tofsee | 207acfca1de1938e54d115382a281816e4c0144001010f677234f34c56f67d0e

General

Target

297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
Size

99KB
MD5

297562b2a02789dd03deb8207e9c637f
SHA1

3e8df0c99673b561cb8422111587a628af006dd3
SHA256

207acfca1de1938e54d115382a281816e4c0144001010f677234f34c56f67d0e
SHA512

183c7a25187aa18e6348657e76d5a76f89ed359a61e86a0fc0fa1deb2b27874b35c35db61fa32aca642eeee367d4a8f180175607b4f552502e9fdcef5e9a194e
SSDEEP

1536:sVYd3yhx2UZ22bwA6CP1kqHbDP5XPg4EpweDXIMEQd03rdPxsu4a:sVCH46Ekq7j5XPg490If355Ma

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

64.20.54.234

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

aduy.exeaduy.exe

pid process

2260 aduy.exe
3212 aduy.exe

pid	process
2260	aduy.exe
3212	aduy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\aduy.exe\" /r"	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exeaduy.exeaduy.exe

description	pid	process	target process
PID 2336 set thread context of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2260 set thread context of 3212	2260	aduy.exe	aduy.exe
PID 3212 set thread context of 2420	3212	aduy.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3468 2420 WerFault.exe svchost.exe

pid	pid_target	process	target process
3468	2420	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exeaduy.exeaduy.exe

description	pid	process	target process
PID 2336 wrote to memory of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2336 wrote to memory of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2336 wrote to memory of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2336 wrote to memory of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2336 wrote to memory of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2336 wrote to memory of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2336 wrote to memory of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2336 wrote to memory of 2320	2336	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
PID 2320 wrote to memory of 2260	2320	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	aduy.exe
PID 2320 wrote to memory of 2260	2320	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	aduy.exe
PID 2320 wrote to memory of 2260	2320	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	aduy.exe
PID 2260 wrote to memory of 3212	2260	aduy.exe	aduy.exe
PID 2260 wrote to memory of 3212	2260	aduy.exe	aduy.exe
PID 2260 wrote to memory of 3212	2260	aduy.exe	aduy.exe
PID 2260 wrote to memory of 3212	2260	aduy.exe	aduy.exe
PID 2260 wrote to memory of 3212	2260	aduy.exe	aduy.exe
PID 2260 wrote to memory of 3212	2260	aduy.exe	aduy.exe
PID 2260 wrote to memory of 3212	2260	aduy.exe	aduy.exe
PID 2260 wrote to memory of 3212	2260	aduy.exe	aduy.exe
PID 3212 wrote to memory of 2420	3212	aduy.exe	svchost.exe
PID 3212 wrote to memory of 2420	3212	aduy.exe	svchost.exe
PID 3212 wrote to memory of 2420	3212	aduy.exe	svchost.exe
PID 3212 wrote to memory of 2420	3212	aduy.exe	svchost.exe
PID 3212 wrote to memory of 2420	3212	aduy.exe	svchost.exe
PID 2320 wrote to memory of 4780	2320	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	cmd.exe
PID 2320 wrote to memory of 4780	2320	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	cmd.exe
PID 2320 wrote to memory of 4780	2320	297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\297562b2a02789dd03deb8207e9c637f_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\aduy.exe
"C:\Users\Admin\aduy.exe" /r
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\aduy.exe
"C:\Users\Admin\aduy.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 320
6⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6815.bat" "
3⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2420 -ip 2420
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6815.bat

Filesize
117B

MD5
9a403efb1cd6a0a4e735121126280e20

SHA1
89267f37a9f81e602b5d483b007a5ba0ef0d48c5

SHA256
1002136b1a92b7f6732c5355f7d884e1d46ab373844134286787ce37874c3d15

SHA512
87caf552aceb7562fc36dce1d85e33bb183a1a7b850c6f675519955160326329f07af60dae901953daf852ebb35692076f35af1cc2fbbc82e1cbb12d8cd562e9

Download Submit
C:\Users\Admin\aduy.exe

Filesize
99KB

MD5
297562b2a02789dd03deb8207e9c637f

SHA1
3e8df0c99673b561cb8422111587a628af006dd3

SHA256
207acfca1de1938e54d115382a281816e4c0144001010f677234f34c56f67d0e

SHA512
183c7a25187aa18e6348657e76d5a76f89ed359a61e86a0fc0fa1deb2b27874b35c35db61fa32aca642eeee367d4a8f180175607b4f552502e9fdcef5e9a194e

Download Submit
memory/2320-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2420-21-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2420-14-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2420-29-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2420-30-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2420-31-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2420-32-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/3212-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads