tofsee | 2f5e67e49830e1dd0ca7de24e7cc02541246a74d7adeab3e5eae0c85c9f17860

General

Target

eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe
Size

109KB
MD5

eb8a612690e24c3f087515f9a46a9fb0
SHA1

21d872dda244b67de9edc4942f7295d69616fa78
SHA256

2f5e67e49830e1dd0ca7de24e7cc02541246a74d7adeab3e5eae0c85c9f17860
SHA512

08d50e17ed8685d27a17161f57a7b6a77df31fd7d63fa09cdeb32a8e581da9df15302477e954024d3a0f67af4ab864bed18d891b65ccdc298233a7f183b27253
SSDEEP

1536:kok+6RyYuguJ+BsxKlb0Tz7OO2GHWy4TmQsd1B8HdezI0mF2jbxWGq6:kojey0uJTxKZUOOhICXU+hS2jbxWGq

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.38.211

188.130.237.71

185.25.48.10

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2120	skvniuur.exe

Loads dropped DLL 2 IoCs

pid	Process
1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe
1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\skvniuur.exe\""	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 2516	2120	skvniuur.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skvniuur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2672	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2672	PING.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe
2120	skvniuur.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2120	1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe	29
PID 1660 wrote to memory of 2120	1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe	29
PID 1660 wrote to memory of 2120	1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe	29
PID 1660 wrote to memory of 2120	1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2516	2120	skvniuur.exe	30
PID 2120 wrote to memory of 2516	2120	skvniuur.exe	30
PID 2120 wrote to memory of 2516	2120	skvniuur.exe	30
PID 2120 wrote to memory of 2516	2120	skvniuur.exe	30
PID 2120 wrote to memory of 2516	2120	skvniuur.exe	30
PID 2120 wrote to memory of 2516	2120	skvniuur.exe	30
PID 1660 wrote to memory of 2536	1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2536	1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2536	1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2536	1660	eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2672	2536	cmd.exe	33
PID 2536 wrote to memory of 2672	2536	cmd.exe	33
PID 2536 wrote to memory of 2672	2536	cmd.exe	33
PID 2536 wrote to memory of 2672	2536	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\skvniuur.exe
  "C:\Users\Admin\skvniuur.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\4020.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4020.bat

Filesize
266B

MD5
dc173fbae0f61c5cb507ebfcd243901b

SHA1
a9d94ffe80331bbc6c77effa7c2b271837a0cc82

SHA256
d4b334aa4b9cd3c93a6b0495bdff690e997344460640d312ba131a326e7d8420

SHA512
5efd4e245b19a02b9c71e4affff97f5922b1fc43bc05f76cb33102c480c2211d5a3f015c4f3bbf2caa8e34fc9efd087cf9f782cac4a9fe307fe4b843fb60f84f

Download Submit
\Users\Admin\skvniuur.exe

Filesize
37.7MB

MD5
3d42187e7661ccf9135a5195ca7b7563

SHA1
8d93b0eae60d1b5107681b6443f32b6db926cc23

SHA256
b6d0fbadb202c0a42131aa759b72edd896e0848b3f1d32f0ba608948d11ece02

SHA512
5cfc9e4e8a2cfac224ba592a954290e8ca089ca4e560aa2a6accb6d9e90c84b0a8a62b7114181b16a2dc39945512df2e23901b532c1a6c198a186cbf11fff2b3

Download Submit
memory/1660-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1660-0-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1660-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1660-25-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2120-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2120-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2120-11-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2516-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-39-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2516-35-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2516-32-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2516-31-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2516-13-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2516-16-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2516-40-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads