tofsee | 6080de44c1cef6654c06340ef242d9b7526563205b3c3d48ee761b2c88191e15

General

Target

764f182af0c6ddc192250baa4a4464a0.exe
Size

10.3MB
MD5

764f182af0c6ddc192250baa4a4464a0
SHA1

29168a577f423556cad9315ca0095764015182ad
SHA256

6080de44c1cef6654c06340ef242d9b7526563205b3c3d48ee761b2c88191e15
SHA512

bdd6adbb881a3a305cc0fd56e3d7bb96d1798c4ac8f72684058cff1d2e64e1ff7693a4e9c417cbbe870d96ea2d9a2e4d67ad000d7a3b2aca3c855d01c7fd4197
SSDEEP

98304:Db+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++S:D

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1184	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jncdesvw\ImagePath = "C:\\Windows\\SysWOW64\\jncdesvw\\dpkhonnb.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	764f182af0c6ddc192250baa4a4464a0.exe

Deletes itself 1 IoCs

pid	Process
1904	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4576	dpkhonnb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4576 set thread context of 1904	4576	dpkhonnb.exe	103

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2488	sc.exe
4384	sc.exe
4572	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3320	2276	764f182af0c6ddc192250baa4a4464a0.exe	89
PID 2276 wrote to memory of 3320	2276	764f182af0c6ddc192250baa4a4464a0.exe	89
PID 2276 wrote to memory of 3320	2276	764f182af0c6ddc192250baa4a4464a0.exe	89
PID 2276 wrote to memory of 5036	2276	764f182af0c6ddc192250baa4a4464a0.exe	91
PID 2276 wrote to memory of 5036	2276	764f182af0c6ddc192250baa4a4464a0.exe	91
PID 2276 wrote to memory of 5036	2276	764f182af0c6ddc192250baa4a4464a0.exe	91
PID 2276 wrote to memory of 2488	2276	764f182af0c6ddc192250baa4a4464a0.exe	93
PID 2276 wrote to memory of 2488	2276	764f182af0c6ddc192250baa4a4464a0.exe	93
PID 2276 wrote to memory of 2488	2276	764f182af0c6ddc192250baa4a4464a0.exe	93
PID 2276 wrote to memory of 4384	2276	764f182af0c6ddc192250baa4a4464a0.exe	95
PID 2276 wrote to memory of 4384	2276	764f182af0c6ddc192250baa4a4464a0.exe	95
PID 2276 wrote to memory of 4384	2276	764f182af0c6ddc192250baa4a4464a0.exe	95
PID 2276 wrote to memory of 4572	2276	764f182af0c6ddc192250baa4a4464a0.exe	97
PID 2276 wrote to memory of 4572	2276	764f182af0c6ddc192250baa4a4464a0.exe	97
PID 2276 wrote to memory of 4572	2276	764f182af0c6ddc192250baa4a4464a0.exe	97
PID 2276 wrote to memory of 1184	2276	764f182af0c6ddc192250baa4a4464a0.exe	101
PID 2276 wrote to memory of 1184	2276	764f182af0c6ddc192250baa4a4464a0.exe	101
PID 2276 wrote to memory of 1184	2276	764f182af0c6ddc192250baa4a4464a0.exe	101
PID 4576 wrote to memory of 1904	4576	dpkhonnb.exe	103
PID 4576 wrote to memory of 1904	4576	dpkhonnb.exe	103
PID 4576 wrote to memory of 1904	4576	dpkhonnb.exe	103
PID 4576 wrote to memory of 1904	4576	dpkhonnb.exe	103
PID 4576 wrote to memory of 1904	4576	dpkhonnb.exe	103

C:\Users\Admin\AppData\Local\Temp\764f182af0c6ddc192250baa4a4464a0.exe
"C:\Users\Admin\AppData\Local\Temp\764f182af0c6ddc192250baa4a4464a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jncdesvw\
  2⤵
  PID:3320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dpkhonnb.exe" C:\Windows\SysWOW64\jncdesvw\
  2⤵
  PID:5036
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create jncdesvw binPath= "C:\Windows\SysWOW64\jncdesvw\dpkhonnb.exe /d\"C:\Users\Admin\AppData\Local\Temp\764f182af0c6ddc192250baa4a4464a0.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2488
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description jncdesvw "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4384
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start jncdesvw
  2⤵
  - Launches sc.exe
  PID:4572
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:1184

C:\Windows\SysWOW64\jncdesvw\dpkhonnb.exe
C:\Windows\SysWOW64\jncdesvw\dpkhonnb.exe /d"C:\Users\Admin\AppData\Local\Temp\764f182af0c6ddc192250baa4a4464a0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dpkhonnb.exe

Filesize
2.7MB

MD5
86ca144ffc590efe4a9f586dc42c2959

SHA1
8a36a1085489993d586eb0adfc3b6a90bd5af95e

SHA256
16e27724f1ad37ad204a0e4663ec57d8d0a5f75d4419cfb6f1b7875076761cf6

SHA512
bb6072907ed1ec4f001d215ffaec39c76cad1a8abb8e36b57dcb551b89c60df5cab377a3373633c6fe254ec6602b6ca4cf5b75e995539fced49b707c7741bdb4

Download Submit
C:\Windows\SysWOW64\jncdesvw\dpkhonnb.exe

Filesize
1.7MB

MD5
6644626ef536ccaee9cb59ca6021a5ef

SHA1
a0776a9584dae67fa1d5db08689079e5b9ef2a88

SHA256
04fede48fde66a45a27c587b5b4088e8519a4f54c6f3636ce72c845887b17c5c

SHA512
19f726a4250819b804d5a898a8b121971c0649ff8d54b25fb391752e31d95f4935a18f0b19324f3f0d1dd787ad5794ce73c6907787b4ac488636ba382ee602c6

Download Submit
memory/1904-11-0x0000000000700000-0x0000000000715000-memory.dmp

Filesize
84KB

Download
memory/1904-19-0x0000000000700000-0x0000000000715000-memory.dmp

Filesize
84KB

Download
memory/1904-18-0x0000000000700000-0x0000000000715000-memory.dmp

Filesize
84KB

Download
memory/1904-17-0x0000000000700000-0x0000000000715000-memory.dmp

Filesize
84KB

Download
memory/1904-16-0x0000000000700000-0x0000000000715000-memory.dmp

Filesize
84KB

Download
memory/2276-8-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/2276-1-0x00000000023C0000-0x00000000024C0000-memory.dmp

Filesize
1024KB

Download
memory/2276-9-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/2276-4-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/2276-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4576-10-0x00000000026A0000-0x00000000027A0000-memory.dmp

Filesize
1024KB

Download
memory/4576-14-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/4576-15-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads