tofsee | 57c5476b2f41ec87a6b74153c52b442d47172ad8f59a578e4ac6e902dec3be3f

General

Target

fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe
Size

10.4MB
MD5

fc3bb27a0cf68b519a1ff98126da4083
SHA1

d52434e6d7326478e4d2931b379ed30c31ead569
SHA256

57c5476b2f41ec87a6b74153c52b442d47172ad8f59a578e4ac6e902dec3be3f
SHA512

8fded19f127deaa5d52d8c88b89009ebf1626ada44556fcc50e9cd048c399c31d89668232db2790afbbbf0072cb5806a7f00e92391c0815f39211cbf9c7ffcdc
SSDEEP

3072:EOsUA8KZQ/IxsPVg4nkvzaHWgSjqdF0w2Uyopz9ZeCqJXXfehv1Ijoxw9xkaaaaK:eUA8GV2e4nYWHEjqPt9cCqxmhv1pxQ

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2740 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

ndykequm.exe

pid process

2460 ndykequm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ndykequm.exe

description pid process target process

PID 2460 set thread context of 2828 2460 ndykequm.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2664 sc.exe
2652 sc.exe
2868 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2740	netsh.exe

pid	process
2460	ndykequm.exe

description	pid	process	target process
PID 2460 set thread context of 2828	2460	ndykequm.exe	svchost.exe

pid	process
2664	sc.exe
2652	sc.exe
2868	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exendykequm.exe

description	pid	process	target process
PID 2976 wrote to memory of 2856	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2856	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2856	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2856	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2128	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2128	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2128	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2128	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2664	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2664	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2664	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2664	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2652	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2652	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2652	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2652	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2868	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2868	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2868	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2868	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	sc.exe
PID 2976 wrote to memory of 2740	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	netsh.exe
PID 2976 wrote to memory of 2740	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	netsh.exe
PID 2976 wrote to memory of 2740	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	netsh.exe
PID 2976 wrote to memory of 2740	2976	fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe	netsh.exe
PID 2460 wrote to memory of 2828	2460	ndykequm.exe	svchost.exe
PID 2460 wrote to memory of 2828	2460	ndykequm.exe	svchost.exe
PID 2460 wrote to memory of 2828	2460	ndykequm.exe	svchost.exe
PID 2460 wrote to memory of 2828	2460	ndykequm.exe	svchost.exe
PID 2460 wrote to memory of 2828	2460	ndykequm.exe	svchost.exe
PID 2460 wrote to memory of 2828	2460	ndykequm.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qzybqyld\
2⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ndykequm.exe" C:\Windows\SysWOW64\qzybqyld\
2⤵
PID:2128

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qzybqyld binPath= "C:\Windows\SysWOW64\qzybqyld\ndykequm.exe /d\"C:\Users\Admin\AppData\Local\Temp\fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2664

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qzybqyld "wifi internet conection"
2⤵
- Launches sc.exe
PID:2652

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qzybqyld
2⤵
- Launches sc.exe
PID:2868

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2740

C:\Windows\SysWOW64\qzybqyld\ndykequm.exe
C:\Windows\SysWOW64\qzybqyld\ndykequm.exe /d"C:\Users\Admin\AppData\Local\Temp\fc3bb27a0cf68b519a1ff98126da4083_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2828

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndykequm.exe
Filesize
14.0MB

MD5
eb434c604bc873bb4d831bb43d0074bc

SHA1
5fa0e86e304899c49e0e130666546e07ef160bc7

SHA256
ff8cba3acc79553990f02fc7be37255d110849d8441c55f3ff6e579d413e184b

SHA512
f607cd3c6463fc08b852302c310cc7ca3ee19eda07f73f5e740758bc58cc4cdcfef290b8738013455f0c9a8b274133f33d954c98c253f2714d0cda126e9adfc2

Download Submit
memory/2460-9-0x00000000009E0000-0x0000000000AE0000-memory.dmp

Filesize
1024KB

Download
memory/2460-10-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/2460-16-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/2828-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2828-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2976-1-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/2976-3-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2976-4-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/2976-8-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing