tofsee | 8268704a7d561c3b77519503ac645bee86e62991cb3844bc90e12515d468afcd

General

Target

041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe
Size

98KB
MD5

041f1786762e19b8f29423a19ca0498c
SHA1

5ccb39b1480d9c693b429f35b0f7f3e5afb0730e
SHA256

8268704a7d561c3b77519503ac645bee86e62991cb3844bc90e12515d468afcd
SHA512

41b565b4e981fca822f9c95ea65ef1da13386a199612609d94a4056cc04824abf03e70bdc5e7869ebd47dfc1ed36f5eda40dd665070b9b557e35cd07b726c6ec
SSDEEP

1536:2u7R8+GeLxCi1s95kG0tTZaNxas1Y29db/vIHduOfpkwMEkR:2u7RBtlHs9z0PSxJ1T1/vIAEyLEs

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rehtzo = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2428 netsh.exe

pid	process
2428	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rehtzo\ImagePath = "C:\\Windows\\SysWOW64\\rehtzo\\bwdazwst.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2452 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

bwdazwst.exe

pid process

2512 bwdazwst.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bwdazwst.exe

description pid process target process

PID 2512 set thread context of 2452 2512 bwdazwst.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2836 sc.exe
2052 sc.exe
2736 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2452	svchost.exe

pid	process
2512	bwdazwst.exe

description	pid	process	target process
PID 2512 set thread context of 2452	2512	bwdazwst.exe	svchost.exe

pid	process
2836	sc.exe
2052	sc.exe
2736	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exebwdazwst.exe

description	pid	process	target process
PID 2992 wrote to memory of 1956	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 1956	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 1956	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 1956	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 2520	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 2520	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 2520	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 2520	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 2836	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2836	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2836	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2836	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2052	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2052	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2052	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2052	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2736	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2736	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2736	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2992 wrote to memory of 2736	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	sc.exe
PID 2512 wrote to memory of 2452	2512	bwdazwst.exe	svchost.exe
PID 2512 wrote to memory of 2452	2512	bwdazwst.exe	svchost.exe
PID 2512 wrote to memory of 2452	2512	bwdazwst.exe	svchost.exe
PID 2512 wrote to memory of 2452	2512	bwdazwst.exe	svchost.exe
PID 2512 wrote to memory of 2452	2512	bwdazwst.exe	svchost.exe
PID 2512 wrote to memory of 2452	2512	bwdazwst.exe	svchost.exe
PID 2992 wrote to memory of 2428	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	netsh.exe
PID 2992 wrote to memory of 2428	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	netsh.exe
PID 2992 wrote to memory of 2428	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	netsh.exe
PID 2992 wrote to memory of 2428	2992	041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rehtzo\
2⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bwdazwst.exe" C:\Windows\SysWOW64\rehtzo\
2⤵
PID:2520

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create rehtzo binPath= "C:\Windows\SysWOW64\rehtzo\bwdazwst.exe /d\"C:\Users\Admin\AppData\Local\Temp\041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2836

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description rehtzo "wifi internet conection"
2⤵
- Launches sc.exe
PID:2052

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start rehtzo
2⤵
- Launches sc.exe
PID:2736

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2428

C:\Windows\SysWOW64\rehtzo\bwdazwst.exe
C:\Windows\SysWOW64\rehtzo\bwdazwst.exe /d"C:\Users\Admin\AppData\Local\Temp\041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

1

T1562.001

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bwdazwst.exe
Filesize
12.2MB

MD5
725e6d8af0ca2832df99145f9fe701ab

SHA1
24594dc32ef3b44dac2717d1324401e0f418de07

SHA256
c668d5faf7a3bfb9ce533c8ee424d02f969c0374987222bc73776910238a8d86

SHA512
36457f23f9af312c7b76f068432ee094e01e5dd759fe812515a641b49f31954943197acca41c1723818deaf43a311af8042ea82215ab610559a12d210a6d6acb

Download Submit
memory/2452-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2452-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-7-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2452-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2452-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2512-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2992-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads