tofsee | a90655570c4a2d65f49238f26f55c26b9d759fb37e320879a4947925d6d39ae1

General

Target

f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe
Size

10.5MB
MD5

f3df43ba132bdf2b35e4cff404cf6822
SHA1

1b9098442468602824c455d02e8a168a5beba1f1
SHA256

a90655570c4a2d65f49238f26f55c26b9d759fb37e320879a4947925d6d39ae1
SHA512

7f9b79450deb76f4f989d06fe521ea4d1bcd7c2fc3d07c97e529b341dc28564db49ba05d99e66a79b6c110d25062c2655618827b02cd9a2de3708bc9728ea9a1
SSDEEP

6144:xTNLKg3DE+aImImImImImImImImImImImImImImImImImImImImImImImImImImY:XeO

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2384 netsh.exe

pid	process
2384	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qmutgbmp\ImagePath = "C:\\Windows\\SysWOW64\\qmutgbmp\\mejjqicg.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1544 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

mejjqicg.exe

pid process

4104 mejjqicg.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mejjqicg.exe

description pid process target process

PID 4104 set thread context of 1544 4104 mejjqicg.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4716 sc.exe
312 sc.exe
4524 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2036 1048 WerFault.exe f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe
3204 4104 WerFault.exe mejjqicg.exe

pid	process
1544	svchost.exe

pid	process
4104	mejjqicg.exe

description	pid	process	target process
PID 4104 set thread context of 1544	4104	mejjqicg.exe	svchost.exe

pid	process
4716	sc.exe
312	sc.exe
4524	sc.exe

pid	pid_target	process	target process
2036	1048	WerFault.exe	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe
3204	4104	WerFault.exe	mejjqicg.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exemejjqicg.exe

description	pid	process	target process
PID 1048 wrote to memory of 2500	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	cmd.exe
PID 1048 wrote to memory of 2500	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	cmd.exe
PID 1048 wrote to memory of 2500	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	cmd.exe
PID 1048 wrote to memory of 912	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	cmd.exe
PID 1048 wrote to memory of 912	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	cmd.exe
PID 1048 wrote to memory of 912	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	cmd.exe
PID 1048 wrote to memory of 4716	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 4716	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 4716	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 312	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 312	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 312	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 4524	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 4524	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 4524	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	sc.exe
PID 1048 wrote to memory of 2384	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	netsh.exe
PID 1048 wrote to memory of 2384	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	netsh.exe
PID 1048 wrote to memory of 2384	1048	f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe	netsh.exe
PID 4104 wrote to memory of 1544	4104	mejjqicg.exe	svchost.exe
PID 4104 wrote to memory of 1544	4104	mejjqicg.exe	svchost.exe
PID 4104 wrote to memory of 1544	4104	mejjqicg.exe	svchost.exe
PID 4104 wrote to memory of 1544	4104	mejjqicg.exe	svchost.exe
PID 4104 wrote to memory of 1544	4104	mejjqicg.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qmutgbmp\
2⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mejjqicg.exe" C:\Windows\SysWOW64\qmutgbmp\
2⤵
PID:912

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qmutgbmp binPath= "C:\Windows\SysWOW64\qmutgbmp\mejjqicg.exe /d\"C:\Users\Admin\AppData\Local\Temp\f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4716

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qmutgbmp "wifi internet conection"
2⤵
- Launches sc.exe
PID:312

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qmutgbmp
2⤵
- Launches sc.exe
PID:4524

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 580
2⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\qmutgbmp\mejjqicg.exe
C:\Windows\SysWOW64\qmutgbmp\mejjqicg.exe /d"C:\Users\Admin\AppData\Local\Temp\f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 516
2⤵
- Program crash
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1048 -ip 1048
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4104 -ip 4104
1⤵
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mejjqicg.exe
Filesize
12.8MB

MD5
6f27d1fc2e2b8ec42b9153b7a994e20e

SHA1
ed3242c85153e087d42344bce6e35252bb1594a1

SHA256
ae7345e89ecb156d568ba514dcb70240dbc208ff078819690bcf8bfbfa10f1b3

SHA512
baada9b5a5b2584e8e79b1a6e352743e0540a62c01cc3168d4b1335ccb96e61913f0c2784eb4f19a0d2d4293914c63a641128b0e23a3ab4038395a2325062f35

Download Submit
memory/1048-1-0x0000000002E30000-0x0000000002F30000-memory.dmp

Filesize
1024KB

Download
memory/1048-2-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/1048-4-0x0000000000400000-0x0000000002CB9000-memory.dmp

Filesize
40.7MB

Download
memory/1048-8-0x0000000000400000-0x0000000002CB9000-memory.dmp

Filesize
40.7MB

Download
memory/1048-9-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/1544-14-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/1544-11-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/1544-16-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/1544-17-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/1544-19-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/4104-15-0x0000000000400000-0x0000000002CB9000-memory.dmp

Filesize
40.7MB

Download
memory/4104-10-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/4104-18-0x0000000000400000-0x0000000002CB9000-memory.dmp

Filesize
40.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads