tofsee | 7e7ca783c5533c85910c1ec4341d64ea045889c959ac9d516d58816ef8f42da6

General

Target

02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe
Size

12.0MB
MD5

02e5c341d567695ae3743ddda4916025
SHA1

49acfe7ceba9e5407cf355f7fde0a657b680cdf6
SHA256

7e7ca783c5533c85910c1ec4341d64ea045889c959ac9d516d58816ef8f42da6
SHA512

5d8f9508f57dbf2981a1626908ca0fb21a2ffc37f5f8fe9ee514d472238081c9a58e2ee2111b3682498da1aafec5b6269c7311512c6d5d03266375dde414ae6a
SSDEEP

6144:IuZQ8YhtrDfG08esd3CE9ccB3+molfLyKJ:1Z6DfG080E93u59LzJ

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nmqtptka = "0"	svchost.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2816 netsh.exe

pid	process
2816	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nmqtptka\ImagePath = "C:\\Windows\\SysWOW64\\nmqtptka\\ubnajwxr.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2216 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

ubnajwxr.exe

pid process

1508 ubnajwxr.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ubnajwxr.exe

description pid process target process

PID 1508 set thread context of 2216 1508 ubnajwxr.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2980 sc.exe
2712 sc.exe
1900 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2216	svchost.exe

pid	process
1508	ubnajwxr.exe

description	pid	process	target process
PID 1508 set thread context of 2216	1508	ubnajwxr.exe	svchost.exe

pid	process
2980	sc.exe
2712	sc.exe
1900	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

02e5c341d567695ae3743ddda4916025_JaffaCakes118.exesc.exesvchost.exesc.exenetsh.exeubnajwxr.execmd.execmd.exesc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubnajwxr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

02e5c341d567695ae3743ddda4916025_JaffaCakes118.exeubnajwxr.exe

description	pid	process	target process
PID 2380 wrote to memory of 2172	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 2172	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 2172	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 2172	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 3056	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 3056	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 3056	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 3056	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 1900	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 1900	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 1900	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 1900	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2980	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2980	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2980	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2980	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2712	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2712	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2712	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2712	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	sc.exe
PID 2380 wrote to memory of 2816	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	netsh.exe
PID 2380 wrote to memory of 2816	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	netsh.exe
PID 2380 wrote to memory of 2816	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	netsh.exe
PID 2380 wrote to memory of 2816	2380	02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe	netsh.exe
PID 1508 wrote to memory of 2216	1508	ubnajwxr.exe	svchost.exe
PID 1508 wrote to memory of 2216	1508	ubnajwxr.exe	svchost.exe
PID 1508 wrote to memory of 2216	1508	ubnajwxr.exe	svchost.exe
PID 1508 wrote to memory of 2216	1508	ubnajwxr.exe	svchost.exe
PID 1508 wrote to memory of 2216	1508	ubnajwxr.exe	svchost.exe
PID 1508 wrote to memory of 2216	1508	ubnajwxr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nmqtptka\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ubnajwxr.exe" C:\Windows\SysWOW64\nmqtptka\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create nmqtptka binPath= "C:\Windows\SysWOW64\nmqtptka\ubnajwxr.exe /d\"C:\Users\Admin\AppData\Local\Temp\02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1900
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description nmqtptka "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start nmqtptka
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2816

C:\Windows\SysWOW64\nmqtptka\ubnajwxr.exe
C:\Windows\SysWOW64\nmqtptka\ubnajwxr.exe /d"C:\Users\Admin\AppData\Local\Temp\02e5c341d567695ae3743ddda4916025_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ubnajwxr.exe

Filesize
11.3MB

MD5
eda6ad8687db23a3f5554a987f2d1de7

SHA1
6eb2a235b8823a7b510913ad06a2bf6e4519552a

SHA256
6f7a54826e9f86511dcd5b39c45c7643f2c67f03128919e4b80efb4a5abafc55

SHA512
ed5d10a0a017fda6b4f3051fc876f4dcc23b586ea5967af67779de6b9f14f74335e749d1194a219888c0929ddc3ba7ae2dea2af3e2a350448576ff07637424ba

Download Submit
memory/1508-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2216-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2216-16-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2216-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2216-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2380-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2380-10-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2380-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2380-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2380-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2380-1-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads