tofsee | 4a98211c5559002c943be44e52f37e9362b06f3e384625735e2170ef215c7edc

General

Target

214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe
Size

106KB
MD5

214ba52c1fe0615bdf8b110de5a54800
SHA1

8d14c8471ad2ddea020c6283118c8031ce7f7194
SHA256

4a98211c5559002c943be44e52f37e9362b06f3e384625735e2170ef215c7edc
SHA512

d7f95da24b99e6e347cd64c508460f8b747cc110d3fef4667d59bd8894a97f72a4dab5b11b9f48649185f0248170b38b77ab5ae3d21da2d9665cbd347d763599
SSDEEP

1536:pDfF/yYugpJ+BsxKlb0Tz7OOFGHWy4TmQsdLB8Hdez8VmF2jbxWGq6:pDf1y0pJTxKZUOOcICBU+QS2jbxWGq

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.38.211

188.130.237.71

185.25.48.10

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2580 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

fsxkpcvd.exe

pid process

692 fsxkpcvd.exe
Loads dropped DLL 2 IoCs

Processes:

214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe

pid process

1292 214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe
1292 214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe

pid	process
2580	cmd.exe

pid	process
692	fsxkpcvd.exe

pid	process
1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe
1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\fsxkpcvd.exe\""	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fsxkpcvd.exe

description pid process target process

PID 692 set thread context of 1104 692 fsxkpcvd.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 692 set thread context of 1104	692	fsxkpcvd.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exefsxkpcvd.exesvchost.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsxkpcvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exefsxkpcvd.exe

pid process

1292 214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe
692 fsxkpcvd.exe

pid	process
1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe
692	fsxkpcvd.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exefsxkpcvd.exe

description	pid	process	target process
PID 1292 wrote to memory of 692	1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe	fsxkpcvd.exe
PID 1292 wrote to memory of 692	1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe	fsxkpcvd.exe
PID 1292 wrote to memory of 692	1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe	fsxkpcvd.exe
PID 1292 wrote to memory of 692	1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe	fsxkpcvd.exe
PID 692 wrote to memory of 1104	692	fsxkpcvd.exe	svchost.exe
PID 692 wrote to memory of 1104	692	fsxkpcvd.exe	svchost.exe
PID 692 wrote to memory of 1104	692	fsxkpcvd.exe	svchost.exe
PID 692 wrote to memory of 1104	692	fsxkpcvd.exe	svchost.exe
PID 692 wrote to memory of 1104	692	fsxkpcvd.exe	svchost.exe
PID 692 wrote to memory of 1104	692	fsxkpcvd.exe	svchost.exe
PID 1292 wrote to memory of 2580	1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe	cmd.exe
PID 1292 wrote to memory of 2580	1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe	cmd.exe
PID 1292 wrote to memory of 2580	1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe	cmd.exe
PID 1292 wrote to memory of 2580	1292	214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\214ba52c1fe0615bdf8b110de5a54800_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\fsxkpcvd.exe
"C:\Users\Admin\fsxkpcvd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- System Location Discovery: System Language Discovery
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1148.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1148.bat

Filesize
266B

MD5
631dba645b394f476070d8122c086310

SHA1
21e58377c08cd2426b2f60207f9db84ef4b90aa9

SHA256
775f1519414f738178a0c108ff7e944b4ee8192bd274ff7dc6ea415cce47aa0c

SHA512
7e3d4f59ff2e1b05ec0fb57661a2b3d30279e94dc5aa77e99915f7391224e85fccc3ddbd9e169d01c9422dbdb5eb81ba9fd82a85cba1070cb0ae5def994028c7

Download Submit
\Users\Admin\fsxkpcvd.exe

Filesize
35.5MB

MD5
126a5c2864743433b721999d57de2fa6

SHA1
b301bd6c8822bdc2dddde524d861668962a87417

SHA256
1586c6456b7e36489d405739204e50ca13660994a1feaa5aefe22f7cca0d4237

SHA512
5bbf7168caefd6bffc27a9be686e2083ce334b4aaea583c8a06b10c889e1c88837f420b6aeab5b266aa2950ab13541c27fa1ed20829550daa9cf5500065894ca

Download Submit
memory/692-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/692-13-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/692-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/692-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1104-41-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1104-30-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1104-26-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1104-25-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1104-43-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1104-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1104-16-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1292-6-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/1292-39-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1292-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1292-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1292-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1292-1-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads