tofsee | 8a19788e6391d24385ece1dc77bb1a3f381bfd951faa17ce3925592842d19986

General

Target

f284271435132b9487ddf8dd41992578_JaffaCakes118.exe
Size

14.2MB
MD5

f284271435132b9487ddf8dd41992578
SHA1

26ec52a5e08c3370a92e47b5f43a12057cbe8616
SHA256

8a19788e6391d24385ece1dc77bb1a3f381bfd951faa17ce3925592842d19986
SHA512

4027ec19d3371d2707855d1e709a48ac96e9c09251a57de035c5e2d0b10cb6ecdeddae9e6c235c524022ff305b794340815fa2ad40a7d6cf287f2304942a0687
SSDEEP

196608:0zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2572 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

irgbnmtd.exe

pid process

2632 irgbnmtd.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2964 sc.exe
2708 sc.exe
2820 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2572	netsh.exe

pid	process
2632	irgbnmtd.exe

pid	process
2964	sc.exe
2708	sc.exe
2820	sc.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

f284271435132b9487ddf8dd41992578_JaffaCakes118.exeirgbnmtd.exe

description	pid	process	target process
PID 1372 wrote to memory of 2080	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2080	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2080	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2080	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2968	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2968	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2968	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2968	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2964	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2964	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2964	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2964	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2708	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2708	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2708	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2708	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2820	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2820	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2820	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2820	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	sc.exe
PID 1372 wrote to memory of 2572	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	netsh.exe
PID 1372 wrote to memory of 2572	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	netsh.exe
PID 1372 wrote to memory of 2572	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	netsh.exe
PID 1372 wrote to memory of 2572	1372	f284271435132b9487ddf8dd41992578_JaffaCakes118.exe	netsh.exe
PID 2632 wrote to memory of 2540	2632	irgbnmtd.exe	svchost.exe
PID 2632 wrote to memory of 2540	2632	irgbnmtd.exe	svchost.exe
PID 2632 wrote to memory of 2540	2632	irgbnmtd.exe	svchost.exe
PID 2632 wrote to memory of 2540	2632	irgbnmtd.exe	svchost.exe
PID 2632 wrote to memory of 2540	2632	irgbnmtd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f284271435132b9487ddf8dd41992578_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f284271435132b9487ddf8dd41992578_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffjnhedd\
2⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\irgbnmtd.exe" C:\Windows\SysWOW64\ffjnhedd\
2⤵
PID:2968

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ffjnhedd binPath= "C:\Windows\SysWOW64\ffjnhedd\irgbnmtd.exe /d\"C:\Users\Admin\AppData\Local\Temp\f284271435132b9487ddf8dd41992578_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2964

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ffjnhedd "wifi internet conection"
2⤵
- Launches sc.exe
PID:2708

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ffjnhedd
2⤵
- Launches sc.exe
PID:2820

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2572

C:\Windows\SysWOW64\ffjnhedd\irgbnmtd.exe
C:\Windows\SysWOW64\ffjnhedd\irgbnmtd.exe /d"C:\Users\Admin\AppData\Local\Temp\f284271435132b9487ddf8dd41992578_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2540

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\irgbnmtd.exe
Filesize
14.4MB

MD5
c047fe02bef3fd5ba51741364ccf71d9

SHA1
1e570930debfac78bcf118e086ff131e5eb04d1b

SHA256
b12e71cc91c1e56258ec1d8ee8b3ed4014a47eb79cde576f761b88744115ce22

SHA512
44283d58db57d80e117bc2ee76197d8641bb11be4d10de7199047bbe0f1304076aac52aa67a7f64696e1c81eedbe163341a6bec3f42c98379ecacddbe1236a1e

Download Submit
memory/1372-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1372-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/1372-4-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/1372-7-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/1372-8-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/2540-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-12-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2632-10-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2632-11-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2632-15-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2632-17-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing