tofsee | b45ec3d6bc959bc7656fa4825e315d3ad564ec978b1ce173ff57b139f36ce333

General

Target

f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe
Size

12.3MB
MD5

f5dc335c6eb083d57521aff14be3e7c6
SHA1

7b1002a0c0ef3916d930c1043c2f060971e27604
SHA256

b45ec3d6bc959bc7656fa4825e315d3ad564ec978b1ce173ff57b139f36ce333
SHA512

a88e7b4bf9a011c813816018cbaafd9e93a502a6370063b79782c6709637d8a7ddcc04f20f5b74e7d6e4f85f64b2bbfdb8222fd55e0914831736ba49f337c4d0
SSDEEP

24576:kgdy5yNM4444444444444444444444444444444444444444444444444444444L:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\eyjzqjdt = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2684 netsh.exe

pid	process
2684	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eyjzqjdt\ImagePath = "C:\\Windows\\SysWOW64\\eyjzqjdt\\asbjgtfz.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2760 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

asbjgtfz.exe

pid process

2576 asbjgtfz.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

asbjgtfz.exe

description pid process target process

PID 2576 set thread context of 2760 2576 asbjgtfz.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3020 sc.exe
2564 sc.exe
2672 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2760	svchost.exe

pid	process
2576	asbjgtfz.exe

description	pid	process	target process
PID 2576 set thread context of 2760	2576	asbjgtfz.exe	svchost.exe

pid	process
3020	sc.exe
2564	sc.exe
2672	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exeasbjgtfz.exe

description	pid	process	target process
PID 2876 wrote to memory of 3040	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 3040	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 3040	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 3040	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2616	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2616	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2616	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2616	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 3020	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 3020	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 3020	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 3020	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2564	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2564	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2564	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2564	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2672	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2672	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2672	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2672	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	sc.exe
PID 2876 wrote to memory of 2684	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	netsh.exe
PID 2876 wrote to memory of 2684	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	netsh.exe
PID 2876 wrote to memory of 2684	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	netsh.exe
PID 2876 wrote to memory of 2684	2876	f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe	netsh.exe
PID 2576 wrote to memory of 2760	2576	asbjgtfz.exe	svchost.exe
PID 2576 wrote to memory of 2760	2576	asbjgtfz.exe	svchost.exe
PID 2576 wrote to memory of 2760	2576	asbjgtfz.exe	svchost.exe
PID 2576 wrote to memory of 2760	2576	asbjgtfz.exe	svchost.exe
PID 2576 wrote to memory of 2760	2576	asbjgtfz.exe	svchost.exe
PID 2576 wrote to memory of 2760	2576	asbjgtfz.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eyjzqjdt\
2⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\asbjgtfz.exe" C:\Windows\SysWOW64\eyjzqjdt\
2⤵
PID:2616

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create eyjzqjdt binPath= "C:\Windows\SysWOW64\eyjzqjdt\asbjgtfz.exe /d\"C:\Users\Admin\AppData\Local\Temp\f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:3020

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description eyjzqjdt "wifi internet conection"
2⤵
- Launches sc.exe
PID:2564

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start eyjzqjdt
2⤵
- Launches sc.exe
PID:2672

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2684

C:\Windows\SysWOW64\eyjzqjdt\asbjgtfz.exe
C:\Windows\SysWOW64\eyjzqjdt\asbjgtfz.exe /d"C:\Users\Admin\AppData\Local\Temp\f5dc335c6eb083d57521aff14be3e7c6_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

1

T1562.001

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asbjgtfz.exe
Filesize
13.8MB

MD5
25e8e0c8332c6d99079d158e2c86e2f4

SHA1
43144022fbd48de8ad8e712b11b1e48b728dd921

SHA256
cd5f393f2dc22eff65b1e54d1933b5dc284a76be3f9f3d4ec9de5cc76f421dbc

SHA512
da34181d0e89244071ceebdbe918e4cf0520958563675e77f422d19ee39f4bd0515e20b0c9296f9e5a78c02b1ce7ba80979fb3e67874169fafdebb3cf390a14b

Download Submit
memory/2576-14-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2576-13-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2576-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-9-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2760-12-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2760-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2760-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2760-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2876-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2876-3-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2876-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2876-1-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads