General
-
Target
f2210787bb2598f8739155f21507eb79_JaffaCakes118
-
Size
11.4MB
-
Sample
240415-21vgpacf6y
-
MD5
f2210787bb2598f8739155f21507eb79
-
SHA1
a3113938de29f92261e0591cbf8a570c284ec863
-
SHA256
d654d69144fc6ec2500c227daf77a0ed09424082093ad47571e4cf83739068dd
-
SHA512
94302dadf31c5011ed5f728d88343f0ac5695a6cb257e4673ce982b516b292b81e0466f2aae207cb7f155594a0c7a0887ee7de00d4bdcf1a004c230b3be4470f
-
SSDEEP
12288:hIIW7A7qL8SHSIiwN/iZBqAsArTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT7:OA7qLNNf
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
f2210787bb2598f8739155f21507eb79_JaffaCakes118
-
Size
11.4MB
-
MD5
f2210787bb2598f8739155f21507eb79
-
SHA1
a3113938de29f92261e0591cbf8a570c284ec863
-
SHA256
d654d69144fc6ec2500c227daf77a0ed09424082093ad47571e4cf83739068dd
-
SHA512
94302dadf31c5011ed5f728d88343f0ac5695a6cb257e4673ce982b516b292b81e0466f2aae207cb7f155594a0c7a0887ee7de00d4bdcf1a004c230b3be4470f
-
SSDEEP
12288:hIIW7A7qL8SHSIiwN/iZBqAsArTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT7:OA7qLNNf
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2