tofsee | 6d11a016ff70b46205d7ef21efb3fa132b878580a77ed923566257751dd7a11d

General

Target

f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe
Size

13.5MB
MD5

f5cbfe63e02723b835516647584848d4
SHA1

07dd6af989d6d11f4efcf5a9594912d851b10135
SHA256

6d11a016ff70b46205d7ef21efb3fa132b878580a77ed923566257751dd7a11d
SHA512

a5143335125344278d49a9eb6be29bbd8fb05aa84d00e01e5e05b2bee4243a8d45c2f469cb46f5e04af70679511b6a1ebc3ea261894dca3bb0fa0a498321b91f
SSDEEP

6144:x2BxZXDssssssssssssssssssssssssssssssssssssssssssssssssssssssssk:x4V

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\dhmexdxr = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2556 netsh.exe

pid	process
2556	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dhmexdxr\ImagePath = "C:\\Windows\\SysWOW64\\dhmexdxr\\ddcithor.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2484 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

ddcithor.exe

pid process

2532 ddcithor.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ddcithor.exe

description pid process target process

PID 2532 set thread context of 2484 2532 ddcithor.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2752 sc.exe
2552 sc.exe
2620 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2484	svchost.exe

pid	process
2532	ddcithor.exe

description	pid	process	target process
PID 2532 set thread context of 2484	2532	ddcithor.exe	svchost.exe

pid	process
2752	sc.exe
2552	sc.exe
2620	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

f5cbfe63e02723b835516647584848d4_JaffaCakes118.exeddcithor.exe

description	pid	process	target process
PID 1760 wrote to memory of 3056	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 3056	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 3056	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 3056	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 2568	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 2568	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 2568	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 2568	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 2752	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2752	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2752	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2752	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2552	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2552	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2552	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2552	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2620	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2620	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2620	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2620	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	sc.exe
PID 1760 wrote to memory of 2556	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	netsh.exe
PID 1760 wrote to memory of 2556	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	netsh.exe
PID 1760 wrote to memory of 2556	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	netsh.exe
PID 1760 wrote to memory of 2556	1760	f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe	netsh.exe
PID 2532 wrote to memory of 2484	2532	ddcithor.exe	svchost.exe
PID 2532 wrote to memory of 2484	2532	ddcithor.exe	svchost.exe
PID 2532 wrote to memory of 2484	2532	ddcithor.exe	svchost.exe
PID 2532 wrote to memory of 2484	2532	ddcithor.exe	svchost.exe
PID 2532 wrote to memory of 2484	2532	ddcithor.exe	svchost.exe
PID 2532 wrote to memory of 2484	2532	ddcithor.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dhmexdxr\
2⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ddcithor.exe" C:\Windows\SysWOW64\dhmexdxr\
2⤵
PID:2568

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create dhmexdxr binPath= "C:\Windows\SysWOW64\dhmexdxr\ddcithor.exe /d\"C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2752

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description dhmexdxr "wifi internet conection"
2⤵
- Launches sc.exe
PID:2552

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start dhmexdxr
2⤵
- Launches sc.exe
PID:2620

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2556

C:\Windows\SysWOW64\dhmexdxr\ddcithor.exe
C:\Windows\SysWOW64\dhmexdxr\ddcithor.exe /d"C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

1

T1562.001

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ddcithor.exe
Filesize
10.2MB

MD5
a903e7a15f48ac727e8a99b6344cd1d1

SHA1
2a8bbdd0a5e9f8667a7fa7ac663a9a875ecc1c40

SHA256
f2a45e63cd66bdf32e2b7ce3f7577bcdbb14a99f6cb45b6b7428353eef1fb4cb

SHA512
278769c871d9d6d62e6a1374f5f981fb1d5605a56fb0ca79176f1a4d58e03bd720d25d35ad9302e63a95b8d9643210f4389c311deab59e0c3a05f1266ff1fc58

Download Submit
memory/1760-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1760-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1760-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2484-12-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2484-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-9-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2484-17-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2484-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2484-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2532-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2532-7-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2532-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads