General

  • Target

    00c6a8dfe9fb9f84684f058f7e535919_JaffaCakes118

  • Size

    13.9MB

  • Sample

    240328-jnayeafg3v

  • MD5

    00c6a8dfe9fb9f84684f058f7e535919

  • SHA1

    5e6775a696cd8e74a0431196c613d66fc6077e3e

  • SHA256

    99135847b7fd12e3bcbe83f5fc6a7082beeeb27f9d73d40795967f36da334584

  • SHA512

    99b07cf87b2f3f5081df78137c33d637e08483a6a29bab4b2becd8b15e15d2c3e165deed1c3012f8f1b71bb3c39d036ee488980f42010b4a6a972128ea9d4825

  • SSDEEP

    196608:KhKaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaS:K

    The long run of identical characters means consecutive chunks hashed the same way, i.e. the file contains a large region of repeated content (likely padding that inflates it to 13.9MB). ssdeep's comparison collapses such runs, so this signature is of little use for similarity matching.

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info
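
Matching the indicators above (the sample's digests and the two C2 domains) against log data, as an added example written for this page rather than anything the sandbox produced. The log lines, hosts, timestamps and paths are constructed, and the key names it looks at (query, sni, dst_host, md5, sha1, sha256, sha512) are an assumption about the log format; adapt them to the SIEM in use.

```python
"""Match this report's indicators (sample hashes, C2 domains) against log data.
Added example, not part of the sandbox report; the log lines below are constructed."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the report above.
IOC_HASHES = {
    "md5": "00c6a8dfe9fb9f84684f058f7e535919",
    "sha1": "5e6775a696cd8e74a0431196c613d66fc6077e3e",
    "sha256": "99135847b7fd12e3bcbe83f5fc6a7082beeeb27f9d73d40795967f36da334584",
    "sha512": "99b07cf87b2f3f5081df78137c33d637e08483a6a29bab4b2becd8b15e15d2c3"
              "e165deed1c3012f8f1b71bb3c39d036ee488980f42010b4a6a972128ea9d4825",
}
IOC_C2_DOMAINS = {"defeatwax.ru", "refabyd.info"}

# Constructed log lines (hosts, timestamps and paths are made up for this example).
SAMPLE_LOGS = [
    "2024-03-28T09:41:02Z dns client=10.0.0.12 query=DEFEATWAX.RU type=A",
    "2024-03-28T09:41:03Z dns client=10.0.0.12 query=www.refabyd.info. type=A",
    "2024-03-28T09:41:05Z dns client=10.0.0.15 query=update.microsoft.com type=A",
    "2024-03-28T09:41:06Z dns client=10.0.0.15 query=notrefabyd.info type=A",
    "2024-03-28T09:42:10Z edr host=WS-12 "
    "sha256=99135847B7FD12E3BCBE83F5FC6A7082BEEEB27F9D73D40795967F36DA334584 "
    r"path=C:\Users\alice\AppData\Local\Temp\x.exe",
    "2024-03-28T09:42:11Z edr host=WS-15 md5=d41d8cd98f00b204e9800998ecf8427e "
    r"path=C:\Windows\notepad.exe",
]

DOMAIN_KEYS = {"query", "domain", "sni", "dst_host"}   # assumed log field names
HASH_KEYS = set(IOC_HASHES)                            # md5, sha1, sha256, sha512
HEX_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so DNS-log variants compare equal."""
    return name.strip().lower().rstrip(".")


def domain_hits_ioc(name: str) -> Optional[str]:
    """Return the matching C2 domain for an exact or subdomain match, else None.
    Suffix matching requires the dot, so 'notrefabyd.info' does not match."""
    n = normalize_domain(name)
    for ioc in IOC_C2_DOMAINS:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hash_hits_ioc(value: str) -> Optional[str]:
    """Return the algorithm name if `value` is one of the sample's digests (any case)."""
    v = value.strip().lower()
    algo = HEX_BY_LEN.get(len(v))
    if algo and re.fullmatch(r"[0-9a-f]+", v) and IOC_HASHES[algo] == v:
        return algo
    return None


def scan_log_line(line: str) -> List[Tuple[str, str]]:
    """Check every key=value field of a log line against the IOC sets."""
    hits = []
    for key, value in KV_RE.findall(line):
        if key in DOMAIN_KEYS:
            ioc = domain_hits_ioc(value)
            if ioc:
                hits.append(("c2_domain", ioc))
        elif key in HASH_KEYS:
            algo = hash_hits_ioc(value)
            if algo:
                hits.append(("sample_" + algo, IOC_HASHES[algo]))
    return hits


def scan_logs(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> hits, omitting lines with no hit."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            result[i] = hits
    return result


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute the same four digests the report lists, for a file read into memory."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOC_HASHES}


def is_reported_sample(data: bytes) -> bool:
    """True only when all four digests match; a single algorithm is a weaker claim."""
    return hash_bytes(data) == IOC_HASHES


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(idx, SAMPLE_LOGS[idx].split()[0], hits)
```

Domain matching is deliberately suffix-based with the dot required, so a lookup for www.refabyd.info counts as a hit while notrefabyd.info does not; hash matching normalises case and picks the algorithm from the digest length, so an upper-case SHA256 from an EDR feed still matches.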

Targets

    • Target

      00c6a8dfe9fb9f84684f058f7e535919_JaffaCakes118


    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

      Redirects a (suspended) thread's execution; commonly used for process hollowing and other injection.
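
The host behaviours in the list above (a service created, its image path set in the registry, the firewall modified, a dropped EXE executed, self-deletion) can be correlated from Windows event data. The block below is an added example written for this page, not sandbox output or the malware's code: the events, file paths and the service name are constructed, the field names follow Sysmon event IDs 1/11/13/23 and the System log's Service Control Manager event 7045, and modelling the firewall change as a netsh advfirewall command is an assumption rather than something the report states.

```python
"""Correlate the host behaviours listed above across Windows event data.
Added example, not sandbox output; events, paths and the service name are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set

TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\x.exe"   # hypothetical dropper path
SVC_EXE = r"C:\Windows\Temp\ahsxveq.exe"                # hypothetical dropped service binary

# Constructed events in time order. Field names follow Sysmon (IDs 1, 11, 13, 23) and the
# System log's Service Control Manager event 7045; every value is invented for the example.
EVENTS: List[dict] = [
    {"host": "WS-12", "event_id": 1, "image": TEMP_EXE, "command_line": TEMP_EXE},
    {"host": "WS-12", "event_id": 11, "image": TEMP_EXE, "target_filename": SVC_EXE},
    {"host": "WS-12", "event_id": 13, "image": TEMP_EXE,
     "target_object": r"HKLM\System\CurrentControlSet\Services\ahsxveq\ImagePath",
     "details": SVC_EXE},
    {"host": "WS-12", "event_id": 7045, "service_name": "ahsxveq", "image_path": SVC_EXE,
     "start_type": "auto start", "account": "LocalSystem"},
    {"host": "WS-12", "event_id": 1, "image": SVC_EXE, "command_line": SVC_EXE},
    {"host": "WS-12", "event_id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall add rule name="ahsxveq" dir=in '
                     'program="' + SVC_EXE + '" action=allow'},
    {"host": "WS-12", "event_id": 23, "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": TEMP_EXE},
    # Benign control: a vendor agent installed under Program Files on another host.
    {"host": "WS-20", "event_id": 7045, "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe",
     "start_type": "auto start", "account": "LocalSystem"},
]

# Directories a legitimately installed service binary should not live in.
WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
IMAGEPATH_RE = re.compile(r"\\services\\[^\\]+\\imagepath$", re.IGNORECASE)
FIREWALL_RE = re.compile(
    r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+(add|set)\s+rule\b", re.IGNORECASE)


def in_writable_dir(path: str) -> bool:
    """True if the path sits under a user- or world-writable directory."""
    return any(d in path.lower() for d in WRITABLE_DIRS)


def correlate(events: List[dict]) -> Dict[str, Set[str]]:
    """Return host -> set of behaviour names seen. Per-host state lets
    'executes dropped EXE' and 'deletes itself' refer back to earlier events."""
    sigs: Dict[str, Set[str]] = defaultdict(set)
    executed: Dict[str, Set[str]] = defaultdict(set)   # images seen in a process create
    dropped: Dict[str, Set[str]] = defaultdict(set)    # files written by a monitored process
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 1:
            image = ev["image"].lower()
            if image in dropped[host]:
                sigs[host].add("executes_dropped_exe")
            executed[host].add(image)
            if FIREWALL_RE.search(ev.get("command_line", "")):
                sigs[host].add("modifies_windows_firewall")
        elif eid == 11:
            dropped[host].add(ev["target_filename"].lower())
        elif eid == 13 and IMAGEPATH_RE.search(ev["target_object"]):
            sigs[host].add("sets_service_image_path")
        elif eid == 7045 and in_writable_dir(ev["image_path"]):
            sigs[host].add("creates_service_in_writable_dir")
        elif eid == 23 and ev["target_filename"].lower() in executed[host]:
            # A binary that ran earlier is now being deleted (by itself or a helper such as cmd.exe).
            sigs[host].add("deletes_itself")
    return dict(sigs)


def alert_hosts(events: List[dict], threshold: int = 3) -> List[str]:
    """Hosts showing at least `threshold` distinct behaviours; any single one is too noisy alone."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= threshold)


if __name__ == "__main__":
    for host, seen in correlate(EVENTS).items():
        print(host, sorted(seen))
    print("alert:", alert_hosts(EVENTS))
```

Each behaviour on its own is common in legitimate software (installers create services and add firewall rules), so the alert fires only when several of them cluster on one host; the self-delete check keys on a file that previously executed there rather than on the deleting process, because droppers often remove themselves through cmd.exe.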

MITRE ATT&CK Enterprise v15

Tasks