tofsee | 2c2ad8fb26b2481604773c7755cc27156ea9a7c6d19993562bd7f3f0777e3931

General

Target

f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
Size

12.5MB
MD5

f474b3b24c28e9731d49632cf52cb20a
SHA1

379128e922c6174dd9fe7f16eb1428300860ae00
SHA256

2c2ad8fb26b2481604773c7755cc27156ea9a7c6d19993562bd7f3f0777e3931
SHA512

226e7ab1d0f5894532ab390960ceb10a6c5ffff97bff475fd7282eafdcd65e4e86251893950c58e48a3e2235ca4ea32f77af44ab084956048ae0e2df0d5151a8
SSDEEP

98304:FNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllF:DW

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3744 netsh.exe

pid	process
3744	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vxdeekpr\ImagePath = "C:\\Windows\\SysWOW64\\vxdeekpr\\lckisnui.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1788 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

lckisnui.exe

pid process

4572 lckisnui.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lckisnui.exe

description pid process target process

PID 4572 set thread context of 1788 4572 lckisnui.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

5068 sc.exe
3532 sc.exe
2876 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1788	svchost.exe

pid	process
4572	lckisnui.exe

description	pid	process	target process
PID 4572 set thread context of 1788	4572	lckisnui.exe	svchost.exe

pid	process
5068	sc.exe
3532	sc.exe
2876	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exelckisnui.exe

description	pid	process	target process
PID 5096 wrote to memory of 3076	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	cmd.exe
PID 5096 wrote to memory of 3076	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	cmd.exe
PID 5096 wrote to memory of 3076	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	cmd.exe
PID 5096 wrote to memory of 1440	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	cmd.exe
PID 5096 wrote to memory of 1440	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	cmd.exe
PID 5096 wrote to memory of 1440	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	cmd.exe
PID 5096 wrote to memory of 5068	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 5068	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 5068	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 3532	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 3532	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 3532	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 2876	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 2876	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 2876	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	sc.exe
PID 5096 wrote to memory of 3744	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	netsh.exe
PID 5096 wrote to memory of 3744	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	netsh.exe
PID 5096 wrote to memory of 3744	5096	f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe	netsh.exe
PID 4572 wrote to memory of 1788	4572	lckisnui.exe	svchost.exe
PID 4572 wrote to memory of 1788	4572	lckisnui.exe	svchost.exe
PID 4572 wrote to memory of 1788	4572	lckisnui.exe	svchost.exe
PID 4572 wrote to memory of 1788	4572	lckisnui.exe	svchost.exe
PID 4572 wrote to memory of 1788	4572	lckisnui.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vxdeekpr\
2⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lckisnui.exe" C:\Windows\SysWOW64\vxdeekpr\
2⤵
PID:1440

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create vxdeekpr binPath= "C:\Windows\SysWOW64\vxdeekpr\lckisnui.exe /d\"C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:5068

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description vxdeekpr "wifi internet conection"
2⤵
- Launches sc.exe
PID:3532

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start vxdeekpr
2⤵
- Launches sc.exe
PID:2876

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:3744

C:\Windows\SysWOW64\vxdeekpr\lckisnui.exe
C:\Windows\SysWOW64\vxdeekpr\lckisnui.exe /d"C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lckisnui.exe
Filesize
11.4MB

MD5
01c2e9512e0c483fb1ec1cbdb80a4bce

SHA1
7f6ca53839f5df02b86cb348aa08360ffc60afcd

SHA256
3af707b1201db9f28ea73e251fc6282cf9fb45aefd98a00999cb90e669d17862

SHA512
b7e1ed8fb7d08266094932e5df7d5dfb7b190065e1c704ee3f7ef4a5ec08acf0b560e98c4ff57c08064348a0a419c43fa6866ca9698b74a14b7f4af967af9e12

Download Submit
memory/1788-16-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/1788-11-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/1788-15-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/1788-18-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/1788-20-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/4572-10-0x00000000037D0000-0x00000000038D0000-memory.dmp

Filesize
1024KB

Download
memory/4572-17-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/4572-19-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/5096-4-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/5096-2-0x00000000037F0000-0x0000000003803000-memory.dmp

Filesize
76KB

Download
memory/5096-6-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/5096-8-0x00000000037F0000-0x0000000003803000-memory.dmp

Filesize
76KB

Download
memory/5096-1-0x0000000003810000-0x0000000003910000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads