tofsee | 5904e1ce6715d90d01f24f33168326b95b1096de8fbb7d4ec670516e1249587a

General

Target

f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
Size

11.6MB
MD5

f2e10e6ce6156dc38f07293998121415
SHA1

0367b75e7cc5eac8322c18c711144e0b14868e8b
SHA256

5904e1ce6715d90d01f24f33168326b95b1096de8fbb7d4ec670516e1249587a
SHA512

016dcff3b313312297f315be1c10c0bccdf23dee9e2288b4087592e788cf7963575cbdf896dcfdc6745f1d6c298c0f210f436c8bc0e5d6a1fb68150cce97a2ee
SSDEEP

24576:zfARRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR3:z

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rnitylgm = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3060 netsh.exe

pid	process
3060	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rnitylgm\ImagePath = "C:\\Windows\\SysWOW64\\rnitylgm\\ctpwnmqu.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3020 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

ctpwnmqu.exe

pid process

2548 ctpwnmqu.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ctpwnmqu.exe

description pid process target process

PID 2548 set thread context of 3020 2548 ctpwnmqu.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1664 sc.exe
2636 sc.exe
2852 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3020	svchost.exe

pid	process
2548	ctpwnmqu.exe

description	pid	process	target process
PID 2548 set thread context of 3020	2548	ctpwnmqu.exe	svchost.exe

pid	process
1664	sc.exe
2636	sc.exe
2852	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exectpwnmqu.exe

description	pid	process	target process
PID 3000 wrote to memory of 1072	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 1072	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 1072	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 1072	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 2828	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 2828	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 2828	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 2828	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	cmd.exe
PID 3000 wrote to memory of 1664	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 1664	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 1664	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 1664	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 2636	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 2636	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 2636	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 2636	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 2852	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 2852	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 2852	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 2852	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	sc.exe
PID 3000 wrote to memory of 3060	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	netsh.exe
PID 3000 wrote to memory of 3060	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	netsh.exe
PID 3000 wrote to memory of 3060	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	netsh.exe
PID 3000 wrote to memory of 3060	3000	f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe	netsh.exe
PID 2548 wrote to memory of 3020	2548	ctpwnmqu.exe	svchost.exe
PID 2548 wrote to memory of 3020	2548	ctpwnmqu.exe	svchost.exe
PID 2548 wrote to memory of 3020	2548	ctpwnmqu.exe	svchost.exe
PID 2548 wrote to memory of 3020	2548	ctpwnmqu.exe	svchost.exe
PID 2548 wrote to memory of 3020	2548	ctpwnmqu.exe	svchost.exe
PID 2548 wrote to memory of 3020	2548	ctpwnmqu.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rnitylgm\
2⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ctpwnmqu.exe" C:\Windows\SysWOW64\rnitylgm\
2⤵
PID:2828

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create rnitylgm binPath= "C:\Windows\SysWOW64\rnitylgm\ctpwnmqu.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1664

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description rnitylgm "wifi internet conection"
2⤵
- Launches sc.exe
PID:2636

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start rnitylgm
2⤵
- Launches sc.exe
PID:2852

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:3060

C:\Windows\SysWOW64\rnitylgm\ctpwnmqu.exe
C:\Windows\SysWOW64\rnitylgm\ctpwnmqu.exe /d"C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ctpwnmqu.exe
Filesize
10.8MB

MD5
afd4a3d6ce6082292cf4636e527f5150

SHA1
caa7bbf3f26690e959ff1c5948d80507efa6cf7d

SHA256
10a6c25571f31d567352e41149156722af4d5e96a31fc1ab435fabc598123c91

SHA512
fe29c815df9d64a4fc132cd85b24a5a278eb372061c7aa150890f8bb2e955e4e555414292737ccf0289c39aed5cb31edbd7a0d208b5543c7a907abb1ba36600f

Download Submit
memory/2548-10-0x0000000002850000-0x0000000002950000-memory.dmp

Filesize
1024KB

Download
memory/2548-12-0x0000000000400000-0x00000000027A8000-memory.dmp

Filesize
35.7MB

Download
memory/2548-16-0x0000000000400000-0x00000000027A8000-memory.dmp

Filesize
35.7MB

Download
memory/3000-1-0x0000000002910000-0x0000000002A10000-memory.dmp

Filesize
1024KB

Download
memory/3000-4-0x0000000000400000-0x00000000027A8000-memory.dmp

Filesize
35.7MB

Download
memory/3000-7-0x0000000000400000-0x00000000027A8000-memory.dmp

Filesize
35.7MB

Download
memory/3000-8-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/3000-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/3020-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-11-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/3020-15-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/3020-19-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/3020-20-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/3020-21-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/3020-22-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads