tofsee | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790f

General

Target

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
Size

144KB
MD5

79e36707abf82183a03e9d8dda3b3430
SHA1

d986b8ba3ed36333f127b34842fc991713c4f5ac
SHA256

086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790f
SHA512

26f0b48f09193014bd9fc5f1ede8df23979e4791ae47e6d4395656fa62d22a32435f43aba15e3f32facb4fdc24f2ed97305bebf1eb53bc5033bae82710e88b4d
SSDEEP

3072:uaVP6HaGT5SR8fGzIpYDx1cTqO9lkS2jbxWGqSV3:uaGoEpWxSbGqSV3

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.39.211

188.130.237.44

91.204.162.103

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

pqiggasf.exe

pid process

2460 pqiggasf.exe

pid	process
2460	pqiggasf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\pqiggasf.exe\""	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pqiggasf.exe

description pid process target process

PID 2460 set thread context of 1804 2460 pqiggasf.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

396 1804 WerFault.exe svchost.exe

description	pid	process	target process
PID 2460 set thread context of 1804	2460	pqiggasf.exe	svchost.exe

pid	pid_target	process	target process
396	1804	WerFault.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pqiggasf.execmd.exesvchost.exe79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pqiggasf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exepqiggasf.exe

description	pid	process	target process
PID 764 wrote to memory of 2460	764	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	pqiggasf.exe
PID 764 wrote to memory of 2460	764	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	pqiggasf.exe
PID 764 wrote to memory of 2460	764	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	pqiggasf.exe
PID 2460 wrote to memory of 1804	2460	pqiggasf.exe	svchost.exe
PID 2460 wrote to memory of 1804	2460	pqiggasf.exe	svchost.exe
PID 2460 wrote to memory of 1804	2460	pqiggasf.exe	svchost.exe
PID 2460 wrote to memory of 1804	2460	pqiggasf.exe	svchost.exe
PID 2460 wrote to memory of 1804	2460	pqiggasf.exe	svchost.exe
PID 764 wrote to memory of 60	764	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	cmd.exe
PID 764 wrote to memory of 60	764	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	cmd.exe
PID 764 wrote to memory of 60	764	79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79e36707abf82183a03e9d8dda3b3430_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\pqiggasf.exe
  "C:\Users\Admin\pqiggasf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 356
      4⤵
      Program crash
      PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0426.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1804 -ip 1804
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0426.bat

Filesize
266B

MD5
7d40b7fed97e870199748c47f2bd0746

SHA1
ad8bbd529cfc739c130c518103dedd922bb29fb6

SHA256
1f9fb5c88a94be036093bbd3bb2065bfb9400d8907700525c68b849658fd8777

SHA512
88e4d08241f2ef2f7fa6279794347224934f6439c7eacff2fb753ca7504acf9a30e1c6eca662bd80b0054aee1420b41bf56b648277b4911be923b5faef95643b

Download Submit
C:\Users\Admin\pqiggasf.exe

Filesize
41.4MB

MD5
9dfa5a8b6dbdd701a861feff5a3eee49

SHA1
8dafd5c1ba24e2f81b256958336096da1b29655f

SHA256
c92836a2eb5fa89da7dc601b386df8ece24e6f6ea2dfb45dd0232d2575b924b6

SHA512
e3e9f3634557cb4c01fce6acb38a216beca5c07b65a5f116c1082c4c64ef102f06f84d9e98bc5ac55c2a31fdeff620c93a7af366fa5131df51113d66be3a7fc6

Download Submit
memory/764-0-0x00000000021A0000-0x00000000021B2000-memory.dmp

Filesize
72KB

Download
memory/764-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/764-23-0x00000000021A0000-0x00000000021B2000-memory.dmp

Filesize
72KB

Download
memory/764-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1804-17-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/1804-13-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/1804-9-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/1804-26-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/1804-27-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/1804-28-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/2460-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2460-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2460-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads