tofsee | 5ff58c63e54e4bbbc6b4ec1aff3abb6275f8692a9f42a25dc9fcec70438a6bc6

General

Target

fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe
Size

11.8MB
MD5

fff0aab4de88fa3503e16290699ea84b
SHA1

9b6879a810a5f8609898f8f552067a237b67912b
SHA256

5ff58c63e54e4bbbc6b4ec1aff3abb6275f8692a9f42a25dc9fcec70438a6bc6
SHA512

3587ec145d1503bc06673592da1feca0e9d9fae5c6a968f2ee3d0ad37559a132a789d3e43205921413c5159c8aeac8789a4af0234ba894f74a04e9c436711c6e
SSDEEP

98304:+NWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllx:MW

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2328 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

nvkobzii.exe

pid process

2688 nvkobzii.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

nvkobzii.exe

description pid process target process

PID 2688 set thread context of 2416 2688 nvkobzii.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2812 sc.exe
3008 sc.exe
2732 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2328	netsh.exe

pid	process
2688	nvkobzii.exe

description	pid	process	target process
PID 2688 set thread context of 2416	2688	nvkobzii.exe	svchost.exe

pid	process
2812	sc.exe
3008	sc.exe
2732	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exenvkobzii.exe

description	pid	process	target process
PID 2324 wrote to memory of 2512	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2512	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2512	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2512	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2644	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2644	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2644	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2644	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2812	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 2812	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 2812	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 2812	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 3008	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 3008	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 3008	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 3008	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 2732	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 2732	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 2732	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 2732	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	sc.exe
PID 2324 wrote to memory of 2328	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	netsh.exe
PID 2324 wrote to memory of 2328	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	netsh.exe
PID 2324 wrote to memory of 2328	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	netsh.exe
PID 2324 wrote to memory of 2328	2324	fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe	netsh.exe
PID 2688 wrote to memory of 2416	2688	nvkobzii.exe	svchost.exe
PID 2688 wrote to memory of 2416	2688	nvkobzii.exe	svchost.exe
PID 2688 wrote to memory of 2416	2688	nvkobzii.exe	svchost.exe
PID 2688 wrote to memory of 2416	2688	nvkobzii.exe	svchost.exe
PID 2688 wrote to memory of 2416	2688	nvkobzii.exe	svchost.exe
PID 2688 wrote to memory of 2416	2688	nvkobzii.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wpehvajt\
2⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nvkobzii.exe" C:\Windows\SysWOW64\wpehvajt\
2⤵
PID:2644

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create wpehvajt binPath= "C:\Windows\SysWOW64\wpehvajt\nvkobzii.exe /d\"C:\Users\Admin\AppData\Local\Temp\fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2812

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description wpehvajt "wifi internet conection"
2⤵
- Launches sc.exe
PID:3008

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start wpehvajt
2⤵
- Launches sc.exe
PID:2732

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2328

C:\Windows\SysWOW64\wpehvajt\nvkobzii.exe
C:\Windows\SysWOW64\wpehvajt\nvkobzii.exe /d"C:\Users\Admin\AppData\Local\Temp\fff0aab4de88fa3503e16290699ea84b_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2416

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nvkobzii.exe
Filesize
11.8MB

MD5
fff0aab4de88fa3503e16290699ea84b

SHA1
9b6879a810a5f8609898f8f552067a237b67912b

SHA256
5ff58c63e54e4bbbc6b4ec1aff3abb6275f8692a9f42a25dc9fcec70438a6bc6

SHA512
3587ec145d1503bc06673592da1feca0e9d9fae5c6a968f2ee3d0ad37559a132a789d3e43205921413c5159c8aeac8789a4af0234ba894f74a04e9c436711c6e

Download Submit
memory/2324-1-0x0000000003800000-0x0000000003900000-memory.dmp

Filesize
1024KB

Download
memory/2324-2-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2324-4-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/2324-7-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/2324-9-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2416-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2416-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2688-10-0x0000000003B10000-0x0000000003C10000-memory.dmp

Filesize
1024KB

Download
memory/2688-16-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/2688-17-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download

Analysis

Sharing