tofsee | 6e89a44a73818b439f124147d2024fec5d2f8a00054e45795d5a7d7fca97d026

General

Target

65437df61660e464407c0934040d1870_JaffaCakes118.exe
Size

144KB
MD5

65437df61660e464407c0934040d1870
SHA1

41f351a6802c4219fa7ee85973c27c393647ef73
SHA256

6e89a44a73818b439f124147d2024fec5d2f8a00054e45795d5a7d7fca97d026
SHA512

f3a539f886be53323d68f2894edb0e39b9cf0417def99bb5b8e48ff5a8555302723662ce7a386f038331b02add0dccd2552832d819cc949318cb7fa8d9a1870b
SSDEEP

3072:uaVP6HaGT5SR8fGzIpYDx1cTqO9lkS2jbxWGq8Wr:uaGoEpWxSbGq8k

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.39.211

188.130.237.44

91.204.162.103

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65437df61660e464407c0934040d1870_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	65437df61660e464407c0934040d1870_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

cdvttnfs.exe

pid process

4024 cdvttnfs.exe

pid	process
4024	cdvttnfs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

65437df61660e464407c0934040d1870_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\cdvttnfs.exe\""	65437df61660e464407c0934040d1870_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cdvttnfs.exe

description pid process target process

PID 4024 set thread context of 2452 4024 cdvttnfs.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3256 2452 WerFault.exe svchost.exe

description	pid	process	target process
PID 4024 set thread context of 2452	4024	cdvttnfs.exe	svchost.exe

pid	pid_target	process	target process
3256	2452	WerFault.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

65437df61660e464407c0934040d1870_JaffaCakes118.execdvttnfs.execmd.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65437df61660e464407c0934040d1870_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdvttnfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

65437df61660e464407c0934040d1870_JaffaCakes118.execdvttnfs.exe

description	pid	process	target process
PID 1784 wrote to memory of 4024	1784	65437df61660e464407c0934040d1870_JaffaCakes118.exe	cdvttnfs.exe
PID 1784 wrote to memory of 4024	1784	65437df61660e464407c0934040d1870_JaffaCakes118.exe	cdvttnfs.exe
PID 1784 wrote to memory of 4024	1784	65437df61660e464407c0934040d1870_JaffaCakes118.exe	cdvttnfs.exe
PID 4024 wrote to memory of 2452	4024	cdvttnfs.exe	svchost.exe
PID 4024 wrote to memory of 2452	4024	cdvttnfs.exe	svchost.exe
PID 4024 wrote to memory of 2452	4024	cdvttnfs.exe	svchost.exe
PID 4024 wrote to memory of 2452	4024	cdvttnfs.exe	svchost.exe
PID 4024 wrote to memory of 2452	4024	cdvttnfs.exe	svchost.exe
PID 1784 wrote to memory of 2736	1784	65437df61660e464407c0934040d1870_JaffaCakes118.exe	cmd.exe
PID 1784 wrote to memory of 2736	1784	65437df61660e464407c0934040d1870_JaffaCakes118.exe	cmd.exe
PID 1784 wrote to memory of 2736	1784	65437df61660e464407c0934040d1870_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\65437df61660e464407c0934040d1870_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65437df61660e464407c0934040d1870_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\cdvttnfs.exe
  "C:\Users\Admin\cdvttnfs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 356
      4⤵
      Program crash
      PID:3256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1378.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2452 -ip 2452
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1378.bat

Filesize
266B

MD5
840a9bac596baececfb690932d11c01c

SHA1
2a7fd03c1f5107cbac73138486f049f5b5cf1830

SHA256
55783e95e655e6b2ba92eaef8dd9472cfcbda29c40e1d90956ecc5ba95135114

SHA512
0d91028813eb6714d9f2bbcb8778fd6710ad3abe83c9ad11d078aaf26f56b35ad7fd4ea9a330a276d18cba2b26dd812ee81455a357e40cdde9f4f111727bc9d2

Download Submit
C:\Users\Admin\cdvttnfs.exe

Filesize
32.7MB

MD5
ca8d6c976dee3d4f5c97652df4621a5c

SHA1
929bc3eb5800e854e5032d0d1db01135e1b273dc

SHA256
59593f1bbdf6bae9e4a2727babf65501511318418573c9b430f53e36f39fc02a

SHA512
30555ecf2dff7b5a09cde89830ca801252b5a631ff4f81eb52dd0dd26b2bc3a04e4a106647966160a333ba36c4629c1db44cb207534fc253c36a841f567fcd27

Download Submit
memory/1784-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1784-0-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1784-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1784-23-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/2452-26-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2452-9-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/2452-15-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/2452-28-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/2452-12-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/2452-27-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/4024-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4024-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4024-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads