tofsee | 2f1e0eb9ed8589890be9756528e46acfc275a2bb5b797c370c6b95a9f6e8eb61

General

Target

85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe
Size

12.7MB
MD5

85c28ed504a9641d91449cc374bfdf3f
SHA1

32bf88471d0c2f15bb525fd71eb75c9fc484a998
SHA256

2f1e0eb9ed8589890be9756528e46acfc275a2bb5b797c370c6b95a9f6e8eb61
SHA512

3c23870ce8685421a8f82a4eed8e9309aa649a364750ecdc0bb2607584b00de0e9cefff1db9f67a8d19f7e09c2e9d32b47d0d5c7cabe758a29c3f35d8dd968ec
SSDEEP

6144:evk9RADRUv1CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCn:HRAD

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\wmstoxjq = "0"	svchost.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3016 netsh.exe

pid	process
3016	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wmstoxjq\ImagePath = "C:\\Windows\\SysWOW64\\wmstoxjq\\nsffihxc.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2156 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

nsffihxc.exe

pid process

3008 nsffihxc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

nsffihxc.exe

description pid process target process

PID 3008 set thread context of 2156 3008 nsffihxc.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2620 sc.exe
2808 sc.exe
2944 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2156	svchost.exe

pid	process
3008	nsffihxc.exe

description	pid	process	target process
PID 3008 set thread context of 2156	3008	nsffihxc.exe	svchost.exe

pid	process
2620	sc.exe
2808	sc.exe
2944	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesc.exesc.exensffihxc.exenetsh.exesvchost.exe85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.execmd.exesc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsffihxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exensffihxc.exe

description	pid	process	target process
PID 2636 wrote to memory of 2608	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2608	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2608	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2608	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2336	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2336	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2336	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2336	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2620	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2620	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2620	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2620	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2808	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2808	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2808	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2808	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2944	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2944	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2944	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 2636 wrote to memory of 2944	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	sc.exe
PID 3008 wrote to memory of 2156	3008	nsffihxc.exe	svchost.exe
PID 3008 wrote to memory of 2156	3008	nsffihxc.exe	svchost.exe
PID 3008 wrote to memory of 2156	3008	nsffihxc.exe	svchost.exe
PID 3008 wrote to memory of 2156	3008	nsffihxc.exe	svchost.exe
PID 3008 wrote to memory of 2156	3008	nsffihxc.exe	svchost.exe
PID 3008 wrote to memory of 2156	3008	nsffihxc.exe	svchost.exe
PID 2636 wrote to memory of 3016	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	netsh.exe
PID 2636 wrote to memory of 3016	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	netsh.exe
PID 2636 wrote to memory of 3016	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	netsh.exe
PID 2636 wrote to memory of 3016	2636	85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wmstoxjq\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nsffihxc.exe" C:\Windows\SysWOW64\wmstoxjq\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create wmstoxjq binPath= "C:\Windows\SysWOW64\wmstoxjq\nsffihxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description wmstoxjq "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start wmstoxjq
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3016

C:\Windows\SysWOW64\wmstoxjq\nsffihxc.exe
C:\Windows\SysWOW64\wmstoxjq\nsffihxc.exe /d"C:\Users\Admin\AppData\Local\Temp\85c28ed504a9641d91449cc374bfdf3f_JaffaCakes118.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsffihxc.exe

Filesize
13.9MB

MD5
d2bfd6743d40506362821f3e0758d2f2

SHA1
fa7e59f80e6b5ccb6d819882dd21817384adfc7d

SHA256
81b702b3f35f56e87119ac084008c241cdd935220b18e25794953d97b78e2c2c

SHA512
dede2983d7149083c8523ad5c160f62f05f6fd996e81e2270364c25e0d2abab3db5993d5431245f568c1847f4bef1c61682cf167c24f0f8115e769dc9c2e03a1

Download Submit
memory/2156-10-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/2156-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2156-7-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/2156-14-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/2156-15-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/2636-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-2-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2636-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2636-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads