tofsee | 7205337d6c5ab0aaf2ee3fdc3dc890d8a385e7eefc5115700c7034ddacad6826

General

Target

020356f14633236e606e969972babe31_JaffaCakes118.exe
Size

171KB
MD5

020356f14633236e606e969972babe31
SHA1

3e8ebc61aeaf8dabcc17e8fb630cb2c75b2d2405
SHA256

7205337d6c5ab0aaf2ee3fdc3dc890d8a385e7eefc5115700c7034ddacad6826
SHA512

5bf953ae11b152b3633514e924d461300194ae562bb63f1b22af46c61c9bdb69f72b8aa28e6c1127a98bdb6aecc0b4bde453e031aa6a36acdbf840af7db5b875
SSDEEP

3072:HQY5swdevhaGJVeYJi8LeDUGDQYUj5uF4qHrNFAvPLq/Ns:wNwLkyM0F5JF2jqls

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

020356f14633236e606e969972babe31_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	020356f14633236e606e969972babe31_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

finek.exefinek.exe

pid process

4448 finek.exe
1808 finek.exe

pid	process
4448	finek.exe
1808	finek.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

020356f14633236e606e969972babe31_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\finek.exe\" /r"	020356f14633236e606e969972babe31_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

020356f14633236e606e969972babe31_JaffaCakes118.exefinek.exefinek.exe

description	pid	process	target process
PID 4940 set thread context of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 4448 set thread context of 1808	4448	finek.exe	finek.exe
PID 1808 set thread context of 3316	1808	finek.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

944 3316 WerFault.exe svchost.exe

pid	pid_target	process	target process
944	3316	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

020356f14633236e606e969972babe31_JaffaCakes118.exe020356f14633236e606e969972babe31_JaffaCakes118.exefinek.exefinek.exe

description	pid	process	target process
PID 4940 wrote to memory of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 4940 wrote to memory of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 4940 wrote to memory of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 4940 wrote to memory of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 4940 wrote to memory of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 4940 wrote to memory of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 4940 wrote to memory of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 4940 wrote to memory of 2588	4940	020356f14633236e606e969972babe31_JaffaCakes118.exe	020356f14633236e606e969972babe31_JaffaCakes118.exe
PID 2588 wrote to memory of 4448	2588	020356f14633236e606e969972babe31_JaffaCakes118.exe	finek.exe
PID 2588 wrote to memory of 4448	2588	020356f14633236e606e969972babe31_JaffaCakes118.exe	finek.exe
PID 2588 wrote to memory of 4448	2588	020356f14633236e606e969972babe31_JaffaCakes118.exe	finek.exe
PID 4448 wrote to memory of 1808	4448	finek.exe	finek.exe
PID 4448 wrote to memory of 1808	4448	finek.exe	finek.exe
PID 4448 wrote to memory of 1808	4448	finek.exe	finek.exe
PID 4448 wrote to memory of 1808	4448	finek.exe	finek.exe
PID 4448 wrote to memory of 1808	4448	finek.exe	finek.exe
PID 4448 wrote to memory of 1808	4448	finek.exe	finek.exe
PID 4448 wrote to memory of 1808	4448	finek.exe	finek.exe
PID 4448 wrote to memory of 1808	4448	finek.exe	finek.exe
PID 1808 wrote to memory of 3316	1808	finek.exe	svchost.exe
PID 1808 wrote to memory of 3316	1808	finek.exe	svchost.exe
PID 1808 wrote to memory of 3316	1808	finek.exe	svchost.exe
PID 1808 wrote to memory of 3316	1808	finek.exe	svchost.exe
PID 1808 wrote to memory of 3316	1808	finek.exe	svchost.exe
PID 2588 wrote to memory of 4984	2588	020356f14633236e606e969972babe31_JaffaCakes118.exe	cmd.exe
PID 2588 wrote to memory of 4984	2588	020356f14633236e606e969972babe31_JaffaCakes118.exe	cmd.exe
PID 2588 wrote to memory of 4984	2588	020356f14633236e606e969972babe31_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\020356f14633236e606e969972babe31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020356f14633236e606e969972babe31_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\020356f14633236e606e969972babe31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020356f14633236e606e969972babe31_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\finek.exe
"C:\Users\Admin\finek.exe" /r
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\finek.exe
"C:\Users\Admin\finek.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 320
6⤵
- Program crash
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1463.bat" "
3⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3316 -ip 3316
1⤵
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1463.bat

Filesize
117B

MD5
fe6bdd24593bd0898c7135aeed49cccc

SHA1
fa278ae7b95b402f4d181d440974672b1dc4b84f

SHA256
61b9caecdbd3a2ac217adf1c671ce53f51375e1147d7f3e78d87ba5169d79071

SHA512
b693b87d0f6db69f1615f423086a97521a5dc48899eb03d276c60edeb5c26f07d5bd68cccc92ede1338f9f040088a8089912d80a2f842d011e503f2f15f54978

Download Submit
C:\Users\Admin\finek.exe

Filesize
171KB

MD5
020356f14633236e606e969972babe31

SHA1
3e8ebc61aeaf8dabcc17e8fb630cb2c75b2d2405

SHA256
7205337d6c5ab0aaf2ee3fdc3dc890d8a385e7eefc5115700c7034ddacad6826

SHA512
5bf953ae11b152b3633514e924d461300194ae562bb63f1b22af46c61c9bdb69f72b8aa28e6c1127a98bdb6aecc0b4bde453e031aa6a36acdbf840af7db5b875

Download Submit
memory/2588-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2588-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2588-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2588-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3316-13-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3316-18-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3316-27-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3316-28-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3316-29-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3316-30-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads