tofsee | 9c6f6cff204e5bc37c30d879e38c328d44a15040deab3fccf7d0b49bd3d0a24d

General

Target

ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe
Size

10.9MB
MD5

ff075df77fab0160980f37ef43349a38
SHA1

e52baf5a86caa2e97cfa1523f1d33c9ae146e2de
SHA256

9c6f6cff204e5bc37c30d879e38c328d44a15040deab3fccf7d0b49bd3d0a24d
SHA512

f4c0ee4fcfe5ecc8c87052164d9fb0fbfe9abafb47839a8e79b1d06e971904d5205d904790c0b425e0929a285c11b252b98cb4a1d2a3ddc3a220a1b32a503af8
SSDEEP

24576:ijDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBH:inh

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2456 netsh.exe

pid	process
2456	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fbvkzkpz\ImagePath = "C:\\Windows\\SysWOW64\\fbvkzkpz\\nfkkrjdh.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

nfkkrjdh.exe

pid process

4388 nfkkrjdh.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

nfkkrjdh.exe

description pid process target process

PID 4388 set thread context of 4592 4388 nfkkrjdh.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4696 sc.exe
4496 sc.exe
1456 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4388	nfkkrjdh.exe

description	pid	process	target process
PID 4388 set thread context of 4592	4388	nfkkrjdh.exe	svchost.exe

pid	process
4696	sc.exe
4496	sc.exe
1456	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ff075df77fab0160980f37ef43349a38_JaffaCakes118.exenfkkrjdh.exe

description	pid	process	target process
PID 2220 wrote to memory of 1264	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 1264	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 1264	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 4272	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 4272	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 4272	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 1456	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 1456	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 1456	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 4696	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 4696	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 4696	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 4496	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 4496	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 4496	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	sc.exe
PID 2220 wrote to memory of 2456	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	netsh.exe
PID 2220 wrote to memory of 2456	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	netsh.exe
PID 2220 wrote to memory of 2456	2220	ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe	netsh.exe
PID 4388 wrote to memory of 4592	4388	nfkkrjdh.exe	svchost.exe
PID 4388 wrote to memory of 4592	4388	nfkkrjdh.exe	svchost.exe
PID 4388 wrote to memory of 4592	4388	nfkkrjdh.exe	svchost.exe
PID 4388 wrote to memory of 4592	4388	nfkkrjdh.exe	svchost.exe
PID 4388 wrote to memory of 4592	4388	nfkkrjdh.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fbvkzkpz\
2⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nfkkrjdh.exe" C:\Windows\SysWOW64\fbvkzkpz\
2⤵
PID:4272

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create fbvkzkpz binPath= "C:\Windows\SysWOW64\fbvkzkpz\nfkkrjdh.exe /d\"C:\Users\Admin\AppData\Local\Temp\ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1456

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description fbvkzkpz "wifi internet conection"
2⤵
- Launches sc.exe
PID:4696

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start fbvkzkpz
2⤵
- Launches sc.exe
PID:4496

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2456

C:\Windows\SysWOW64\fbvkzkpz\nfkkrjdh.exe
C:\Windows\SysWOW64\fbvkzkpz\nfkkrjdh.exe /d"C:\Users\Admin\AppData\Local\Temp\ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nfkkrjdh.exe

Filesize
11.6MB

MD5
2cb4b9b69c22158bda989e7d072825f3

SHA1
8f65446ef964ac757ea583ac56a3d827066e9179

SHA256
df308b8589eeca8fd5eee6d9f9d9806016c78afdbfbf7d4a9c3edd58b4adcd27

SHA512
2ed7a6e1019b109c37001c9994a5920de852494a4c9852ecc64d5c5cc51ff1df163390511bedd930e5380b087c7ce6a0f3b686bccf921998771cc47a492c1616

Download Submit
memory/2220-2-0x00000000021B0000-0x00000000021C3000-memory.dmp

Filesize
76KB

Download
memory/2220-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2220-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2220-22-0x00000000021B0000-0x00000000021C3000-memory.dmp

Filesize
76KB

Download
memory/2220-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2220-21-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/4388-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4388-8-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/4388-9-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4592-10-0x0000000000E40000-0x0000000000E55000-memory.dmp

Filesize
84KB

Download
memory/4592-16-0x0000000000E40000-0x0000000000E55000-memory.dmp

Filesize
84KB

Download
memory/4592-15-0x0000000000E40000-0x0000000000E55000-memory.dmp

Filesize
84KB

Download
memory/4592-13-0x0000000000E40000-0x0000000000E55000-memory.dmp

Filesize
84KB

Download
memory/4592-25-0x0000000000E40000-0x0000000000E55000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads