tofsee | 40ddfa5e9adf75169f553482db151abecf58134e1b80f2681f9528e85fb204c3

General

Target

91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe
Size

142KB
MD5

91e150cf143714919e8f076e28ffa0af
SHA1

9f77919f92363378b6910acec411b1d4b8fce86b
SHA256

40ddfa5e9adf75169f553482db151abecf58134e1b80f2681f9528e85fb204c3
SHA512

9aad4f50d92d14914d872852939f75c903f892b9ab0d761ee6f4bcea92ca7109b411b2564562b80a876b90de2a92370c3ccc85874939e24b2a281828f4cdad8a
SSDEEP

3072:PO8/FLfgq6rzTkYfiL2+jKfgi4m5nuGFU6W6WNU6b37:N94zwFLnKP46uC

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\huulgpiv = "0"	svchost.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2524 netsh.exe

pid	process
2524	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\huulgpiv\ImagePath = "C:\\Windows\\SysWOW64\\huulgpiv\\poypjhwi.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2672 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

poypjhwi.exe

pid process

2472 poypjhwi.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

poypjhwi.exe

description pid process target process

PID 2472 set thread context of 2672 2472 poypjhwi.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2828 sc.exe
2816 sc.exe
2152 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2672	svchost.exe

pid	process
2472	poypjhwi.exe

description	pid	process	target process
PID 2472 set thread context of 2672	2472	poypjhwi.exe	svchost.exe

pid	process
2828	sc.exe
2816	sc.exe
2152	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exepoypjhwi.exe

description	pid	process	target process
PID 2284 wrote to memory of 2972	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 2972	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 2972	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 2972	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 3004	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 3004	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 3004	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 3004	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 2828	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2828	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2828	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2828	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2816	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2816	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2816	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2816	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2152	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2152	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2152	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2152	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	sc.exe
PID 2284 wrote to memory of 2524	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	netsh.exe
PID 2284 wrote to memory of 2524	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	netsh.exe
PID 2284 wrote to memory of 2524	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	netsh.exe
PID 2284 wrote to memory of 2524	2284	91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe	netsh.exe
PID 2472 wrote to memory of 2672	2472	poypjhwi.exe	svchost.exe
PID 2472 wrote to memory of 2672	2472	poypjhwi.exe	svchost.exe
PID 2472 wrote to memory of 2672	2472	poypjhwi.exe	svchost.exe
PID 2472 wrote to memory of 2672	2472	poypjhwi.exe	svchost.exe
PID 2472 wrote to memory of 2672	2472	poypjhwi.exe	svchost.exe
PID 2472 wrote to memory of 2672	2472	poypjhwi.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\huulgpiv\
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\poypjhwi.exe" C:\Windows\SysWOW64\huulgpiv\
  2⤵
  PID:3004
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create huulgpiv binPath= "C:\Windows\SysWOW64\huulgpiv\poypjhwi.exe /d\"C:\Users\Admin\AppData\Local\Temp\91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2828
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description huulgpiv "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2816
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start huulgpiv
  2⤵
  - Launches sc.exe
  PID:2152
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2524

C:\Windows\SysWOW64\huulgpiv\poypjhwi.exe
C:\Windows\SysWOW64\huulgpiv\poypjhwi.exe /d"C:\Users\Admin\AppData\Local\Temp\91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\poypjhwi.exe

Filesize
14.2MB

MD5
39bc1100d3940ee21584098e89811423

SHA1
5a09920c9af40c3975f8aac3c4a589d32aa29fd7

SHA256
eabec44835c76adb7f8c22ae113592dd9499256125f86b88fe5d8201ab2394c7

SHA512
8ba261c7923b6f235063343eca6c6f2863c9eb6efd19388914c10e707fa7082121f5cff2cf289dd78e1cee051c586e2c24aab8c492cdf31e2900bb7d8c3dd53d

Download Submit
memory/2284-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2284-2-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2284-1-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2284-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2472-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2472-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2672-8-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/2672-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-13-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/2672-11-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/2672-15-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads