tofsee | 7205337d6c5ab0aaf2ee3fdc3dc890d8a385e7eefc5115700c7034ddacad6826

General

Target

020356f14633236e606e969972babe31_JaffaCakes118.exe
Size

171KB
MD5

020356f14633236e606e969972babe31
SHA1

3e8ebc61aeaf8dabcc17e8fb630cb2c75b2d2405
SHA256

7205337d6c5ab0aaf2ee3fdc3dc890d8a385e7eefc5115700c7034ddacad6826
SHA512

5bf953ae11b152b3633514e924d461300194ae562bb63f1b22af46c61c9bdb69f72b8aa28e6c1127a98bdb6aecc0b4bde453e031aa6a36acdbf840af7db5b875
SSDEEP

3072:HQY5swdevhaGJVeYJi8LeDUGDQYUj5uF4qHrNFAvPLq/Ns:wNwLkyM0F5JF2jqls

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2708 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

ukqp.exeukqp.exe

pid process

2288 ukqp.exe
1096 ukqp.exe
Loads dropped DLL 2 IoCs

Processes:

020356f14633236e606e969972babe31_JaffaCakes118.exe

pid process

2788 020356f14633236e606e969972babe31_JaffaCakes118.exe
2788 020356f14633236e606e969972babe31_JaffaCakes118.exe

pid	process
2708	cmd.exe

pid	process
2288	ukqp.exe
1096	ukqp.exe

pid	process
2788	020356f14633236e606e969972babe31_JaffaCakes118.exe
2788	020356f14633236e606e969972babe31_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

020356f14633236e606e969972babe31_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\ukqp.exe\" /r"	020356f14633236e606e969972babe31_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

020356f14633236e606e969972babe31_JaffaCakes118.exeukqp.exeukqp.exe

description	pid	process	target process
PID 2188 set thread context of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2288 set thread context of 1096	2288	ukqp.exe	ukqp.exe
PID 1096 set thread context of 2760	1096	ukqp.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

020356f14633236e606e969972babe31_JaffaCakes118.exe020356f14633236e606e969972babe31_JaffaCakes118.exeukqp.exeukqp.exe

description	pid	process	target process
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2188 wrote to memory of 2788	2188	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2788 wrote to memory of 2288	2788	020356f14633236e606e969972babe31_JaffaCakes118.exe	ukqp.exe
PID 2788 wrote to memory of 2288	2788	020356f14633236e606e969972babe31_JaffaCakes118.exe	ukqp.exe
PID 2788 wrote to memory of 2288	2788	020356f14633236e606e969972babe31_JaffaCakes118.exe	ukqp.exe
PID 2788 wrote to memory of 2288	2788	020356f14633236e606e969972babe31_JaffaCakes118.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 2288 wrote to memory of 1096	2288	ukqp.exe	ukqp.exe
PID 1096 wrote to memory of 2760	1096	ukqp.exe	svchost.exe
PID 1096 wrote to memory of 2760	1096	ukqp.exe	svchost.exe
PID 1096 wrote to memory of 2760	1096	ukqp.exe	svchost.exe
PID 1096 wrote to memory of 2760	1096	ukqp.exe	svchost.exe
PID 1096 wrote to memory of 2760	1096	ukqp.exe	svchost.exe
PID 1096 wrote to memory of 2760	1096	ukqp.exe	svchost.exe
PID 2788 wrote to memory of 2708	2788	020356f14633236e606e969972babe31_JaffaCakes118.exe	cmd.exe
PID 2788 wrote to memory of 2708	2788	020356f14633236e606e969972babe31_JaffaCakes118.exe	cmd.exe
PID 2788 wrote to memory of 2708	2788	020356f14633236e606e969972babe31_JaffaCakes118.exe	cmd.exe
PID 2788 wrote to memory of 2708	2788	020356f14633236e606e969972babe31_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\020356f14633236e606e969972babe31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020356f14633236e606e969972babe31_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\020356f14633236e606e969972babe31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020356f14633236e606e969972babe31_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\ukqp.exe
"C:\Users\Admin\ukqp.exe" /r
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\ukqp.exe
"C:\Users\Admin\ukqp.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7620.bat" "
3⤵
- Deletes itself
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7620.bat

Filesize
117B

MD5
fe6bdd24593bd0898c7135aeed49cccc

SHA1
fa278ae7b95b402f4d181d440974672b1dc4b84f

SHA256
61b9caecdbd3a2ac217adf1c671ce53f51375e1147d7f3e78d87ba5169d79071

SHA512
b693b87d0f6db69f1615f423086a97521a5dc48899eb03d276c60edeb5c26f07d5bd68cccc92ede1338f9f040088a8089912d80a2f842d011e503f2f15f54978

Download Submit
\Users\Admin\ukqp.exe

Filesize
171KB

MD5
020356f14633236e606e969972babe31

SHA1
3e8ebc61aeaf8dabcc17e8fb630cb2c75b2d2405

SHA256
7205337d6c5ab0aaf2ee3fdc3dc890d8a385e7eefc5115700c7034ddacad6826

SHA512
5bf953ae11b152b3633514e924d461300194ae562bb63f1b22af46c61c9bdb69f72b8aa28e6c1127a98bdb6aecc0b4bde453e031aa6a36acdbf840af7db5b875

Download Submit
memory/1096-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2760-50-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2760-46-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2760-42-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2760-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-57-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2788-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads