tofsee | c980f397ea8ed1320a3cb81a5e347bd60794bd54e2d7348aee8a7adea1b1beb4

General

Target

77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe
Size

142KB
MD5

77dd2e67ae3a0d69f2c7b8d8619e9d9d
SHA1

4736ebc4bcc6dea80889ca46575a0d9d10ee05f9
SHA256

c980f397ea8ed1320a3cb81a5e347bd60794bd54e2d7348aee8a7adea1b1beb4
SHA512

deb8ad9fd4693cb01d158a416105345c8a6e62690654bacfcc49947a684c87167618d1bfec1df83701d4e388ad00490771bf3ed47cc5d953b167fd0c6cbf2b5c
SSDEEP

3072:y9Tpm/Wn628w6rzTkYfiL2+jKfgi4m5nuGFU6W6WN06QUj:teizwFLnKP46uC2

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4904 netsh.exe

pid	process
4904	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lwnqfbta\ImagePath = "C:\\Windows\\SysWOW64\\lwnqfbta\\hgqhbzoa.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

4508 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

hgqhbzoa.exe

pid process

4924 hgqhbzoa.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hgqhbzoa.exe

description pid process target process

PID 4924 set thread context of 4508 4924 hgqhbzoa.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1544 sc.exe
3508 sc.exe
412 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4508	svchost.exe

pid	process
4924	hgqhbzoa.exe

description	pid	process	target process
PID 4924 set thread context of 4508	4924	hgqhbzoa.exe	svchost.exe

pid	process
1544	sc.exe
3508	sc.exe
412	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exehgqhbzoa.exe

description	pid	process	target process
PID 4736 wrote to memory of 1760	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 1760	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 1760	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 1088	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 1088	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 1088	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 412	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 412	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 412	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 1544	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 1544	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 1544	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 3508	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 3508	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 3508	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	sc.exe
PID 4736 wrote to memory of 4904	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	netsh.exe
PID 4736 wrote to memory of 4904	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	netsh.exe
PID 4736 wrote to memory of 4904	4736	77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe	netsh.exe
PID 4924 wrote to memory of 4508	4924	hgqhbzoa.exe	svchost.exe
PID 4924 wrote to memory of 4508	4924	hgqhbzoa.exe	svchost.exe
PID 4924 wrote to memory of 4508	4924	hgqhbzoa.exe	svchost.exe
PID 4924 wrote to memory of 4508	4924	hgqhbzoa.exe	svchost.exe
PID 4924 wrote to memory of 4508	4924	hgqhbzoa.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lwnqfbta\
2⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hgqhbzoa.exe" C:\Windows\SysWOW64\lwnqfbta\
2⤵
PID:1088

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create lwnqfbta binPath= "C:\Windows\SysWOW64\lwnqfbta\hgqhbzoa.exe /d\"C:\Users\Admin\AppData\Local\Temp\77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:412

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description lwnqfbta "wifi internet conection"
2⤵
- Launches sc.exe
PID:1544

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start lwnqfbta
2⤵
- Launches sc.exe
PID:3508

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4904

C:\Windows\SysWOW64\lwnqfbta\hgqhbzoa.exe
C:\Windows\SysWOW64\lwnqfbta\hgqhbzoa.exe /d"C:\Users\Admin\AppData\Local\Temp\77dd2e67ae3a0d69f2c7b8d8619e9d9d_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:4508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hgqhbzoa.exe
Filesize
10.6MB

MD5
75cf8ed0107282e61eb029e501dddc70

SHA1
91555ca95b94671ec9f9bedf323f7313d3d6ffdf

SHA256
4867571d447cd49dace320b07f5c4ad45cde1b89e88497d35e2b92bacf1afc90

SHA512
5bcb1809cfce4958ecb8c32fde4961bd8581ae73c2990f2ae225d74ecfafbcb665214495eaa626212ef7a44c1d9f03ee7b6d2c4efc9bd8123d8c014f41220f59

Download Submit
memory/4508-8-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

Filesize
84KB

Download
memory/4508-12-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

Filesize
84KB

Download
memory/4508-13-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/4508-14-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

Filesize
84KB

Download
memory/4736-1-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4736-2-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4736-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4736-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4924-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4924-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads