tofsee | 35e7dacaff1f83266879f8c1b8b87094b9afe181b397b3927561c74844e38d18

General

Target

JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe
Size

144KB
MD5

633a5b3f5abc1123356f2c859bcb8e50
SHA1

da720c363b880dbc5623e9584b62523fb4fba909
SHA256

35e7dacaff1f83266879f8c1b8b87094b9afe181b397b3927561c74844e38d18
SHA512

9fb9e0aa1b2d263e7eec9b065c1af0e5a72ec68f9c4cfa27a3bd46d259f1416f5c60a82cf01e80cdddeddb1463569fb5981fb36d000c8e0ffdfd20af1f353c8e
SSDEEP

3072:uaVP6HaGT5SR8fGzIpYDx1cTqO9lkS2jbxWGqXJ:uaGoEpWxSbGqZ

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.39.211

188.130.237.44

91.204.162.103

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	yzrppjbo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\yzrppjbo.exe\""	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 1280	2828	yzrppjbo.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	1280	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzrppjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2828	2140	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe	83
PID 2140 wrote to memory of 2828	2140	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe	83
PID 2140 wrote to memory of 2828	2140	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe	83
PID 2828 wrote to memory of 1280	2828	yzrppjbo.exe	84
PID 2828 wrote to memory of 1280	2828	yzrppjbo.exe	84
PID 2828 wrote to memory of 1280	2828	yzrppjbo.exe	84
PID 2828 wrote to memory of 1280	2828	yzrppjbo.exe	84
PID 2828 wrote to memory of 1280	2828	yzrppjbo.exe	84
PID 2140 wrote to memory of 1600	2140	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe	86
PID 2140 wrote to memory of 1600	2140	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe	86
PID 2140 wrote to memory of 1600	2140	JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633a5b3f5abc1123356f2c859bcb8e50.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\yzrppjbo.exe
  "C:\Users\Admin\yzrppjbo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 356
      4⤵
      Program crash
      PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7053.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1280 -ip 1280
1⤵
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7053.bat

Filesize
266B

MD5
658a7261d5f5a3086abfeb116c73b6ee

SHA1
747a782634d64aea1819f59c90419b3c0df4c298

SHA256
85f8a28db4ca2f97df0601afadec84f4c84b3dc2c1a6ba45c326aa109658de5b

SHA512
979cfc269d12a4a663adf1f5d9d54206f42e10feff148c7656952f30f6954835ed7ff13a639e88858cc42904cef9cbb51d4deedc9dd622c234672e31fa3d6896

Download Submit
C:\Users\Admin\yzrppjbo.exe

Filesize
36.7MB

MD5
7fffe56dda7c87d2cf2b8e10dd4ae1e6

SHA1
03b1450424f54196a346de3b690ffb1cd6bdb568

SHA256
c358f209185f55d46badd255331d2c2ae0c63bf7cc35c384b08aeaa6425160c8

SHA512
bd0ffa311d5c82a98cba78115adfec4142480565d4bda5130620f88b8566e35c7508d9f5fe4079083f78c3c31b97e0ed3c9ccc67a4ad78b075882f48ac33a24f

Download Submit
memory/1280-7-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1280-28-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1280-15-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1280-27-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1280-26-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1280-10-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2140-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2140-0-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/2140-23-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/2140-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2828-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2828-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2828-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads