tofsee | 96e67d80d9eca5208f9fe6f5cb977453adac57ac026d4c6b4cd640418911483d

Analysis

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe
Size

10.1MB
MD5

bd87e76554e82c653200bfe2c2114355
SHA1

e3cce184cef20580e9af902bd49c5caa5fbf0450
SHA256

96e67d80d9eca5208f9fe6f5cb977453adac57ac026d4c6b4cd640418911483d
SHA512

bd1ebe00cc68a1c16757d1160964dd40a0362f9902244e36b74f41a1322c37fd1c4f7fa9a1767a4a848e3240d8609fd7060ab2f1a313d271748d51e7fb9cdbe4
SSDEEP

196608:QhKaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaq:Q

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2580	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\lvchrfv\ImagePath = "C:\\Windows\\SysWOW64\\lvchrfv\\mkzlfbmc.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2460	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	mkzlfbmc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 2460	2968	mkzlfbmc.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2796	sc.exe
2684	sc.exe
2592	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2992	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2992	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2992	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2992	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2520	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2520	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2520	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2520	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2796	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	32
PID 2036 wrote to memory of 2796	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	32
PID 2036 wrote to memory of 2796	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	32
PID 2036 wrote to memory of 2796	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	32
PID 2036 wrote to memory of 2684	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	34
PID 2036 wrote to memory of 2684	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	34
PID 2036 wrote to memory of 2684	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	34
PID 2036 wrote to memory of 2684	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	34
PID 2036 wrote to memory of 2592	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	36
PID 2036 wrote to memory of 2592	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	36
PID 2036 wrote to memory of 2592	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	36
PID 2036 wrote to memory of 2592	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	36
PID 2036 wrote to memory of 2580	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	39
PID 2036 wrote to memory of 2580	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	39
PID 2036 wrote to memory of 2580	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	39
PID 2036 wrote to memory of 2580	2036	bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe	39
PID 2968 wrote to memory of 2460	2968	mkzlfbmc.exe	41
PID 2968 wrote to memory of 2460	2968	mkzlfbmc.exe	41
PID 2968 wrote to memory of 2460	2968	mkzlfbmc.exe	41
PID 2968 wrote to memory of 2460	2968	mkzlfbmc.exe	41
PID 2968 wrote to memory of 2460	2968	mkzlfbmc.exe	41
PID 2968 wrote to memory of 2460	2968	mkzlfbmc.exe	41

C:\Users\Admin\AppData\Local\Temp\bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lvchrfv\
  2⤵
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mkzlfbmc.exe" C:\Windows\SysWOW64\lvchrfv\
  2⤵
  PID:2520
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create lvchrfv binPath= "C:\Windows\SysWOW64\lvchrfv\mkzlfbmc.exe /d\"C:\Users\Admin\AppData\Local\Temp\bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2796
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description lvchrfv "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2684
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start lvchrfv
  2⤵
  - Launches sc.exe
  PID:2592
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2580

C:\Windows\SysWOW64\lvchrfv\mkzlfbmc.exe
C:\Windows\SysWOW64\lvchrfv\mkzlfbmc.exe /d"C:\Users\Admin\AppData\Local\Temp\bd87e76554e82c653200bfe2c2114355_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mkzlfbmc.exe

Filesize
11.5MB

MD5
bff8bb2a700631e57a05f373ba6c3935

SHA1
e68aa78b10ae7ced34afbfc57375641f4106c29c

SHA256
c41503c90647b7b4ecd4b5e3fe85441eeaafca1cdd2fd33b698b7be322b0c3eb

SHA512
ebc351b2f6886e4edf3ee4ddf8a3671849ad6ecd245de1c7f0f5fde88b0bae93540fa08bd32f0b96b01b296d2e0c379ca84cf7a117891a7c46201b72f5bfb2c9

Download Submit
memory/2036-1-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/2036-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2036-4-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2036-8-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2036-9-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2460-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2460-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2460-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2460-12-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2460-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2460-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2460-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2968-10-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/2968-17-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2968-11-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads