tofsee | c02ce7fba728b8b8d459ff2a48fbbd0986cd474a16e339457b4d0e7ca538036d

General

Target

f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe
Size

12.9MB
MD5

f2908395b8a8846d7c3752da7ffcc9ad
SHA1

16c1bc4e5ac73414c889c3d49de2a67f3b88f517
SHA256

c02ce7fba728b8b8d459ff2a48fbbd0986cd474a16e339457b4d0e7ca538036d
SHA512

edb752d6c9e28dd06331882d407a0636c92cb97d38298610f8d3ea7fee8d94d7490498ceb4d5432e0ca06f90b9de1d0c592186bd1abce277d4904f18d22f8476
SSDEEP

24576:perU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbr:psW

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4088 netsh.exe

pid	process
4088	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vgrilxdo\ImagePath = "C:\\Windows\\SysWOW64\\vgrilxdo\\sktbylxr.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

sktbylxr.exe

pid process

3528 sktbylxr.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sktbylxr.exe

description pid process target process

PID 3528 set thread context of 2608 3528 sktbylxr.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4948 sc.exe
4072 sc.exe
464 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3528	sktbylxr.exe

description	pid	process	target process
PID 3528 set thread context of 2608	3528	sktbylxr.exe	svchost.exe

pid	process
4948	sc.exe
4072	sc.exe
464	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exesktbylxr.exe

description	pid	process	target process
PID 1432 wrote to memory of 1284	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	cmd.exe
PID 1432 wrote to memory of 1284	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	cmd.exe
PID 1432 wrote to memory of 1284	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	cmd.exe
PID 1432 wrote to memory of 4968	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	cmd.exe
PID 1432 wrote to memory of 4968	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	cmd.exe
PID 1432 wrote to memory of 4968	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	cmd.exe
PID 1432 wrote to memory of 4072	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 4072	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 4072	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 464	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 464	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 464	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 4948	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 4948	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 4948	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	sc.exe
PID 1432 wrote to memory of 4088	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	netsh.exe
PID 1432 wrote to memory of 4088	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	netsh.exe
PID 1432 wrote to memory of 4088	1432	f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe	netsh.exe
PID 3528 wrote to memory of 2608	3528	sktbylxr.exe	svchost.exe
PID 3528 wrote to memory of 2608	3528	sktbylxr.exe	svchost.exe
PID 3528 wrote to memory of 2608	3528	sktbylxr.exe	svchost.exe
PID 3528 wrote to memory of 2608	3528	sktbylxr.exe	svchost.exe
PID 3528 wrote to memory of 2608	3528	sktbylxr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vgrilxdo\
2⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sktbylxr.exe" C:\Windows\SysWOW64\vgrilxdo\
2⤵
PID:4968

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create vgrilxdo binPath= "C:\Windows\SysWOW64\vgrilxdo\sktbylxr.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4072

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description vgrilxdo "wifi internet conection"
2⤵
- Launches sc.exe
PID:464

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start vgrilxdo
2⤵
- Launches sc.exe
PID:4948

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4088

C:\Windows\SysWOW64\vgrilxdo\sktbylxr.exe
C:\Windows\SysWOW64\vgrilxdo\sktbylxr.exe /d"C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sktbylxr.exe
Filesize
13.4MB

MD5
3b651cc43c9259c127f01ba6c2a7ffaf

SHA1
5507d20fefae8ffc9802bc5d88ff873c15e37059

SHA256
5cfd3da7f31d1c0f3dffc3a1e69a4780a9e8791108217ac15f9119c5024e06ae

SHA512
1c73a203709608c4d48afaf5dbf9924ee999863c97a6313dab15a8058b93d111ee087901845b2fb66d57974aa008abc32238b0ca52fd53459ec320bdfa09cc98

Download Submit
memory/1432-1-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1432-2-0x00000000021B0000-0x00000000021C3000-memory.dmp

Filesize
76KB

Download
memory/1432-3-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1432-6-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1432-20-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1432-16-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2608-12-0x0000000000A30000-0x0000000000A45000-memory.dmp

Filesize
84KB

Download
memory/2608-15-0x0000000000A30000-0x0000000000A45000-memory.dmp

Filesize
84KB

Download
memory/2608-18-0x0000000000A30000-0x0000000000A45000-memory.dmp

Filesize
84KB

Download
memory/2608-19-0x0000000000A30000-0x0000000000A45000-memory.dmp

Filesize
84KB

Download
memory/2608-27-0x0000000000A30000-0x0000000000A45000-memory.dmp

Filesize
84KB

Download
memory/3528-11-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3528-10-0x0000000000C30000-0x0000000000C43000-memory.dmp

Filesize
76KB

Download
memory/3528-17-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3528-9-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads