tofsee | c24e9f212bf4aa4d09be65a48991d3d88a7f8c7964167b669655bae9fcf683aa

General

Target

2974e70f02767b10963e422142859413_JaffaCakes118.exe
Size

136KB
MD5

2974e70f02767b10963e422142859413
SHA1

10982b4f655d166b8145b14f57adae7b265a1559
SHA256

c24e9f212bf4aa4d09be65a48991d3d88a7f8c7964167b669655bae9fcf683aa
SHA512

f41fb5551cfa66f2efbc29ce7be0cfffba83309f37078346bdf01db0314f072626054a2eb34d4602b596b4cb74e6f068f65825a3a9a6872b115644c8c766d90a
SSDEEP

3072:kIMXId8aU3RrYoD5XulxqnDv9405BL6zl:xMPayR0oD5muDvi02Z

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2840 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

digm.exedigm.exe

pid process

2304 digm.exe
592 digm.exe
Loads dropped DLL 3 IoCs

Processes:

2974e70f02767b10963e422142859413_JaffaCakes118.exedigm.exe

pid process

304 2974e70f02767b10963e422142859413_JaffaCakes118.exe
304 2974e70f02767b10963e422142859413_JaffaCakes118.exe
2304 digm.exe

pid	process
2840	cmd.exe

pid	process
2304	digm.exe
592	digm.exe

pid	process
304	2974e70f02767b10963e422142859413_JaffaCakes118.exe
304	2974e70f02767b10963e422142859413_JaffaCakes118.exe
2304	digm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2974e70f02767b10963e422142859413_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\digm.exe\" /r"	2974e70f02767b10963e422142859413_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2974e70f02767b10963e422142859413_JaffaCakes118.exedigm.exedigm.exe

description	pid	process	target process
PID 2152 set thread context of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2304 set thread context of 592	2304	digm.exe	digm.exe
PID 592 set thread context of 2928	592	digm.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

2974e70f02767b10963e422142859413_JaffaCakes118.exe2974e70f02767b10963e422142859413_JaffaCakes118.exedigm.exedigm.exe

description	pid	process	target process
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 2152 wrote to memory of 304	2152	2974e70f02767b10963e422142859413_JaffaCakes118.exe	2974e70f02767b10963e422142859413_JaffaCakes118.exe
PID 304 wrote to memory of 2304	304	2974e70f02767b10963e422142859413_JaffaCakes118.exe	digm.exe
PID 304 wrote to memory of 2304	304	2974e70f02767b10963e422142859413_JaffaCakes118.exe	digm.exe
PID 304 wrote to memory of 2304	304	2974e70f02767b10963e422142859413_JaffaCakes118.exe	digm.exe
PID 304 wrote to memory of 2304	304	2974e70f02767b10963e422142859413_JaffaCakes118.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 2304 wrote to memory of 592	2304	digm.exe	digm.exe
PID 592 wrote to memory of 2928	592	digm.exe	svchost.exe
PID 592 wrote to memory of 2928	592	digm.exe	svchost.exe
PID 592 wrote to memory of 2928	592	digm.exe	svchost.exe
PID 592 wrote to memory of 2928	592	digm.exe	svchost.exe
PID 592 wrote to memory of 2928	592	digm.exe	svchost.exe
PID 592 wrote to memory of 2928	592	digm.exe	svchost.exe
PID 304 wrote to memory of 2840	304	2974e70f02767b10963e422142859413_JaffaCakes118.exe	cmd.exe
PID 304 wrote to memory of 2840	304	2974e70f02767b10963e422142859413_JaffaCakes118.exe	cmd.exe
PID 304 wrote to memory of 2840	304	2974e70f02767b10963e422142859413_JaffaCakes118.exe	cmd.exe
PID 304 wrote to memory of 2840	304	2974e70f02767b10963e422142859413_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2974e70f02767b10963e422142859413_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2974e70f02767b10963e422142859413_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\2974e70f02767b10963e422142859413_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2974e70f02767b10963e422142859413_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Admin\digm.exe
"C:\Users\Admin\digm.exe" /r
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\digm.exe
"C:\Users\Admin\digm.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\0676.bat" "
3⤵
- Deletes itself
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0676.bat
Filesize
117B

MD5
0feb7f78ef7529d8b90cdcebaa44f7c1

SHA1
f0b10ab3ccd7a6065cb3a6592b18cf45fc3c0873

SHA256
420fc5b5a75282216ced2c4e4d1e974c31ef3c483ca93ed559684f3d6909a2bd

SHA512
61b5f294d8669039f6175d5be9df13b974692b8743083e19515b3eab97ee8ddb60dd3fdca3951f45c58f02e799d1ed8a580832dedf33ffa96097f4faf26f325d

Download Submit
\Users\Admin\digm.exe
Filesize
136KB

MD5
2974e70f02767b10963e422142859413

SHA1
10982b4f655d166b8145b14f57adae7b265a1559

SHA256
c24e9f212bf4aa4d09be65a48991d3d88a7f8c7964167b669655bae9fcf683aa

SHA512
f41fb5551cfa66f2efbc29ce7be0cfffba83309f37078346bdf01db0314f072626054a2eb34d4602b596b4cb74e6f068f65825a3a9a6872b115644c8c766d90a

Download Submit
memory/304-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/304-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/304-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/304-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/304-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/304-3-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/304-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/304-26-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/304-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/592-51-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2152-13-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2152-14-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2152-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2304-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2304-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2928-54-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2928-48-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2928-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-58-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2928-59-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2928-60-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2928-71-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads