tofsee | 87c6ef971a71bfe43bdfad91943ccfa5be1c895b19a1ae647fa2113664b4d38c

General

Target

82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
Size

142KB
MD5

82937ed0681d989a3200fed04a37fc57
SHA1

eaee5070f8cbbea37ea0fc03db6cff5380a2b570
SHA256

87c6ef971a71bfe43bdfad91943ccfa5be1c895b19a1ae647fa2113664b4d38c
SHA512

af5e4a3bd849c72171bf1b79c47577ab490ae66a7f93f73fbca0297cc876445489c23bc64d492013f59b6669c4bff10168313e8682a4c1c37caeed5a3867371e
SSDEEP

3072:FN7Re/+fHs+SSoJvnra4BcwfMq/eTW8qrU9f:AW5oJDDBcwt/v6

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2020 netsh.exe

pid	process
2020	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vgyanlzn\ImagePath = "C:\\Windows\\SysWOW64\\vgyanlzn\\aagcqqwo.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

4344 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

aagcqqwo.exe

pid process

4944 aagcqqwo.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

aagcqqwo.exe

description pid process target process

PID 4944 set thread context of 4344 4944 aagcqqwo.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4596 sc.exe
5092 sc.exe
2528 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4344	svchost.exe

pid	process
4944	aagcqqwo.exe

description	pid	process	target process
PID 4944 set thread context of 4344	4944	aagcqqwo.exe	svchost.exe

pid	process
4596	sc.exe
5092	sc.exe
2528	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exeaagcqqwo.exe

description	pid	process	target process
PID 2804 wrote to memory of 4968	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	cmd.exe
PID 2804 wrote to memory of 4968	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	cmd.exe
PID 2804 wrote to memory of 4968	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	cmd.exe
PID 2804 wrote to memory of 4036	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	cmd.exe
PID 2804 wrote to memory of 4036	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	cmd.exe
PID 2804 wrote to memory of 4036	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	cmd.exe
PID 2804 wrote to memory of 5092	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 5092	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 5092	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 2528	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 2528	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 2528	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 4596	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 4596	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 4596	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	sc.exe
PID 2804 wrote to memory of 2020	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	netsh.exe
PID 2804 wrote to memory of 2020	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	netsh.exe
PID 2804 wrote to memory of 2020	2804	82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe	netsh.exe
PID 4944 wrote to memory of 4344	4944	aagcqqwo.exe	svchost.exe
PID 4944 wrote to memory of 4344	4944	aagcqqwo.exe	svchost.exe
PID 4944 wrote to memory of 4344	4944	aagcqqwo.exe	svchost.exe
PID 4944 wrote to memory of 4344	4944	aagcqqwo.exe	svchost.exe
PID 4944 wrote to memory of 4344	4944	aagcqqwo.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vgyanlzn\
2⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aagcqqwo.exe" C:\Windows\SysWOW64\vgyanlzn\
2⤵
PID:4036

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create vgyanlzn binPath= "C:\Windows\SysWOW64\vgyanlzn\aagcqqwo.exe /d\"C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:5092

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description vgyanlzn "wifi internet conection"
2⤵
- Launches sc.exe
PID:2528

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start vgyanlzn
2⤵
- Launches sc.exe
PID:4596

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2020

C:\Windows\SysWOW64\vgyanlzn\aagcqqwo.exe
C:\Windows\SysWOW64\vgyanlzn\aagcqqwo.exe /d"C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:4344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aagcqqwo.exe
Filesize
10.1MB

MD5
3e08f4211773f68ae550eed9953f1777

SHA1
5e51b5f8d42eefef5b16db8a2c5026ddff9e976c

SHA256
9c8297ac1a29538139aa9ad80a0683c9d42a56e62bd663911c0f56ed93ba6f94

SHA512
7aa5748d6a59d6a28a7d0eeb6e7c2a34e5494a8266f20cb96cc59502fb68748b132b1ec913aecf8af82bedf8ff98f3f54db4080cd78f660d043e80d9cb688bde

Download Submit
memory/2804-0-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2804-1-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-2-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2804-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4344-9-0x00000000010E0000-0x00000000010F5000-memory.dmp

Filesize
84KB

Download
memory/4344-12-0x00000000010E0000-0x00000000010F5000-memory.dmp

Filesize
84KB

Download
memory/4344-13-0x00000000010E0000-0x00000000010F5000-memory.dmp

Filesize
84KB

Download
memory/4944-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4944-8-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4944-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads