tofsee | d6b2eae2b185d2df5a6b9fa584922bf492b3b4ef55068c18fe440c371f3afae1

General

Target

234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe
Size

153KB
MD5

234ec5fd68cd2fc80c2927c4e5b16862
SHA1

863affe6694278557d5d1797b949ebdfff5dd375
SHA256

d6b2eae2b185d2df5a6b9fa584922bf492b3b4ef55068c18fe440c371f3afae1
SHA512

b9fe4156e59ceefbfdf9d09088257fff43cf2caab197efe5687fc12a5c8efbbcc57619ef12d377e47207d0762e5bd5196d2e210d190e98e6c4ae2d5f0fae1d25
SSDEEP

3072:DXkL9Q/41qA6hg8QIWcQ10SjOq1OXp3TCRthTc7RzeAyddL7le3MRWD:TkL9XqLhhF1GOqU53W16zezHMM

Score

10^/10

tofsee discovery persistence trojan upx

Malware Config

Extracted

Family

tofsee

C2

208.131.138.216

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2348	yliszsgl.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe
2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\yliszsgl.exe\""	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2348 set thread context of 1152	2348	yliszsgl.exe	33

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2560-0-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2560-1-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/files/0x0009000000012118-12.dat	upx
behavioral1/memory/2348-17-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2348-28-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2348-29-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yliszsgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2348	2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2348	2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2348	2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2348	2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2912	2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2912	2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2912	2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2912	2560	234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe	31
PID 2348 wrote to memory of 1152	2348	yliszsgl.exe	33
PID 2348 wrote to memory of 1152	2348	yliszsgl.exe	33
PID 2348 wrote to memory of 1152	2348	yliszsgl.exe	33
PID 2348 wrote to memory of 1152	2348	yliszsgl.exe	33
PID 2348 wrote to memory of 1152	2348	yliszsgl.exe	33
PID 2348 wrote to memory of 1152	2348	yliszsgl.exe	33

C:\Users\Admin\AppData\Local\Temp\234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\234ec5fd68cd2fc80c2927c4e5b16862_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\yliszsgl.exe
  "C:\Users\Admin\yliszsgl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7848.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7848.bat

Filesize
266B

MD5
9d68fa4899f6ba7b9f64d5fff7a5681b

SHA1
d4151364089a56dd9b2a8cccb2be597ad0abc286

SHA256
2783b9d6b105689449e27143125a117fcbb2a09bf899bc1f54ca543906bd32f4

SHA512
13af2d582884c8793e1d78619e5daab1cd1afe3fe564e46db0e4c68e3432703c2ccd4fe69784e1ba6756b14d1320311a823d0efdf38a0482aa02a9247e33dc27

Download Submit
C:\Users\Admin\yliszsgl.exe

Filesize
153KB

MD5
234ec5fd68cd2fc80c2927c4e5b16862

SHA1
863affe6694278557d5d1797b949ebdfff5dd375

SHA256
d6b2eae2b185d2df5a6b9fa584922bf492b3b4ef55068c18fe440c371f3afae1

SHA512
b9fe4156e59ceefbfdf9d09088257fff43cf2caab197efe5687fc12a5c8efbbcc57619ef12d377e47207d0762e5bd5196d2e210d190e98e6c4ae2d5f0fae1d25

Download Submit
memory/1152-46-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1152-45-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1152-31-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1152-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1152-34-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1152-43-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1152-42-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/2348-37-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2348-30-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2348-17-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2348-28-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2348-29-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2560-16-0x0000000004090000-0x00000000040DF000-memory.dmp

Filesize
316KB

Download
memory/2560-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2560-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2560-26-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2560-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2560-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2560-3-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/2560-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2560-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads