tofsee | d8369336f4c5bab691e2fc846c783ac565c2a935a43ae3d982847cf8321f3a97

General

Target

ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe
Size

11.8MB
MD5

ff7abacc6eb717ab0762f0b2f77bc28a
SHA1

4f52a940cfd2ec6e553f2e1a8a736c990bd65a40
SHA256

d8369336f4c5bab691e2fc846c783ac565c2a935a43ae3d982847cf8321f3a97
SHA512

49ed6f215b007569122e2be67b3e1864656cf0038c127e2035fe1ea6c26d7b6be4f074f7cefdf93892eff8821f4c121d4b69450d6dccf567df953c01c4a49619
SSDEEP

196608:wV8YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYf:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1688 netsh.exe

pid	process
1688	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tmdfoegq\ImagePath = "C:\\Windows\\SysWOW64\\tmdfoegq\\tqizvmig.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3332 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

tqizvmig.exe

pid process

1452 tqizvmig.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tqizvmig.exe

description pid process target process

PID 1452 set thread context of 3332 1452 tqizvmig.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3960 sc.exe
4336 sc.exe
2060 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2544 4760 WerFault.exe ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe
3036 1452 WerFault.exe tqizvmig.exe

pid	process
3332	svchost.exe

pid	process
1452	tqizvmig.exe

description	pid	process	target process
PID 1452 set thread context of 3332	1452	tqizvmig.exe	svchost.exe

pid	process
3960	sc.exe
4336	sc.exe
2060	sc.exe

pid	pid_target	process	target process
2544	4760	WerFault.exe	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe
3036	1452	WerFault.exe	tqizvmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exetqizvmig.exe

description	pid	process	target process
PID 4760 wrote to memory of 2080	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	cmd.exe
PID 4760 wrote to memory of 2080	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	cmd.exe
PID 4760 wrote to memory of 2080	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	cmd.exe
PID 4760 wrote to memory of 3536	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	cmd.exe
PID 4760 wrote to memory of 3536	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	cmd.exe
PID 4760 wrote to memory of 3536	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	cmd.exe
PID 4760 wrote to memory of 4336	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 4336	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 4336	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 2060	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 2060	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 2060	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 3960	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 3960	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 3960	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	sc.exe
PID 4760 wrote to memory of 1688	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	netsh.exe
PID 4760 wrote to memory of 1688	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	netsh.exe
PID 4760 wrote to memory of 1688	4760	ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe	netsh.exe
PID 1452 wrote to memory of 3332	1452	tqizvmig.exe	svchost.exe
PID 1452 wrote to memory of 3332	1452	tqizvmig.exe	svchost.exe
PID 1452 wrote to memory of 3332	1452	tqizvmig.exe	svchost.exe
PID 1452 wrote to memory of 3332	1452	tqizvmig.exe	svchost.exe
PID 1452 wrote to memory of 3332	1452	tqizvmig.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tmdfoegq\
2⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tqizvmig.exe" C:\Windows\SysWOW64\tmdfoegq\
2⤵
PID:3536

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create tmdfoegq binPath= "C:\Windows\SysWOW64\tmdfoegq\tqizvmig.exe /d\"C:\Users\Admin\AppData\Local\Temp\ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4336

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description tmdfoegq "wifi internet conection"
2⤵
- Launches sc.exe
PID:2060

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start tmdfoegq
2⤵
- Launches sc.exe
PID:3960

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 572
2⤵
- Program crash
PID:2544

C:\Windows\SysWOW64\tmdfoegq\tqizvmig.exe
C:\Windows\SysWOW64\tmdfoegq\tqizvmig.exe /d"C:\Users\Admin\AppData\Local\Temp\ff7abacc6eb717ab0762f0b2f77bc28a_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 512
2⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4760 -ip 4760
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1452 -ip 1452
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tqizvmig.exe

Filesize
12.4MB

MD5
0d909e5829030b219385448a28bf8728

SHA1
67f4d15f889ff71e29c51168ad493bad98bd1832

SHA256
6b67c9709530cb19fd6ae66b7b95f96bd4ed8022440bf2ecb921f49eccadd8b2

SHA512
8b08b9fdba0b60001116ff4566737c34485e7fc22141eee7db7464ebbe03635731cca212c5f339de1cfd599471affb9b75bee542a07f58dacbbd424f25f06fb5

Download Submit
memory/1452-10-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/1452-12-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/1452-18-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/3332-11-0x0000000000FA0000-0x0000000000FB5000-memory.dmp

Filesize
84KB

Download
memory/3332-15-0x0000000000FA0000-0x0000000000FB5000-memory.dmp

Filesize
84KB

Download
memory/3332-16-0x0000000000FA0000-0x0000000000FB5000-memory.dmp

Filesize
84KB

Download
memory/3332-17-0x0000000000FA0000-0x0000000000FB5000-memory.dmp

Filesize
84KB

Download
memory/3332-19-0x0000000000FA0000-0x0000000000FB5000-memory.dmp

Filesize
84KB

Download
memory/4760-4-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/4760-2-0x0000000002630000-0x0000000002643000-memory.dmp

Filesize
76KB

Download
memory/4760-7-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/4760-8-0x0000000002630000-0x0000000002643000-memory.dmp

Filesize
76KB

Download
memory/4760-1-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads