tofsee | e5e6cb06a53338127e7bdd9d98203b2e4b736d5ad98da9e2db178a8a26582730

General

Target

04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe
Size

12.2MB
MD5

04d88bfc300b49a0e992b3dbcd2354d8
SHA1

eef78b4bae9d140a932d3fcb570e1f90b961b521
SHA256

e5e6cb06a53338127e7bdd9d98203b2e4b736d5ad98da9e2db178a8a26582730
SHA512

29f0f4f897e7181d3956349d64c6e03ae441e35f597735d093f30134e08a89d46c398417c30359b1a263138f6d9645b80fde0206862669444431c149e77f0e79
SSDEEP

196608:nE/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvH:nE

Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3028 netsh.exe

pid	process
3028	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hohounka\ImagePath = "C:\\Windows\\SysWOW64\\hohounka\\bexfdfnx.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

892 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

bexfdfnx.exe

pid process

1184 bexfdfnx.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bexfdfnx.exe

description pid process target process

PID 1184 set thread context of 892 1184 bexfdfnx.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4128 sc.exe
3012 sc.exe
3488 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
892	svchost.exe

pid	process
1184	bexfdfnx.exe

description	pid	process	target process
PID 1184 set thread context of 892	1184	bexfdfnx.exe	svchost.exe

pid	process
4128	sc.exe
3012	sc.exe
3488	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4804 4992 WerFault.exe 04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe
3960 1184 WerFault.exe bexfdfnx.exe

pid	pid_target	process	target process
4804	4992	WerFault.exe	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe
3960	1184	WerFault.exe	bexfdfnx.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exebexfdfnx.exe

description	pid	process	target process
PID 4992 wrote to memory of 4272	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 4992 wrote to memory of 4272	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 4992 wrote to memory of 4272	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 4992 wrote to memory of 1356	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 4992 wrote to memory of 1356	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 4992 wrote to memory of 1356	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	cmd.exe
PID 4992 wrote to memory of 4128	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 4128	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 4128	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 3012	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 3012	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 3012	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 3488	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 3488	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 3488	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	sc.exe
PID 4992 wrote to memory of 3028	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	netsh.exe
PID 4992 wrote to memory of 3028	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	netsh.exe
PID 4992 wrote to memory of 3028	4992	04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe	netsh.exe
PID 1184 wrote to memory of 892	1184	bexfdfnx.exe	svchost.exe
PID 1184 wrote to memory of 892	1184	bexfdfnx.exe	svchost.exe
PID 1184 wrote to memory of 892	1184	bexfdfnx.exe	svchost.exe
PID 1184 wrote to memory of 892	1184	bexfdfnx.exe	svchost.exe
PID 1184 wrote to memory of 892	1184	bexfdfnx.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hohounka\
2⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bexfdfnx.exe" C:\Windows\SysWOW64\hohounka\
2⤵
PID:1356

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create hohounka binPath= "C:\Windows\SysWOW64\hohounka\bexfdfnx.exe /d\"C:\Users\Admin\AppData\Local\Temp\04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4128

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description hohounka "wifi internet conection"
2⤵
- Launches sc.exe
PID:3012

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start hohounka
2⤵
- Launches sc.exe
PID:3488

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1044
2⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\hohounka\bexfdfnx.exe
C:\Windows\SysWOW64\hohounka\bexfdfnx.exe /d"C:\Users\Admin\AppData\Local\Temp\04d88bfc300b49a0e992b3dbcd2354d8_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 520
2⤵
- Program crash
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4992 -ip 4992
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1184 -ip 1184
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bexfdfnx.exe
Filesize
11.8MB

MD5
6eca92c054859309e54b625142f66766

SHA1
84ee9cb8fe1b0ce203959f00dba65ba98fb6cf07

SHA256
4766e20ad91f05f8429153767fe4a3923b785298021bc97cb71b506584d28010

SHA512
0f1e4bd5d62da64e4bea0a2b2efe08c7354e7597418a6e6142084d36dbc0ece1fdddd83d3ece1685a4f471abbd92a4145ddee9f5905439448981854e0c483a67

Download Submit
memory/892-11-0x0000000000640000-0x0000000000655000-memory.dmp

Filesize
84KB

Download
memory/892-14-0x0000000000640000-0x0000000000655000-memory.dmp

Filesize
84KB

Download
memory/892-17-0x0000000000640000-0x0000000000655000-memory.dmp

Filesize
84KB

Download
memory/1184-13-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1184-15-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/4992-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4992-1-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/4992-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4992-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4992-9-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4992-8-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads