tofsee | dde9abb39c31d5f0addc50550cf29814ff3d4fb5b40b10a6cafcc739068db03c

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe
Size

170KB
MD5

e3f74ef5248c6d6014ce0c5d671015ff
SHA1

4da3d2f7c74309828f5d1eb4d4df4f3772164dfe
SHA256

dde9abb39c31d5f0addc50550cf29814ff3d4fb5b40b10a6cafcc739068db03c
SHA512

1c07bcb87fe4436152c72ad276e176aa73882b7c6b20e4bb43e12ce502cc8223bfb3567e9acc0f947c63452b135a338748ec55e3cd261fb185ef843b51a1faa1
SSDEEP

3072:tViOD5r8aEvaRCJM1hJiO5ZLk2j9rIU35J1CbG4K93GvoxEcowB1j:6G5bp7B1T1aQ6dwB9

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	vhicve.exe
2120	vhicve.exe

Loads dropped DLL 3 IoCs

pid	Process
2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe
2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe
2312	vhicve.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\vhicve.exe\" /r"	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2312 set thread context of 2120	2312	vhicve.exe	33
PID 2120 set thread context of 3008	2120	vhicve.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhicve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhicve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2452	2344	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2312	2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	32
PID 2452 wrote to memory of 2312	2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	32
PID 2452 wrote to memory of 2312	2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	32
PID 2452 wrote to memory of 2312	2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2312 wrote to memory of 2120	2312	vhicve.exe	33
PID 2120 wrote to memory of 3008	2120	vhicve.exe	34
PID 2120 wrote to memory of 3008	2120	vhicve.exe	34
PID 2120 wrote to memory of 3008	2120	vhicve.exe	34
PID 2120 wrote to memory of 3008	2120	vhicve.exe	34
PID 2120 wrote to memory of 3008	2120	vhicve.exe	34
PID 2120 wrote to memory of 3008	2120	vhicve.exe	34
PID 2452 wrote to memory of 2848	2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	35
PID 2452 wrote to memory of 2848	2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	35
PID 2452 wrote to memory of 2848	2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	35
PID 2452 wrote to memory of 2848	2452	e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e3f74ef5248c6d6014ce0c5d671015ff_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\vhicve.exe
    "C:\Users\Admin\vhicve.exe" /r
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\vhicve.exe
      "C:\Users\Admin\vhicve.exe" /r
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\5247.bat" "
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5247.bat

Filesize
117B

MD5
4e3a6c9a26bc163d522fdba21d6a3c04

SHA1
bbf1430dc70a2207da66ced93c447ec9f161d88c

SHA256
c8657e530bb947c6603bab69e09bef044f7292cdb56a9d7ded426cd8b323a0d9

SHA512
319896a99a9f1385ba3f31e495ef626c7cfa349167cac77f9090c5dc3b560e26f7770c33a148284b96cf7f61f620546d20d326a5091a23a47149cea13fb72d50

Download Submit
C:\Users\Admin\vhicve.exe

Filesize
170KB

MD5
e3f74ef5248c6d6014ce0c5d671015ff

SHA1
4da3d2f7c74309828f5d1eb4d4df4f3772164dfe

SHA256
dde9abb39c31d5f0addc50550cf29814ff3d4fb5b40b10a6cafcc739068db03c

SHA512
1c07bcb87fe4436152c72ad276e176aa73882b7c6b20e4bb43e12ce502cc8223bfb3567e9acc0f947c63452b135a338748ec55e3cd261fb185ef843b51a1faa1

Download Submit
memory/2120-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3008-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-60-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/3008-43-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/3008-56-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/3008-64-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/3008-65-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads