tofsee | cdbcf96eb2e66544db4ee3a0319799623589e2fce14a1545eafaf302a4c05eec

General

Target

cb55bf02958c9cefbb81aec9f50dedd9.exe
Size

14.9MB
MD5

cb55bf02958c9cefbb81aec9f50dedd9
SHA1

3ea1ea77967609654bd5e1481fd8659d2d77882b
SHA256

cdbcf96eb2e66544db4ee3a0319799623589e2fce14a1545eafaf302a4c05eec
SHA512

fe7c169bdcba12de3b11662b3397f4a0949935c036217e58ab5f6649acdffd887b1073e396fa8b798d75818315929e21333e83b8d73de12e108ac0e68e232659
SSDEEP

24576:5jY+lg48SlJPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP/:UHSl

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2496	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jfpraczx\ImagePath = "C:\\Windows\\SysWOW64\\jfpraczx\\gmxiapjv.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cb55bf02958c9cefbb81aec9f50dedd9.exe

Deletes itself 1 IoCs

pid	Process
808	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
716	gmxiapjv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 716 set thread context of 808	716	gmxiapjv.exe	113

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4888	sc.exe
5076	sc.exe
1620	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1588	4388	WerFault.exe	88
4528	716	WerFault.exe	106

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3628	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	92
PID 4388 wrote to memory of 3628	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	92
PID 4388 wrote to memory of 3628	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	92
PID 4388 wrote to memory of 1236	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	96
PID 4388 wrote to memory of 1236	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	96
PID 4388 wrote to memory of 1236	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	96
PID 4388 wrote to memory of 5076	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	98
PID 4388 wrote to memory of 5076	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	98
PID 4388 wrote to memory of 5076	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	98
PID 4388 wrote to memory of 1620	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	102
PID 4388 wrote to memory of 1620	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	102
PID 4388 wrote to memory of 1620	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	102
PID 4388 wrote to memory of 4888	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	104
PID 4388 wrote to memory of 4888	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	104
PID 4388 wrote to memory of 4888	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	104
PID 4388 wrote to memory of 2496	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	107
PID 4388 wrote to memory of 2496	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	107
PID 4388 wrote to memory of 2496	4388	cb55bf02958c9cefbb81aec9f50dedd9.exe	107
PID 716 wrote to memory of 808	716	gmxiapjv.exe	113
PID 716 wrote to memory of 808	716	gmxiapjv.exe	113
PID 716 wrote to memory of 808	716	gmxiapjv.exe	113
PID 716 wrote to memory of 808	716	gmxiapjv.exe	113
PID 716 wrote to memory of 808	716	gmxiapjv.exe	113

C:\Users\Admin\AppData\Local\Temp\cb55bf02958c9cefbb81aec9f50dedd9.exe
"C:\Users\Admin\AppData\Local\Temp\cb55bf02958c9cefbb81aec9f50dedd9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jfpraczx\
  2⤵
  PID:3628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gmxiapjv.exe" C:\Windows\SysWOW64\jfpraczx\
  2⤵
  PID:1236
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create jfpraczx binPath= "C:\Windows\SysWOW64\jfpraczx\gmxiapjv.exe /d\"C:\Users\Admin\AppData\Local\Temp\cb55bf02958c9cefbb81aec9f50dedd9.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:5076
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description jfpraczx "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1620
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start jfpraczx
  2⤵
  - Launches sc.exe
  PID:4888
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 800
  2⤵
  - Program crash
  PID:1588

C:\Windows\SysWOW64\jfpraczx\gmxiapjv.exe
C:\Windows\SysWOW64\jfpraczx\gmxiapjv.exe /d"C:\Users\Admin\AppData\Local\Temp\cb55bf02958c9cefbb81aec9f50dedd9.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 536
  2⤵
  - Program crash
  PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 716 -ip 716
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gmxiapjv.exe

Filesize
13.1MB

MD5
7b1ef8fd16e0a10e96902418093ba81d

SHA1
af029d04661db371e98589ab862008478bc19267

SHA256
3dd1db2cd991725b79504d6ba482648f18e4b0084725fb4a8f4349179f1d8836

SHA512
f42d4cb6341ae625548b3b94878a9fc0d2244e4d84d3ef4e6588bb30bf5a35c089fb317967d3d8424af04d755e9611dc91605de2bda0a368465c530f3e928bf0

Download Submit
C:\Windows\SysWOW64\jfpraczx\gmxiapjv.exe

Filesize
14.0MB

MD5
02051de084f297a260dd0f3d803b68e4

SHA1
48c00b504349f1c08537f80c6010424c44842833

SHA256
23c60a66c2de3fbb80fdbfa55879d32079e6b90750990185ab00b0444309916d

SHA512
553f3b4d9ed541834238351488bddbad8888c8e30d3d42044cc5a97471a3e3dd93b61c4932f1115677e3660c860ae890c4e7948017062d8834190fd98f9e03a3

Download Submit
memory/716-13-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/716-11-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/808-10-0x0000000001230000-0x0000000001245000-memory.dmp

Filesize
84KB

Download
memory/808-15-0x0000000001230000-0x0000000001245000-memory.dmp

Filesize
84KB

Download
memory/808-17-0x0000000001230000-0x0000000001245000-memory.dmp

Filesize
84KB

Download
memory/808-18-0x0000000001230000-0x0000000001245000-memory.dmp

Filesize
84KB

Download
memory/4388-4-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/4388-2-0x00000000024F0000-0x0000000002503000-memory.dmp

Filesize
76KB

Download
memory/4388-7-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/4388-8-0x00000000024F0000-0x0000000002503000-memory.dmp

Filesize
76KB

Download
memory/4388-1-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads