tofsee | 62b95f3ef9cdf1e9c528d859c4d4116e114cf90b9711e1bc486ab4d034bd574e

General

Target

f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe
Size

10.4MB
MD5

f570f71d8285dce6ba5ac8ead17b0435
SHA1

ab4efe5cba052b2ba724222540043c90d9d6980c
SHA256

62b95f3ef9cdf1e9c528d859c4d4116e114cf90b9711e1bc486ab4d034bd574e
SHA512

56034472678e5d6610f1cb9b59f4b3a60c96b281b3fceb529742cdf51ec213c08e16a6b8e1748a06d461ff3d69bf7defdcac8cad10968c64d3c10135093de62f
SSDEEP

6144:fpcqzKUTS5Yde/qyQK8ZtqTMIKC/eUPFwUnyaAjLo7pU6eD:PKUO54e/q60tmT7/xPFwVjs7G6

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\tgqtwtsp = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2696 netsh.exe

pid	process
2696	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tgqtwtsp\ImagePath = "C:\\Windows\\SysWOW64\\tgqtwtsp\\gyddkcwa.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2740 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

gyddkcwa.exe

pid process

2256 gyddkcwa.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

gyddkcwa.exe

description pid process target process

PID 2256 set thread context of 2740 2256 gyddkcwa.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1920 sc.exe
2652 sc.exe
2548 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2740	svchost.exe

pid	process
2256	gyddkcwa.exe

description	pid	process	target process
PID 2256 set thread context of 2740	2256	gyddkcwa.exe	svchost.exe

pid	process
1920	sc.exe
2652	sc.exe
2548	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exegyddkcwa.exe

description	pid	process	target process
PID 2176 wrote to memory of 1088	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 1088	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 1088	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 1088	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 2496	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 2496	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 2496	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 2496	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 1920	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 1920	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 1920	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 1920	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2652	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2652	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2652	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2652	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2548	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2548	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2548	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2548	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	sc.exe
PID 2176 wrote to memory of 2696	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	netsh.exe
PID 2176 wrote to memory of 2696	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	netsh.exe
PID 2176 wrote to memory of 2696	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	netsh.exe
PID 2176 wrote to memory of 2696	2176	f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe	netsh.exe
PID 2256 wrote to memory of 2740	2256	gyddkcwa.exe	svchost.exe
PID 2256 wrote to memory of 2740	2256	gyddkcwa.exe	svchost.exe
PID 2256 wrote to memory of 2740	2256	gyddkcwa.exe	svchost.exe
PID 2256 wrote to memory of 2740	2256	gyddkcwa.exe	svchost.exe
PID 2256 wrote to memory of 2740	2256	gyddkcwa.exe	svchost.exe
PID 2256 wrote to memory of 2740	2256	gyddkcwa.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tgqtwtsp\
2⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gyddkcwa.exe" C:\Windows\SysWOW64\tgqtwtsp\
2⤵
PID:2496

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create tgqtwtsp binPath= "C:\Windows\SysWOW64\tgqtwtsp\gyddkcwa.exe /d\"C:\Users\Admin\AppData\Local\Temp\f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1920

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description tgqtwtsp "wifi internet conection"
2⤵
- Launches sc.exe
PID:2652

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start tgqtwtsp
2⤵
- Launches sc.exe
PID:2548

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2696

C:\Windows\SysWOW64\tgqtwtsp\gyddkcwa.exe
C:\Windows\SysWOW64\tgqtwtsp\gyddkcwa.exe /d"C:\Users\Admin\AppData\Local\Temp\f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

1

T1562.001

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gyddkcwa.exe
Filesize
14.2MB

MD5
2c6c6990ed2ef0879cde931d2c5c4e58

SHA1
20f5e2960f35c74329a0b242ce1d40b412029690

SHA256
516de4e6d211c7133c855c5d50204f2a884cdbd3ced12a20849b91fa59607e56

SHA512
eb8487833a8f46f62116ac651dd3bbe90f37dee67ae2ae9c8d458f0007de8199314960729a1e20e655e3dcec214679992be861098a579eda1a9db494eb4e7ee6

Download Submit
memory/2176-2-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2176-3-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2176-8-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2176-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2256-15-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2256-9-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2256-11-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2740-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2740-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2740-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2740-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2740-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads