tofsee | c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771

General

Target

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
Size

140KB
MD5

5ba0845ff3f7f12479a59e063d201db3
SHA1

bb9e1b5656e76f43cb55da49981b6b66c3f59ec5
SHA256

c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771
SHA512

11a19687c3afd02ed2904dacbbbbb6d9d4336435aed049eb6bef0b1827e719c508d70a4926f5aff233b9e802edfcc66790808c8f045ea1e04c599f7f66a3ef1c
SSDEEP

1536:vjjjPWXk20UMf9sliQ6HgEGHuLjzUgvKGlDbALtTaOE/iwXdBLpVQ5mZWTSf9ef:vXS8f9sEQfETLjJKGlQdnE/iETLamnq

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2164 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

uoc.exeuoc.exe

pid process

2984 uoc.exe
2968 uoc.exe
Loads dropped DLL 3 IoCs

Processes:

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exeuoc.exe

pid process

2660 5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
2660 5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
2984 uoc.exe

pid	process
2164	cmd.exe

pid	process
2984	uoc.exe
2968	uoc.exe

pid	process
2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
2984	uoc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\uoc.exe\" /r"	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exeuoc.exeuoc.exe

description	pid	process	target process
PID 2644 set thread context of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2984 set thread context of 2968	2984	uoc.exe	uoc.exe
PID 2968 set thread context of 2688	2968	uoc.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exeuoc.exeuoc.exe

description	pid	process	target process
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2644 wrote to memory of 2660	2644	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2660 wrote to memory of 2984	2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	uoc.exe
PID 2660 wrote to memory of 2984	2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	uoc.exe
PID 2660 wrote to memory of 2984	2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	uoc.exe
PID 2660 wrote to memory of 2984	2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2984 wrote to memory of 2968	2984	uoc.exe	uoc.exe
PID 2968 wrote to memory of 2688	2968	uoc.exe	svchost.exe
PID 2968 wrote to memory of 2688	2968	uoc.exe	svchost.exe
PID 2968 wrote to memory of 2688	2968	uoc.exe	svchost.exe
PID 2968 wrote to memory of 2688	2968	uoc.exe	svchost.exe
PID 2968 wrote to memory of 2688	2968	uoc.exe	svchost.exe
PID 2968 wrote to memory of 2688	2968	uoc.exe	svchost.exe
PID 2660 wrote to memory of 2164	2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	cmd.exe
PID 2660 wrote to memory of 2164	2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	cmd.exe
PID 2660 wrote to memory of 2164	2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	cmd.exe
PID 2660 wrote to memory of 2164	2660	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\uoc.exe
"C:\Users\Admin\uoc.exe" /r
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\uoc.exe
"C:\Users\Admin\uoc.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3263.bat" "
3⤵
- Deletes itself
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3263.bat
Filesize
117B

MD5
dd1272afbec3d38bfa7f9cb03eb760bf

SHA1
26ed50b0bc97e96c8bd76450b4ecdf57b2db90c0

SHA256
52f28894dbff59d03392152dde6e63ebc15f87f421189175ab95aa3167eb316d

SHA512
0076cdaf830d102a0129cac4e4fff563ed0d29f73ea9ce65f4545bc615ea546263ea9342058344520596356485a59d4993b37127b4208863222130d5d714b139

Download Submit
\Users\Admin\uoc.exe
Filesize
140KB

MD5
5ba0845ff3f7f12479a59e063d201db3

SHA1
bb9e1b5656e76f43cb55da49981b6b66c3f59ec5

SHA256
c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771

SHA512
11a19687c3afd02ed2904dacbbbbb6d9d4336435aed049eb6bef0b1827e719c508d70a4926f5aff233b9e802edfcc66790808c8f045ea1e04c599f7f66a3ef1c

Download Submit
memory/2660-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2688-52-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2688-43-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2688-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-46-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2688-62-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2688-64-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2968-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads