tofsee | c0aea4faca6ebef23d42c4daa61585c835aaa69cb819a29bf67b03881469bf04

General

Target

fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe
Size

13.6MB
MD5

fa05c055fc43c8c597197b590670ca85
SHA1

8b4e076dd4f300a82a21e255e14413737b575b4c
SHA256

c0aea4faca6ebef23d42c4daa61585c835aaa69cb819a29bf67b03881469bf04
SHA512

1455a615d3a8b3b0d50350da785784baf830f3b3b10cabaa19c7d97a112a3334fbcc0e5a0883b3fa77135f1f173185a83c44f7d113f82b21000e9fa6ca090798
SSDEEP

49152:KR88888888888888888888888888888888888888888888888888888888888884:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

952 netsh.exe

pid	process
952	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tzfduarp\ImagePath = "C:\\Windows\\SysWOW64\\tzfduarp\\cdfgadyq.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

4756 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

cdfgadyq.exe

pid process

3968 cdfgadyq.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cdfgadyq.exe

description pid process target process

PID 3968 set thread context of 4756 3968 cdfgadyq.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3740 sc.exe
956 sc.exe
4720 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3644 4820 WerFault.exe fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe
2056 3968 WerFault.exe cdfgadyq.exe

pid	process
4756	svchost.exe

pid	process
3968	cdfgadyq.exe

description	pid	process	target process
PID 3968 set thread context of 4756	3968	cdfgadyq.exe	svchost.exe

pid	process
3740	sc.exe
956	sc.exe
4720	sc.exe

pid	pid_target	process	target process
3644	4820	WerFault.exe	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe
2056	3968	WerFault.exe	cdfgadyq.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

fa05c055fc43c8c597197b590670ca85_JaffaCakes118.execdfgadyq.exe

description	pid	process	target process
PID 4820 wrote to memory of 3732	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	cmd.exe
PID 4820 wrote to memory of 3732	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	cmd.exe
PID 4820 wrote to memory of 3732	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	cmd.exe
PID 4820 wrote to memory of 3788	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	cmd.exe
PID 4820 wrote to memory of 3788	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	cmd.exe
PID 4820 wrote to memory of 3788	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	cmd.exe
PID 4820 wrote to memory of 3740	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 3740	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 3740	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 956	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 956	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 956	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 4720	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 4720	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 4720	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	sc.exe
PID 4820 wrote to memory of 952	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	netsh.exe
PID 4820 wrote to memory of 952	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	netsh.exe
PID 4820 wrote to memory of 952	4820	fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe	netsh.exe
PID 3968 wrote to memory of 4756	3968	cdfgadyq.exe	svchost.exe
PID 3968 wrote to memory of 4756	3968	cdfgadyq.exe	svchost.exe
PID 3968 wrote to memory of 4756	3968	cdfgadyq.exe	svchost.exe
PID 3968 wrote to memory of 4756	3968	cdfgadyq.exe	svchost.exe
PID 3968 wrote to memory of 4756	3968	cdfgadyq.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tzfduarp\
2⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cdfgadyq.exe" C:\Windows\SysWOW64\tzfduarp\
2⤵
PID:3788

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create tzfduarp binPath= "C:\Windows\SysWOW64\tzfduarp\cdfgadyq.exe /d\"C:\Users\Admin\AppData\Local\Temp\fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:3740

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description tzfduarp "wifi internet conection"
2⤵
- Launches sc.exe
PID:956

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start tzfduarp
2⤵
- Launches sc.exe
PID:4720

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1032
2⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\tzfduarp\cdfgadyq.exe
C:\Windows\SysWOW64\tzfduarp\cdfgadyq.exe /d"C:\Users\Admin\AppData\Local\Temp\fa05c055fc43c8c597197b590670ca85_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 516
2⤵
- Program crash
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4820 -ip 4820
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3968 -ip 3968
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdfgadyq.exe
Filesize
11.8MB

MD5
1229c1b8610738320314be8ead566c59

SHA1
54a2fb77992de041925e920fdc0afff9e11d1d1e

SHA256
83ba4694f8f3af7e91037c1da3cc8bb09ad3e1aac6817c5f85fc6ccc7d67c15e

SHA512
4fff24e2828d15469c01823bdc83f5efd8b56030c38ff136ceed785e6ea7a7ad806490ad606c5be8451c05dcbd69a9371fb182f523abbee3f63d8156225184d4

Download Submit
memory/3968-10-0x0000000003360000-0x0000000003460000-memory.dmp

Filesize
1024KB

Download
memory/3968-14-0x0000000000400000-0x000000000323C000-memory.dmp

Filesize
46.2MB

Download
memory/3968-18-0x0000000000400000-0x000000000323C000-memory.dmp

Filesize
46.2MB

Download
memory/4756-11-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

Filesize
84KB

Download
memory/4756-16-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

Filesize
84KB

Download
memory/4756-17-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

Filesize
84KB

Download
memory/4756-19-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

Filesize
84KB

Download
memory/4820-4-0x0000000000400000-0x000000000323C000-memory.dmp

Filesize
46.2MB

Download
memory/4820-2-0x0000000004F70000-0x0000000004F83000-memory.dmp

Filesize
76KB

Download
memory/4820-8-0x0000000004F70000-0x0000000004F83000-memory.dmp

Filesize
76KB

Download
memory/4820-7-0x0000000000400000-0x000000000323C000-memory.dmp

Filesize
46.2MB

Download
memory/4820-1-0x00000000032F0000-0x00000000033F0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads