tofsee | e5e6cb06a53338127e7bdd9d98203b2e4b736d5ad98da9e2db178a8a26582730

General

Target

04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe
Size

12.2MB
MD5

04d88bfc300b49a0e992b3dbcd2354d8
SHA1

eef78b4bae9d140a932d3fcb570e1f90b961b521
SHA256

e5e6cb06a53338127e7bdd9d98203b2e4b736d5ad98da9e2db178a8a26582730
SHA512

29f0f4f897e7181d3956349d64c6e03ae441e35f597735d093f30134e08a89d46c398417c30359b1a263138f6d9645b80fde0206862669444431c149e77f0e79
SSDEEP

196608:nE/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvH:nE

Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gpqdmjtz = "0"	svchost.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2656 netsh.exe

pid	process
2656	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gpqdmjtz\ImagePath = "C:\\Windows\\SysWOW64\\gpqdmjtz\\gnzmvijd.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3024 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

gnzmvijd.exe

pid process

2604 gnzmvijd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

gnzmvijd.exe

description pid process target process

PID 2604 set thread context of 3024 2604 gnzmvijd.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2956 sc.exe
2728 sc.exe
2920 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3024	svchost.exe

pid	process
2604	gnzmvijd.exe

description	pid	process	target process
PID 2604 set thread context of 3024	2604	gnzmvijd.exe	svchost.exe

pid	process
2956	sc.exe
2728	sc.exe
2920	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exegnzmvijd.exe

description	pid	process	target process
PID 2944 wrote to memory of 2600	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2600	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2600	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2600	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2684	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2684	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2684	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2684	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2956	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2956	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2956	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2956	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2728	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2728	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2728	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2728	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2920	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2920	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2920	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2920	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 2944 wrote to memory of 2656	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	netsh.exe
PID 2944 wrote to memory of 2656	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	netsh.exe
PID 2944 wrote to memory of 2656	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	netsh.exe
PID 2944 wrote to memory of 2656	2944	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	netsh.exe
PID 2604 wrote to memory of 3024	2604	gnzmvijd.exe	svchost.exe
PID 2604 wrote to memory of 3024	2604	gnzmvijd.exe	svchost.exe
PID 2604 wrote to memory of 3024	2604	gnzmvijd.exe	svchost.exe
PID 2604 wrote to memory of 3024	2604	gnzmvijd.exe	svchost.exe
PID 2604 wrote to memory of 3024	2604	gnzmvijd.exe	svchost.exe
PID 2604 wrote to memory of 3024	2604	gnzmvijd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gpqdmjtz\
2⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gnzmvijd.exe" C:\Windows\SysWOW64\gpqdmjtz\
2⤵
PID:2684

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gpqdmjtz binPath= "C:\Windows\SysWOW64\gpqdmjtz\gnzmvijd.exe /d\"C:\Users\Admin\AppData\Local\Temp\04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2956

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description gpqdmjtz "wifi internet conection"
2⤵
- Launches sc.exe
PID:2728

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start gpqdmjtz
2⤵
- Launches sc.exe
PID:2920

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2656

C:\Windows\SysWOW64\gpqdmjtz\gnzmvijd.exe
C:\Windows\SysWOW64\gpqdmjtz\gnzmvijd.exe /d"C:\Users\Admin\AppData\Local\Temp\04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gnzmvijd.exe

Filesize
13.3MB

MD5
4b04316f1e037ff6d27dbdadd1d73299

SHA1
c339c19c76caff9493bb4dd6f17c0bc1b24da5f0

SHA256
f185f3455558525eef560fae038ee3a51a349c690bbdd8638b0676e89dd56372

SHA512
757be18412e69931621ee6550eaec60492d07d1cc75976035d5610818bef284595a8897dafbd48970a48e828f65643d6cfef55a846a02c228c4979e8fa1a6333

Download Submit
memory/2604-15-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2944-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2944-1-0x00000000009E0000-0x0000000000AE0000-memory.dmp

Filesize
1024KB

Download
memory/2944-6-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2944-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2944-7-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2944-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/3024-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/3024-17-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/3024-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/3024-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads