tofsee | e41c46054bd2c722b8d649b57021da9320cf6d2e19e04186d946af560059a1ad

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe
Size

11.1MB
MD5

b541829aa66c437b2a62789d3aca5e86
SHA1

80f5a87ae6246fdc2794d481d550db3d363e52a7
SHA256

e41c46054bd2c722b8d649b57021da9320cf6d2e19e04186d946af560059a1ad
SHA512

7f49782bbe131565325698a0584324c3e5f282d5182a817b2dabbb87c038639e2809bf58e54795fa6d746fb5247fcb5bd7639f2a3f92841b030447e75caa1279
SSDEEP

12288:izZd0++++++++++++++++++++++++++++++++++++++++++++++++++++++++++G:izZ

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\pfbwqagj = "0"	svchost.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2568	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pfbwqagj\ImagePath = "C:\\Windows\\SysWOW64\\pfbwqagj\\nzymxhpj.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2892	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2512	nzymxhpj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2892	2512	nzymxhpj.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2748	sc.exe
2864	sc.exe
2284	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nzymxhpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3064	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	30
PID 2380 wrote to memory of 3064	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	30
PID 2380 wrote to memory of 3064	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	30
PID 2380 wrote to memory of 3064	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	30
PID 2380 wrote to memory of 2480	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	32
PID 2380 wrote to memory of 2480	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	32
PID 2380 wrote to memory of 2480	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	32
PID 2380 wrote to memory of 2480	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	32
PID 2380 wrote to memory of 2284	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	34
PID 2380 wrote to memory of 2284	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	34
PID 2380 wrote to memory of 2284	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	34
PID 2380 wrote to memory of 2284	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	34
PID 2380 wrote to memory of 2748	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	36
PID 2380 wrote to memory of 2748	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	36
PID 2380 wrote to memory of 2748	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	36
PID 2380 wrote to memory of 2748	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	36
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	38
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	38
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	38
PID 2380 wrote to memory of 2864	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	38
PID 2512 wrote to memory of 2892	2512	nzymxhpj.exe	41
PID 2512 wrote to memory of 2892	2512	nzymxhpj.exe	41
PID 2512 wrote to memory of 2892	2512	nzymxhpj.exe	41
PID 2512 wrote to memory of 2892	2512	nzymxhpj.exe	41
PID 2512 wrote to memory of 2892	2512	nzymxhpj.exe	41
PID 2512 wrote to memory of 2892	2512	nzymxhpj.exe	41
PID 2380 wrote to memory of 2568	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	42
PID 2380 wrote to memory of 2568	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	42
PID 2380 wrote to memory of 2568	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	42
PID 2380 wrote to memory of 2568	2380	JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pfbwqagj\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nzymxhpj.exe" C:\Windows\SysWOW64\pfbwqagj\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create pfbwqagj binPath= "C:\Windows\SysWOW64\pfbwqagj\nzymxhpj.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description pfbwqagj "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start pfbwqagj
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2568

C:\Windows\SysWOW64\pfbwqagj\nzymxhpj.exe
C:\Windows\SysWOW64\pfbwqagj\nzymxhpj.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b541829aa66c437b2a62789d3aca5e86.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nzymxhpj.exe

Filesize
12.3MB

MD5
57f7a0eaeef1bab60f34999159d12a6e

SHA1
ccdddce33eaf663ad2b8c606153dba810c0e508a

SHA256
e6df003b92a276ba4a9c98f0f95bf1f1febb5f1a7b513bcced9904b43188defa

SHA512
e3c6caf492d1591aa7c21f3f16e3e3b39b23a2701150449a9f9a4a86cea2666ebb9c6fbdd07f14f78d8d95f737348934df2b3a87cf69828a937970b7f8e8b7b9

Download Submit
memory/2380-15-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2380-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2380-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2380-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2380-1-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/2380-14-0x0000000000400000-0x0000000002DAC000-memory.dmp

Filesize
41.7MB

Download
memory/2512-12-0x0000000000400000-0x0000000002DAC000-memory.dmp

Filesize
41.7MB

Download
memory/2892-8-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2892-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2892-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-17-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2892-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads