General

  • Target

    f0571d537fdfb84ba04c35bf28fc6efd_JaffaCakes118

  • Size

    13.5MB

  • Sample

    240415-fd541seh27

  • MD5

    f0571d537fdfb84ba04c35bf28fc6efd

  • SHA1

    dd7312afd7271ca7fcda619a8d727028ffb8ba68

  • SHA256

    b7a610c7f989b5fc0b92106990ecf5a79c87d70f18365e2ec5b096e5e3af6379

  • SHA512

    7f4f75c788014b865497f7cf64c13db8fcc8f4b2211b716baab4d2f0d0b251f7110b598694e984b6d1cf8572323f35ea6d61100f52fbb0a2cd6cd052c59d8dcc

  • SSDEEP

    24576:YjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBb:Ynh

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info
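The hashes and C2 domains above are only useful once they are run against something. The script below is an added example, not part of the sandbox report or of the Tofsee sample: it copies the report's indicators into a small matcher that hashes a file (or bytes) with the same four algorithms and scans resolver log lines for the two C2 domains, including subdomains, without falling for a look-alike such as notdefeatwax.ru. The log lines, file contents and client addresses are constructed for the example; the ssdeep value is omitted because it is truncated on the page.

```python
"""Added example (not part of the sandbox report or the Tofsee sample): turn the
report's file hashes and C2 domains into checks that run over local artifacts.
Every file, log line and hostname below is constructed for the example."""
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# Indicators copied from the report above (the ssdeep value is truncated there, so it is left out).
IOC_HASHES: Dict[str, str] = {
    "md5": "f0571d537fdfb84ba04c35bf28fc6efd",
    "sha1": "dd7312afd7271ca7fcda619a8d727028ffb8ba68",
    "sha256": "b7a610c7f989b5fc0b92106990ecf5a79c87d70f18365e2ec5b096e5e3af6379",
    "sha512": ("7f4f75c788014b865497f7cf64c13db8fcc8f4b2211b716baab4d2f0d0b251f7"
               "110b598694e984b6d1cf8572323f35ea6d61100f52fbb0a2cd6cd052c59d8dcc"),
}
C2_DOMAINS: Set[str] = {"defeatwax.ru", "refabyd.info"}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All four digests the report lists, computed in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file on disk, streamed so a 13.5MB sample is not read whole."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(digests: Dict[str, str]) -> Set[str]:
    """Names of the algorithms whose digest equals the report's value."""
    return {name for name, value in digests.items()
            if IOC_HASHES.get(name) == value.lower()}


# BIND-style query log line (assumed format); adjust the pattern for your resolver.
DNS_QUERY = re.compile(r"query:\s+(?P<qname>[A-Za-z0-9.-]+)")


def c2_hits(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(queried name, matched C2 domain) for each lookup of a C2 domain or a subdomain of it.
    A plain substring test would also flag e.g. notdefeatwax.ru, hence the label-boundary check."""
    hits = []
    for line in log_lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        for dom in C2_DOMAINS:
            if qname == dom or qname.endswith("." + dom):
                hits.append((qname, dom))
    return hits


# Constructed resolver log: two true hits, one near-miss, one unrelated query.
SAMPLE_DNS_LOG = [
    "15-Apr-2024 06:02:11.481 client 10.0.0.5#51432: query: defeatwax.ru IN A + (10.0.0.1)",
    "15-Apr-2024 06:02:11.602 client 10.0.0.5#51433: query: www.example.com IN A + (10.0.0.1)",
    "15-Apr-2024 06:02:12.014 client 10.0.0.5#51434: query: notdefeatwax.ru IN A + (10.0.0.1)",
    "15-Apr-2024 06:02:12.377 client 10.0.0.5#51435: query: mail.refabyd.info. IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    print(c2_hits(SAMPLE_DNS_LOG))
    print(matches_report(hash_bytes(b"not the sample")))
```

Hash matching is exact by design: any repacked or patched variant of the sample will miss on all four digests, which is why the domain check is the more durable of the two indicators here.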

Targets

    • Target

      f0571d537fdfb84ba04c35bf28fc6efd_JaffaCakes118

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
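The signature names above describe behaviour, not indicators, so they translate into detection logic rather than hash lists. The script below is an added example, not part of the sandbox report: it implements checks for three of the listed behaviours (service image path set in the registry, Windows Firewall modified, self-deletion) over Sysmon-style events. The report gives only the signature names; the registry keys, netsh command lines and event field names used here are assumptions about how those behaviours usually surface, and the events are constructed, not recorded from this sample.

```python
"""Added example (not part of the sandbox report): detection logic for three of the
behaviours listed above: a service image path written to the registry, Windows Firewall
modified, and the sample deleting itself. The report gives only signature names; the
registry keys, command lines and Sysmon-style event fields below are assumptions about
how those behaviours usually surface, and the events are constructed, not this sample's."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Paths a standard user can write to; a service binary living there is worth flagging.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
SERVICE_IMAGE_PATH = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)
FIREWALL_POLICY_KEY = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.IGNORECASE)
# Covers "netsh advfirewall firewall add rule ..." and legacy "netsh firewall set allowedprogram ...".
NETSH_FIREWALL = re.compile(r"\bfirewall\b.*\b(add|set)\b", re.IGNORECASE)
DEL_TARGET = re.compile(r'\b(del|erase)\b\s+(?:/\w+\s+)*"?([^"]+?\.exe)"?', re.IGNORECASE)


def _basename(path: object) -> str:
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_service_image_path(ev: Event) -> bool:
    """Sysmon Event ID 13 (registry value set) on a service ImagePath pointing into a user-writable directory."""
    return (ev.get("EventID") == 13
            and SERVICE_IMAGE_PATH.search(str(ev.get("TargetObject", ""))) is not None
            and USER_WRITABLE.search(str(ev.get("Details", ""))) is not None)


def rule_firewall_modified(ev: Event) -> bool:
    """netsh adding or setting a firewall rule, or a direct write under the FirewallPolicy key."""
    if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "netsh.exe":
        return NETSH_FIREWALL.search(str(ev.get("CommandLine", ""))) is not None
    if ev.get("EventID") == 13:
        return FIREWALL_POLICY_KEY.search(str(ev.get("TargetObject", ""))) is not None
    return False


def rule_self_delete(ev: Event) -> bool:
    """cmd.exe (Event ID 1) asked to delete the very executable that spawned it."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "cmd.exe":
        return False
    m = DEL_TARGET.search(str(ev.get("CommandLine", "")))
    return m is not None and m.group(2).strip().lower() == str(ev.get("ParentImage", "")).lower()


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("service_image_path_user_writable", rule_service_image_path),
    ("firewall_modified", rule_firewall_modified),
    ("self_delete", rule_self_delete),
]


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """(rule name, event index) for every rule that fires, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]


# Constructed events: three that mirror the listed behaviours, two benign look-alikes.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\svcupdate\ImagePath",
     "Details": r"C:\Users\victim\AppData\Local\Temp\svcupdate.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="svcupdate" dir=in action=allow program="C:\Users\victim\AppData\Local\Temp\svcupdate.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\victim\Downloads\sample.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Users\victim\Downloads\sample.exe"'},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\App\app.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\victim\AppData\Local\Temp\app.log"'},
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
```

The service rule deliberately requires a user-writable image path rather than firing on every ImagePath write, since legitimate installers set that value constantly; the self-delete rule ties the deleted path to the parent image for the same reason. Neither of the two benign events in the sample set fires.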

MITRE ATT&CK Enterprise v15

Tasks