tofsee | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790f

General

Target

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
Size

144KB
MD5

79e36707abf82183a03e9d8dda3b3430
SHA1

d986b8ba3ed36333f127b34842fc991713c4f5ac
SHA256

086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790f
SHA512

26f0b48f09193014bd9fc5f1ede8df23979e4791ae47e6d4395656fa62d22a32435f43aba15e3f32facb4fdc24f2ed97305bebf1eb53bc5033bae82710e88b4d
SSDEEP

3072:uaVP6HaGT5SR8fGzIpYDx1cTqO9lkS2jbxWGqSV3:uaGoEpWxSbGqSV3

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.39.211

188.130.237.44

91.204.162.103

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2632 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

ijbzztly.exe

pid process

2880 ijbzztly.exe
Loads dropped DLL 2 IoCs

Processes:

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

pid process

2824 79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
2824 79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

pid	process
2632	cmd.exe

pid	process
2880	ijbzztly.exe

pid	process
2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\ijbzztly.exe\""	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ijbzztly.exe

description pid process target process

PID 2880 set thread context of 2612 2880 ijbzztly.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2880 set thread context of 2612	2880	ijbzztly.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesvchost.exe79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exeijbzztly.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijbzztly.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exeijbzztly.exe

pid process

2824 79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
2880 ijbzztly.exe

pid	process
2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
2880	ijbzztly.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exeijbzztly.exe

description	pid	process	target process
PID 2824 wrote to memory of 2880	2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	ijbzztly.exe
PID 2824 wrote to memory of 2880	2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	ijbzztly.exe
PID 2824 wrote to memory of 2880	2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	ijbzztly.exe
PID 2824 wrote to memory of 2880	2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	ijbzztly.exe
PID 2880 wrote to memory of 2612	2880	ijbzztly.exe	svchost.exe
PID 2880 wrote to memory of 2612	2880	ijbzztly.exe	svchost.exe
PID 2880 wrote to memory of 2612	2880	ijbzztly.exe	svchost.exe
PID 2880 wrote to memory of 2612	2880	ijbzztly.exe	svchost.exe
PID 2880 wrote to memory of 2612	2880	ijbzztly.exe	svchost.exe
PID 2880 wrote to memory of 2612	2880	ijbzztly.exe	svchost.exe
PID 2824 wrote to memory of 2632	2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	cmd.exe
PID 2824 wrote to memory of 2632	2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	cmd.exe
PID 2824 wrote to memory of 2632	2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	cmd.exe
PID 2824 wrote to memory of 2632	2824	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\ijbzztly.exe
  "C:\Users\Admin\ijbzztly.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5076.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5076.bat

Filesize
266B

MD5
7d40b7fed97e870199748c47f2bd0746

SHA1
ad8bbd529cfc739c130c518103dedd922bb29fb6

SHA256
1f9fb5c88a94be036093bbd3bb2065bfb9400d8907700525c68b849658fd8777

SHA512
88e4d08241f2ef2f7fa6279794347224934f6439c7eacff2fb753ca7504acf9a30e1c6eca662bd80b0054aee1420b41bf56b648277b4911be923b5faef95643b

Download Submit
\Users\Admin\ijbzztly.exe

Filesize
49.1MB

MD5
792897d0799f8225506ab72a0da0f7fb

SHA1
32f9f0b063534f6492b97f9dcc626c78e03ebf9a

SHA256
c0bbf1ee4100d6e7f58781b65b95352f6d68aa228529267e4c33e73a31b40524

SHA512
69919cbcc96b88bd9665bcda17e5377387105596a55d197fd9820111a17b3ae395c828cfcc0e4d9da2e5c361d84348947ddd71c5fc2848bc8c1fc6c8cdd425cd

Download Submit
memory/2612-20-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2612-40-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2612-36-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2612-23-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2612-39-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2612-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-30-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2612-33-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2824-0-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2824-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2824-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2824-28-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2880-11-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2880-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2880-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads