tofsee | c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771

General

Target

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
Size

140KB
MD5

5ba0845ff3f7f12479a59e063d201db3
SHA1

bb9e1b5656e76f43cb55da49981b6b66c3f59ec5
SHA256

c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771
SHA512

11a19687c3afd02ed2904dacbbbbb6d9d4336435aed049eb6bef0b1827e719c508d70a4926f5aff233b9e802edfcc66790808c8f045ea1e04c599f7f66a3ef1c
SSDEEP

1536:vjjjPWXk20UMf9sliQ6HgEGHuLjzUgvKGlDbALtTaOE/iwXdBLpVQ5mZWTSf9ef:vXS8f9sEQfETLjJKGlQdnE/iETLamnq

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

uvj.exeuvj.exe

pid process

3948 uvj.exe
3548 uvj.exe

pid	process
3948	uvj.exe
3548	uvj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\uvj.exe\" /r"	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exeuvj.exeuvj.exe

description	pid	process	target process
PID 908 set thread context of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 3948 set thread context of 3548	3948	uvj.exe	uvj.exe
PID 3548 set thread context of 4256	3548	uvj.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1496 4256 WerFault.exe svchost.exe

pid	pid_target	process	target process
1496	4256	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exeuvj.exeuvj.exe

description	pid	process	target process
PID 908 wrote to memory of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 908 wrote to memory of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 908 wrote to memory of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 908 wrote to memory of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 908 wrote to memory of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 908 wrote to memory of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 908 wrote to memory of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 908 wrote to memory of 2332	908	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
PID 2332 wrote to memory of 3948	2332	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	uvj.exe
PID 2332 wrote to memory of 3948	2332	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	uvj.exe
PID 2332 wrote to memory of 3948	2332	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	uvj.exe
PID 3948 wrote to memory of 3548	3948	uvj.exe	uvj.exe
PID 3948 wrote to memory of 3548	3948	uvj.exe	uvj.exe
PID 3948 wrote to memory of 3548	3948	uvj.exe	uvj.exe
PID 3948 wrote to memory of 3548	3948	uvj.exe	uvj.exe
PID 3948 wrote to memory of 3548	3948	uvj.exe	uvj.exe
PID 3948 wrote to memory of 3548	3948	uvj.exe	uvj.exe
PID 3948 wrote to memory of 3548	3948	uvj.exe	uvj.exe
PID 3948 wrote to memory of 3548	3948	uvj.exe	uvj.exe
PID 3548 wrote to memory of 4256	3548	uvj.exe	svchost.exe
PID 3548 wrote to memory of 4256	3548	uvj.exe	svchost.exe
PID 3548 wrote to memory of 4256	3548	uvj.exe	svchost.exe
PID 3548 wrote to memory of 4256	3548	uvj.exe	svchost.exe
PID 3548 wrote to memory of 4256	3548	uvj.exe	svchost.exe
PID 2332 wrote to memory of 1376	2332	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	cmd.exe
PID 2332 wrote to memory of 1376	2332	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	cmd.exe
PID 2332 wrote to memory of 1376	2332	5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\uvj.exe
"C:\Users\Admin\uvj.exe" /r
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\uvj.exe
"C:\Users\Admin\uvj.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 320
6⤵
- Program crash
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8367.bat" "
3⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4256 -ip 4256
1⤵
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8367.bat
Filesize
117B

MD5
dd1272afbec3d38bfa7f9cb03eb760bf

SHA1
26ed50b0bc97e96c8bd76450b4ecdf57b2db90c0

SHA256
52f28894dbff59d03392152dde6e63ebc15f87f421189175ab95aa3167eb316d

SHA512
0076cdaf830d102a0129cac4e4fff563ed0d29f73ea9ce65f4545bc615ea546263ea9342058344520596356485a59d4993b37127b4208863222130d5d714b139

Download Submit
C:\Users\Admin\uvj.exe
Filesize
140KB

MD5
5ba0845ff3f7f12479a59e063d201db3

SHA1
bb9e1b5656e76f43cb55da49981b6b66c3f59ec5

SHA256
c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771

SHA512
11a19687c3afd02ed2904dacbbbbb6d9d4336435aed049eb6bef0b1827e719c508d70a4926f5aff233b9e802edfcc66790808c8f045ea1e04c599f7f66a3ef1c

Download Submit
memory/2332-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2332-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2332-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3548-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4256-14-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/4256-19-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/4256-28-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/4256-29-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4256-30-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/4256-31-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads