General

  • Target

    f04f786239875252b9f051c7a26a32e5_JaffaCakes118

  • Size

    14.6MB

  • Sample

    240415-e4mjxsha8z

  • MD5

    f04f786239875252b9f051c7a26a32e5

  • SHA1

    6aadc2d82f7c210ee366ced36c8abd01a1533500

  • SHA256

    99259985cf1a4857ec1f009ccab8a757018feb2298b058cffb92862f1f603f2e

  • SHA512

    221e9ca818d4ed3e2278b5f425f3d122179e9ff6a1c0432905cb61fe85c78d45d6bc7d518c4572e27ecbb3a4be317097f327dbb382d9fca1ac3112277e93703f

  • SSDEEP

    49152:4NS3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3SH:4

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks