tofsee | 733c27d4e791383b17b24af48e088fcb6efe8af55ac0e5ece50f75403bacb0aa

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/02/2025, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe
Size

110KB
MD5

d4a0fe13c826a3d72cb8cf4b3321bab5
SHA1

57ee096c9480cfecaf4b0a7d522b72e770ee2487
SHA256

733c27d4e791383b17b24af48e088fcb6efe8af55ac0e5ece50f75403bacb0aa
SHA512

d6ab331f9b91b6309560f9e8d0a70aa289147d0ef687781254b2c11e13edff89e1825b6226ed66ecccf678bc47ac01356f9ddcdf0c4c34fb8c4ad4f353a2ff8e
SSDEEP

1536:Dw2sGCx1bXkStPTyNROxLHt86pMTkmC37W3AY8OWN0q:DwDt7y0Ln+Tbg3Nh

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

31.210.119.2

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Deletes itself 1 IoCs

pid	Process
2552	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2100	qoyj.exe
2648	qoyj.exe

Loads dropped DLL 3 IoCs

pid	Process
2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe
2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe
2100	qoyj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\qoyj.exe\" /r"	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2100 set thread context of 2648	2100	qoyj.exe	32
PID 2648 set thread context of 2544	2648	qoyj.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoyj.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2496 wrote to memory of 2744	2496	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	30
PID 2744 wrote to memory of 2100	2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	31
PID 2744 wrote to memory of 2100	2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	31
PID 2744 wrote to memory of 2100	2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	31
PID 2744 wrote to memory of 2100	2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	31
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2100 wrote to memory of 2648	2100	qoyj.exe	32
PID 2744 wrote to memory of 2552	2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	34
PID 2744 wrote to memory of 2552	2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	34
PID 2744 wrote to memory of 2552	2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	34
PID 2744 wrote to memory of 2552	2744	JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe	34
PID 2648 wrote to memory of 2544	2648	qoyj.exe	33
PID 2648 wrote to memory of 2544	2648	qoyj.exe	33
PID 2648 wrote to memory of 2544	2648	qoyj.exe	33
PID 2648 wrote to memory of 2544	2648	qoyj.exe	33
PID 2648 wrote to memory of 2544	2648	qoyj.exe	33
PID 2648 wrote to memory of 2544	2648	qoyj.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d4a0fe13c826a3d72cb8cf4b3321bab5.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\qoyj.exe
    "C:\Users\Admin\qoyj.exe" /r
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\qoyj.exe
      "C:\Users\Admin\qoyj.exe" /r
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1588.bat" "
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1588.bat

Filesize
117B

MD5
4d1c5ad42a31c19bed261756c470f665

SHA1
6463d7d201e0d1c719e6d7f3902beba4206fb466

SHA256
d08a9b7f68c18b1259c15e44ec318fae0fcf9026b70231fddafc06517c023510

SHA512
ff77605a9c4e3443274b130dc70544ed96512a220355f0022aea75923f094ea29b2af32fe8050ac71b242e728e8f83687b431d8999866e43bb8e9a2407a46004

Download Submit
\Users\Admin\qoyj.exe

Filesize
110KB

MD5
d4a0fe13c826a3d72cb8cf4b3321bab5

SHA1
57ee096c9480cfecaf4b0a7d522b72e770ee2487

SHA256
733c27d4e791383b17b24af48e088fcb6efe8af55ac0e5ece50f75403bacb0aa

SHA512
d6ab331f9b91b6309560f9e8d0a70aa289147d0ef687781254b2c11e13edff89e1825b6226ed66ecccf678bc47ac01356f9ddcdf0c4c34fb8c4ad4f353a2ff8e

Download Submit
memory/2544-64-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2544-63-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2544-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-49-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2544-57-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2544-61-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2648-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads