tofsee | 32286087d4e5a88e15e2d34114b10047826640627628d7b269d37eef35585db7

General

Target

f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe
Size

11.3MB
MD5

f2c2dfad2a7c617f933121023f9615a0
SHA1

2413e1d32855aaaef23d75cc7da5e73258f59c0f
SHA256

32286087d4e5a88e15e2d34114b10047826640627628d7b269d37eef35585db7
SHA512

0a235f74cceebc2fd51d8472762091a958d6d43ca00bedad058cee00fa48b90e063eff78ac60610668e1a42427d25d105c8d4625079a7753e29b1c441c46eda0
SSDEEP

98304:nNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllH:NW

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5348 netsh.exe

pid	process
5348	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wwjxkyu\ImagePath = "C:\\Windows\\SysWOW64\\wwjxkyu\\gidjcpz.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

5268 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

gidjcpz.exe

pid process

1152 gidjcpz.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

gidjcpz.exe

description pid process target process

PID 1152 set thread context of 5268 1152 gidjcpz.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2228 sc.exe
5432 sc.exe
2224 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5268	svchost.exe

pid	process
1152	gidjcpz.exe

description	pid	process	target process
PID 1152 set thread context of 5268	1152	gidjcpz.exe	svchost.exe

pid	process
2228	sc.exe
5432	sc.exe
2224	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exegidjcpz.exe

description	pid	process	target process
PID 656 wrote to memory of 5552	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	cmd.exe
PID 656 wrote to memory of 5552	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	cmd.exe
PID 656 wrote to memory of 5552	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	cmd.exe
PID 656 wrote to memory of 1080	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	cmd.exe
PID 656 wrote to memory of 1080	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	cmd.exe
PID 656 wrote to memory of 1080	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	cmd.exe
PID 656 wrote to memory of 2228	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 2228	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 2228	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 5432	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 5432	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 5432	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 2224	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 2224	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 2224	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	sc.exe
PID 656 wrote to memory of 5348	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	netsh.exe
PID 656 wrote to memory of 5348	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	netsh.exe
PID 656 wrote to memory of 5348	656	f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe	netsh.exe
PID 1152 wrote to memory of 5268	1152	gidjcpz.exe	svchost.exe
PID 1152 wrote to memory of 5268	1152	gidjcpz.exe	svchost.exe
PID 1152 wrote to memory of 5268	1152	gidjcpz.exe	svchost.exe
PID 1152 wrote to memory of 5268	1152	gidjcpz.exe	svchost.exe
PID 1152 wrote to memory of 5268	1152	gidjcpz.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wwjxkyu\
2⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gidjcpz.exe" C:\Windows\SysWOW64\wwjxkyu\
2⤵
PID:1080

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create wwjxkyu binPath= "C:\Windows\SysWOW64\wwjxkyu\gidjcpz.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2228

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description wwjxkyu "wifi internet conection"
2⤵
- Launches sc.exe
PID:5432

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start wwjxkyu
2⤵
- Launches sc.exe
PID:2224

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:5348

C:\Windows\SysWOW64\wwjxkyu\gidjcpz.exe
C:\Windows\SysWOW64\wwjxkyu\gidjcpz.exe /d"C:\Users\Admin\AppData\Local\Temp\f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gidjcpz.exe
Filesize
13.0MB

MD5
9817e67f0fa3deb3f25b3a36f43567ae

SHA1
f437d6a202b46d0f8b16d99c78f12ebccb516f8e

SHA256
c50c5344f3ca8be4267882a0e4c7de1edcdb93e7dd538a980e186d5aaaaec86a

SHA512
b0cac5923daada574ef6052575a9c2f3c679b0e1ed4f005de4755891d07334e2e411d010bb5d082b94ad391634c92a6f46ade9bade6efb2051dbeede11608412

Download Submit
memory/656-1-0x0000000003900000-0x0000000003A00000-memory.dmp

Filesize
1024KB

Download
memory/656-2-0x0000000005410000-0x0000000005423000-memory.dmp

Filesize
76KB

Download
memory/656-4-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/656-6-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/656-8-0x0000000005410000-0x0000000005423000-memory.dmp

Filesize
76KB

Download
memory/1152-10-0x0000000003950000-0x0000000003A50000-memory.dmp

Filesize
1024KB

Download
memory/1152-16-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/1152-15-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/5268-11-0x0000000000440000-0x0000000000455000-memory.dmp

Filesize
84KB

Download
memory/5268-14-0x0000000000440000-0x0000000000455000-memory.dmp

Filesize
84KB

Download
memory/5268-17-0x0000000000440000-0x0000000000455000-memory.dmp

Filesize
84KB

Download
memory/5268-18-0x0000000000440000-0x0000000000455000-memory.dmp

Filesize
84KB

Download
memory/5268-19-0x0000000000440000-0x0000000000455000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads