxnb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3172 set thread context of 2216	3172	ovywxxnb.exe	112

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4448	sc.exe
4616	sc.exe
4392	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4988	4000	WerFault.exe	89
2672	3172	WerFault.exe	104

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 5008	4000	975b103bb2faa02e4368756b70c3ed53.exe	93
PID 4000 wrote to memory of 5008	4000	975b103bb2faa02e4368756b70c3ed53.exe	93
PID 4000 wrote to memory of 5008	4000	975b103bb2faa02e4368756b70c3ed53.exe	93
PID 4000 wrote to memory of 4520	4000	975b103bb2faa02e4368756b70c3ed53.exe	96
PID 4000 wrote to memory of 4520	4000	975b103bb2faa02e4368756b70c3ed53.exe	96
PID 4000 wrote to memory of 4520	4000	975b103bb2faa02e4368756b70c3ed53.exe	96
PID 4000 wrote to memory of 4392	4000	975b103bb2faa02e4368756b70c3ed53.exe	97
PID 4000 wrote to memory of 4392	4000	975b103bb2faa02e4368756b70c3ed53.exe	97
PID 4000 wrote to memory of 4392	4000	975b103bb2faa02e4368756b70c3ed53.exe	97
PID 4000 wrote to memory of 4448	4000	975b103bb2faa02e4368756b70c3ed53.exe	100
PID 4000 wrote to memory of 4448	4000	975b103bb2faa02e4368756b70c3ed53.exe	100
PID 4000 wrote to memory of 4448	4000	975b103bb2faa02e4368756b70c3ed53.exe	100
PID 4000 wrote to memory of 4616	4000	975b103bb2faa02e4368756b70c3ed53.exe	103
PID 4000 wrote to memory of 4616	4000	975b103bb2faa02e4368756b70c3ed53.exe	103
PID 4000 wrote to memory of 4616	4000	975b103bb2faa02e4368756b70c3ed53.exe	103
PID 3172 wrote to memory of 2216	3172	ovywxxnb.exe	112
PID 3172 wrote to memory of 2216	3172	ovywxxnb.exe	112
PID 3172 wrote to memory of 2216	3172	ovywxxnb.exe	112
PID 3172 wrote to memory of 2216	3172	ovywxxnb.exe	112
PID 3172 wrote to memory of 2216	3172	ovywxxnb.exe	112
PID 4000 wrote to memory of 3020	4000	975b103bb2faa02e4368756b70c3ed53.exe	111
PID 4000 wrote to memory of 3020	4000	975b103bb2faa02e4368756b70c3ed53.exe	111
PID 4000 wrote to memory of 3020	4000	975b103bb2faa02e4368756b70c3ed53.exe	111

C:\Users\Admin\AppData\Local\Temp\975b103bb2faa02e4368756b70c3ed53.exe
"C:\Users\Admin\AppData\Local\Temp\975b103bb2faa02e4368756b70c3ed53.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jpkktymc\
  2⤵
  PID:5008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ovywxxnb.exe" C:\Windows\SysWOW64\jpkktymc\
  2⤵
  PID:4520
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create jpkktymc binPath= "C:\Windows\SysWOW64\jpkktymc\ovywxxnb.exe /d\"C:\Users\Admin\AppData\Local\Temp\975b103bb2faa02e4368756b70c3ed53.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4392
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description jpkktymc "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4448
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start jpkktymc
  2⤵
  - Launches sc.exe
  PID:4616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 596
  2⤵
  - Program crash
  PID:4988
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3020

C:\Windows\SysWOW64\jpkktymc\ovywxxnb.exe
C:\Windows\SysWOW64\jpkktymc\ovywxxnb.exe /d"C:\Users\Admin\AppData\Local\Temp\975b103bb2faa02e4368756b70c3ed53.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 512
  2⤵
  - Program crash
  PID:2672
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3172 -ip 3172
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4000 -ip 4000
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ovywxxnb.exe

Filesize
1.3MB

MD5
8d2405548872f26e5085bd83f0750666

SHA1
d94539133296e6bc015100ebe0fdb1ff6e95ca09

SHA256
05a6bb26d7f75b8cff6f558cf9e882f46256a807731a8a591cc8e09c15a2d4dc

SHA512
30ccb13b50e440e2e420a0f4f59738e72bc9558241c316ca37541ea754174535a58fcc0a558749b4e12b4c3c628544349bf1a1e82ffcc1cb6cf31e6499c01f17

Download Submit
C:\Windows\SysWOW64\jpkktymc\ovywxxnb.exe

Filesize
316KB

MD5
fc52440294717ebbc704704ac7c30b3c

SHA1
93e69c2a7ab9970459071e975ef9e3c2229c192d

SHA256
512d012b751beeba2491c660bdcecf13df4593926ae01585777bde97c96af5d3

SHA512
0e90c616f8da75275aa2e6b7149465e5a06bb56d20478dd4574a2a3a25762189570c22de08c929394c27d507f6df422171753ec61a14e1b5408c10845780336e

Download Submit
memory/2216-16-0x0000000000C10000-0x0000000000C25000-memory.dmp

Filesize
84KB

Download
memory/2216-9-0x0000000000C10000-0x0000000000C25000-memory.dmp

Filesize
84KB

Download
memory/2216-18-0x0000000000C10000-0x0000000000C25000-memory.dmp

Filesize
84KB

Download
memory/2216-17-0x0000000000C10000-0x0000000000C25000-memory.dmp

Filesize
84KB

Download
memory/2216-19-0x0000000000C10000-0x0000000000C25000-memory.dmp

Filesize
84KB

Download
memory/3172-8-0x00000000023F0000-0x00000000024F0000-memory.dmp

Filesize
1024KB

Download
memory/3172-10-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/3172-14-0x0000000000400000-0x0000000002159000-memory.dmp

Filesize
29.3MB

Download
memory/3172-13-0x0000000000400000-0x0000000002159000-memory.dmp

Filesize
29.3MB

Download
memory/4000-4-0x0000000000400000-0x0000000002159000-memory.dmp

Filesize
29.3MB

Download
memory/4000-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4000-1-0x0000000002370000-0x0000000002470000-memory.dmp

Filesize
1024KB

Download
memory/4000-15-0x0000000000400000-0x0000000002159000-memory.dmp

Filesize
29.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads