tofsee | 35e7dacaff1f83266879f8c1b8b87094b9afe181b397b3927561c74844e38d18

General

Target

633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe
Size

144KB
MD5

633a5b3f5abc1123356f2c859bcb8e50
SHA1

da720c363b880dbc5623e9584b62523fb4fba909
SHA256

35e7dacaff1f83266879f8c1b8b87094b9afe181b397b3927561c74844e38d18
SHA512

9fb9e0aa1b2d263e7eec9b065c1af0e5a72ec68f9c4cfa27a3bd46d259f1416f5c60a82cf01e80cdddeddb1463569fb5981fb36d000c8e0ffdfd20af1f353c8e
SSDEEP

3072:uaVP6HaGT5SR8fGzIpYDx1cTqO9lkS2jbxWGqXJ:uaGoEpWxSbGqZ

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.39.211

188.130.237.44

91.204.162.103

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1116	uvnllfxk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\uvnllfxk.exe\""	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 2008	1116	uvnllfxk.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3272	2008	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvnllfxk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1116	404	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe	86
PID 404 wrote to memory of 1116	404	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe	86
PID 404 wrote to memory of 1116	404	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe	86
PID 1116 wrote to memory of 2008	1116	uvnllfxk.exe	88
PID 1116 wrote to memory of 2008	1116	uvnllfxk.exe	88
PID 1116 wrote to memory of 2008	1116	uvnllfxk.exe	88
PID 1116 wrote to memory of 2008	1116	uvnllfxk.exe	88
PID 1116 wrote to memory of 2008	1116	uvnllfxk.exe	88
PID 404 wrote to memory of 532	404	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe	92
PID 404 wrote to memory of 532	404	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe	92
PID 404 wrote to memory of 532	404	633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\633a5b3f5abc1123356f2c859bcb8e50_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\uvnllfxk.exe
  "C:\Users\Admin\uvnllfxk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 356
      4⤵
      Program crash
      PID:3272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5640.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2008 -ip 2008
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5640.bat

Filesize
266B

MD5
d0ab623051d738d5666a14820de62f34

SHA1
6b3d8b7955e7b45d82c2da848b6ab80e095b4dc2

SHA256
e79d4a1cfeadda0793ab8804adec4fc35203cae4ed17e9d5ff8d2589b3fa4a87

SHA512
7fa606acfd39a4c3251f36cd2351898c05eb2e96a721be07517244845b241b7633eee5279b36626d842731e5f6a3a6bb48456306ec8a8122dc611ef7f3905bea

Download Submit
C:\Users\Admin\uvnllfxk.exe

Filesize
47.6MB

MD5
8ff5ea035f3fc6cf5a6462e6df391e07

SHA1
93dd15188e864fa6a211fa964d0b24060d062cf4

SHA256
b4466c8b9727d465fd5e253f60bca74128b7ba949533fa1bf6d74df04765e1e7

SHA512
c91f678d3875bfdb15f75cf9516cfde3068e9f6d34fb250e4a86cc671559e8ed99551984a1f6cb4bdb74337f3feed75cb4ea6a90974168e7d040a5c7b48e488a

Download Submit
memory/404-23-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/404-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/404-0-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/404-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1116-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1116-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1116-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2008-17-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2008-14-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2008-9-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2008-26-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2008-27-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2008-28-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads