tofsee | 773ed267ba4f811688af03c9a4c9d8acf03be9fab275c40c69986d1658870f59

General

Target

JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Size

73KB
MD5

6f1d008c6d0499aa29a2e2942d362960
SHA1

853c07f3cd4823ce6c3e782ca5fa0c3fddeb28c8
SHA256

773ed267ba4f811688af03c9a4c9d8acf03be9fab275c40c69986d1658870f59
SHA512

dd6a01faf5f6a8e72041ea6b90c1dce38ec996627a77a8f8576431d9e3dbb6db235794e71518903f2e34416f64caf8670306ca2b2ab978b310f4e3211d13b344
SSDEEP

1536:gLxnAv2aSRpdNAZNBGa5TsFPChwbaJgX5DHu+/Ou9O39:6+v2TAAa5TEMw+Kzr9O39

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.242.250.149

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	jkcaaumz.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\jkcaaumz.exe\""	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2740	2676	jkcaaumz.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jkcaaumz.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
2676	jkcaaumz.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2676	2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	31
PID 2224 wrote to memory of 2676	2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	31
PID 2224 wrote to memory of 2676	2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	31
PID 2224 wrote to memory of 2676	2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	31
PID 2676 wrote to memory of 2740	2676	jkcaaumz.exe	32
PID 2676 wrote to memory of 2740	2676	jkcaaumz.exe	32
PID 2676 wrote to memory of 2740	2676	jkcaaumz.exe	32
PID 2676 wrote to memory of 2740	2676	jkcaaumz.exe	32
PID 2676 wrote to memory of 2740	2676	jkcaaumz.exe	32
PID 2676 wrote to memory of 2740	2676	jkcaaumz.exe	32
PID 2224 wrote to memory of 2860	2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	33
PID 2224 wrote to memory of 2860	2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	33
PID 2224 wrote to memory of 2860	2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	33
PID 2224 wrote to memory of 2860	2224	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\jkcaaumz.exe
  "C:\Users\Admin\jkcaaumz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7362.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7362.bat

Filesize
266B

MD5
798258d07f74f761a5283bb3ec33b212

SHA1
c39119681e6c803ce8b5c807d5305660f8250def

SHA256
b20b4fa12b160966aca10628cebca3bef18e232fc4cefd4070321c12b5aa0b14

SHA512
c2e997777f38d88c7009bc249a0fc7a3413dedcbfea39b1ee66ba8e61e1b6b1c99c4acd773c2bc07e5b4aa189b835b88f59272ecd5adfaf156b278594390bbb7

Download Submit
\Users\Admin\jkcaaumz.exe

Filesize
73KB

MD5
6f1d008c6d0499aa29a2e2942d362960

SHA1
853c07f3cd4823ce6c3e782ca5fa0c3fddeb28c8

SHA256
773ed267ba4f811688af03c9a4c9d8acf03be9fab275c40c69986d1658870f59

SHA512
dd6a01faf5f6a8e72041ea6b90c1dce38ec996627a77a8f8576431d9e3dbb6db235794e71518903f2e34416f64caf8670306ca2b2ab978b310f4e3211d13b344

Download Submit
memory/2224-33-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2224-0-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2224-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2676-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2676-11-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2676-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-20-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2740-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-23-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2740-34-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2740-16-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2740-13-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2740-37-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2740-38-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads