tofsee | 773ed267ba4f811688af03c9a4c9d8acf03be9fab275c40c69986d1658870f59

General

Target

JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Size

73KB
MD5

6f1d008c6d0499aa29a2e2942d362960
SHA1

853c07f3cd4823ce6c3e782ca5fa0c3fddeb28c8
SHA256

773ed267ba4f811688af03c9a4c9d8acf03be9fab275c40c69986d1658870f59
SHA512

dd6a01faf5f6a8e72041ea6b90c1dce38ec996627a77a8f8576431d9e3dbb6db235794e71518903f2e34416f64caf8670306ca2b2ab978b310f4e3211d13b344
SSDEEP

1536:gLxnAv2aSRpdNAZNBGa5TsFPChwbaJgX5DHu+/Ou9O39:6+v2TAAa5TEMw+Kzr9O39

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.242.250.149

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe

Executes dropped EXE 1 IoCs

pid	Process
4152	hiayyskx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\hiayyskx.exe\""	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4152 set thread context of 2840	4152	hiayyskx.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1880	2840	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hiayyskx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4152	4300	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	82
PID 4300 wrote to memory of 4152	4300	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	82
PID 4300 wrote to memory of 4152	4300	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	82
PID 4152 wrote to memory of 2840	4152	hiayyskx.exe	83
PID 4152 wrote to memory of 2840	4152	hiayyskx.exe	83
PID 4152 wrote to memory of 2840	4152	hiayyskx.exe	83
PID 4152 wrote to memory of 2840	4152	hiayyskx.exe	83
PID 4152 wrote to memory of 2840	4152	hiayyskx.exe	83
PID 4300 wrote to memory of 4728	4300	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	87
PID 4300 wrote to memory of 4728	4300	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	87
PID 4300 wrote to memory of 4728	4300	JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\hiayyskx.exe
  "C:\Users\Admin\hiayyskx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 356
      4⤵
      Program crash
      PID:1880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8515.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2840 -ip 2840
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8515.bat

Filesize
266B

MD5
798258d07f74f761a5283bb3ec33b212

SHA1
c39119681e6c803ce8b5c807d5305660f8250def

SHA256
b20b4fa12b160966aca10628cebca3bef18e232fc4cefd4070321c12b5aa0b14

SHA512
c2e997777f38d88c7009bc249a0fc7a3413dedcbfea39b1ee66ba8e61e1b6b1c99c4acd773c2bc07e5b4aa189b835b88f59272ecd5adfaf156b278594390bbb7

Download Submit
C:\Users\Admin\hiayyskx.exe

Filesize
73KB

MD5
6f1d008c6d0499aa29a2e2942d362960

SHA1
853c07f3cd4823ce6c3e782ca5fa0c3fddeb28c8

SHA256
773ed267ba4f811688af03c9a4c9d8acf03be9fab275c40c69986d1658870f59

SHA512
dd6a01faf5f6a8e72041ea6b90c1dce38ec996627a77a8f8576431d9e3dbb6db235794e71518903f2e34416f64caf8670306ca2b2ab978b310f4e3211d13b344

Download Submit
memory/2840-17-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2840-28-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2840-27-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2840-26-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2840-9-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2840-14-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/4152-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4152-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4152-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4300-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4300-22-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4300-0-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4300-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads