tofsee | 980694e35dbab6bfc383714316873fb3e9288df0df617404b4f83c8b6bdb79c8

General

Target

174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe
Size

142KB
MD5

174926665eeacc8ca38196b53f1cb5bb
SHA1

c7c0728973c935bdd74a4819f600bab970a0a51c
SHA256

980694e35dbab6bfc383714316873fb3e9288df0df617404b4f83c8b6bdb79c8
SHA512

3afe95fdc6ddbe6f0bb85643df28f70d4a972e7362eb56baa7d835b08a4f9fcaf2028b84efd11975c257d1cc15c3eaee4ce7ddd2f120fbf96560f9faba9b336b
SSDEEP

3072:9X3VXWiUmL3QMSSoJvnra4BcwfMq/eTW8qz8x:iKboJDDBcwt/vQ

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2492 netsh.exe

pid	process
2492	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ixzeanec\ImagePath = "C:\\Windows\\SysWOW64\\ixzeanec\\bkautsbr.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

4752 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

bkautsbr.exe

pid process

4004 bkautsbr.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bkautsbr.exe

description pid process target process

PID 4004 set thread context of 4752 4004 bkautsbr.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3636 sc.exe
1716 sc.exe
1744 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4752	svchost.exe

pid	process
4004	bkautsbr.exe

description	pid	process	target process
PID 4004 set thread context of 4752	4004	bkautsbr.exe	svchost.exe

pid	process
3636	sc.exe
1716	sc.exe
1744	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exebkautsbr.exe

description	pid	process	target process
PID 1396 wrote to memory of 2792	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	cmd.exe
PID 1396 wrote to memory of 2792	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	cmd.exe
PID 1396 wrote to memory of 2792	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	cmd.exe
PID 1396 wrote to memory of 2328	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	cmd.exe
PID 1396 wrote to memory of 2328	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	cmd.exe
PID 1396 wrote to memory of 2328	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	cmd.exe
PID 1396 wrote to memory of 3636	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 3636	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 3636	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 1716	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 1716	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 1716	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 1744	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 1744	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 1744	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	sc.exe
PID 1396 wrote to memory of 2492	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	netsh.exe
PID 1396 wrote to memory of 2492	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	netsh.exe
PID 1396 wrote to memory of 2492	1396	174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe	netsh.exe
PID 4004 wrote to memory of 4752	4004	bkautsbr.exe	svchost.exe
PID 4004 wrote to memory of 4752	4004	bkautsbr.exe	svchost.exe
PID 4004 wrote to memory of 4752	4004	bkautsbr.exe	svchost.exe
PID 4004 wrote to memory of 4752	4004	bkautsbr.exe	svchost.exe
PID 4004 wrote to memory of 4752	4004	bkautsbr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ixzeanec\
2⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bkautsbr.exe" C:\Windows\SysWOW64\ixzeanec\
2⤵
PID:2328

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ixzeanec binPath= "C:\Windows\SysWOW64\ixzeanec\bkautsbr.exe /d\"C:\Users\Admin\AppData\Local\Temp\174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:3636

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ixzeanec "wifi internet conection"
2⤵
- Launches sc.exe
PID:1716

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ixzeanec
2⤵
- Launches sc.exe
PID:1744

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2492

C:\Windows\SysWOW64\ixzeanec\bkautsbr.exe
C:\Windows\SysWOW64\ixzeanec\bkautsbr.exe /d"C:\Users\Admin\AppData\Local\Temp\174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bkautsbr.exe
Filesize
12.4MB

MD5
94a6b09b3da0db94609b08eb2337d7ce

SHA1
99b9742c7788e14f3085769cc2c3927f9d3a598b

SHA256
34297d3804e4048e25bc208b173e96ab9ac807541edc415f5438099280a4e81d

SHA512
50a20923432721098417ba175850de7dddf79aad73f4634218250ef0ec7185465f2600d564c06e6848e6017addd4a287c6d2e38347b94ea16bc3f27339bb1c7e

Download Submit
memory/1396-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1396-2-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1396-1-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1396-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4004-7-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/4004-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4004-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4752-9-0x0000000000850000-0x0000000000865000-memory.dmp

Filesize
84KB

Download
memory/4752-11-0x0000000000850000-0x0000000000865000-memory.dmp

Filesize
84KB

Download
memory/4752-13-0x0000000000850000-0x0000000000865000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads