tofsee | 3fe12c4360a1c325426c748c3dc88bd4ada95b53883e8a71ed8cfe49a9548734

General

Target

29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
Size

106KB
MD5

29ca45114babce59d37bf2c45836a794
SHA1

973b1efebfd167d304fef2f59c8ec4ffe22a7c78
SHA256

3fe12c4360a1c325426c748c3dc88bd4ada95b53883e8a71ed8cfe49a9548734
SHA512

4c29556977c79ace3c0c12f9672cf446a01fbfcc3b1cb1a1b6e65a11ceb0ad6673e85ba8fb96ac913891171f0edfba04cfa157570c8f7b7edc784c3c75fd967c
SSDEEP

1536:IwGVxjjSw7LhpTkVCmJw5RH7Q3PW7UW3+EzhEpGEtJotRugCm7ZnyJSB:deVpmCmJw5qWwW3XleGQqt8Bm7ZW8

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2908 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

xmban.exexmban.exe

pid process

2708 xmban.exe
2748 xmban.exe
Loads dropped DLL 3 IoCs

Processes:

29ca45114babce59d37bf2c45836a794_JaffaCakes118.exexmban.exe

pid process

2416 29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
2416 29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
2708 xmban.exe

pid	process
2908	cmd.exe

pid	process
2708	xmban.exe
2748	xmban.exe

pid	process
2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
2708	xmban.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\xmban.exe\" /r"	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

29ca45114babce59d37bf2c45836a794_JaffaCakes118.exexmban.exexmban.exe

description	pid	process	target process
PID 2688 set thread context of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2708 set thread context of 2748	2708	xmban.exe	xmban.exe
PID 2748 set thread context of 1768	2748	xmban.exe	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe

pid process

2688 29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe

pid	process
2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe29ca45114babce59d37bf2c45836a794_JaffaCakes118.exexmban.exexmban.exe

description	pid	process	target process
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2688 wrote to memory of 2416	2688	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
PID 2416 wrote to memory of 2708	2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	xmban.exe
PID 2416 wrote to memory of 2708	2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	xmban.exe
PID 2416 wrote to memory of 2708	2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	xmban.exe
PID 2416 wrote to memory of 2708	2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	xmban.exe
PID 2416 wrote to memory of 2908	2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2908	2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2908	2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2908	2416	29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe	cmd.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2708 wrote to memory of 2748	2708	xmban.exe	xmban.exe
PID 2748 wrote to memory of 1768	2748	xmban.exe	svchost.exe
PID 2748 wrote to memory of 1768	2748	xmban.exe	svchost.exe
PID 2748 wrote to memory of 1768	2748	xmban.exe	svchost.exe
PID 2748 wrote to memory of 1768	2748	xmban.exe	svchost.exe
PID 2748 wrote to memory of 1768	2748	xmban.exe	svchost.exe
PID 2748 wrote to memory of 1768	2748	xmban.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29ca45114babce59d37bf2c45836a794_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\xmban.exe
"C:\Users\Admin\xmban.exe" /r
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\xmban.exe
"C:\Users\Admin\xmban.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4777.bat" "
3⤵
- Deletes itself
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4777.bat
Filesize
117B

MD5
21d3883048bbda63131264b721ff870a

SHA1
6f3f247eb21f6315c0c88eac255b2c3294b2abcc

SHA256
e7f854bf1bf04ee792e4d695f2476e086274e7ca3770c5caeb0a4782adfaf776

SHA512
f89544c8af5c64a3f3404d5d6f0e65e38c8129ab792f06d19fd57430697c621ccd91b01cea7a72418983d76de9c994d81fec6098cceafac4bf4e0aa07f550ed2

Download Submit
\Users\Admin\xmban.exe
Filesize
106KB

MD5
29ca45114babce59d37bf2c45836a794

SHA1
973b1efebfd167d304fef2f59c8ec4ffe22a7c78

SHA256
3fe12c4360a1c325426c748c3dc88bd4ada95b53883e8a71ed8cfe49a9548734

SHA512
4c29556977c79ace3c0c12f9672cf446a01fbfcc3b1cb1a1b6e65a11ceb0ad6673e85ba8fb96ac913891171f0edfba04cfa157570c8f7b7edc784c3c75fd967c

Download Submit
memory/1768-65-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1768-64-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1768-63-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1768-59-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1768-58-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1768-54-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1768-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-31-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2416-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2416-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-49-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads