General

  • Target

    f0630695ae53cf7a1a16dfd0cfec02d3_JaffaCakes118

  • Size

    11.6MB

  • Sample

    240415-ft3c3ahh71

  • MD5

    f0630695ae53cf7a1a16dfd0cfec02d3

  • SHA1

    b1eea5dbf984b5df67c67500301072cc5ce52e9a

  • SHA256

    0730de25197a87bc97fc5115709fad563813c3625c3db4a8877e2d62d7086e6d

  • SHA512

    5436c76f576fc3d052e3a98959c53d1e01db68cd7b5e221f6d80f9a1936d1a042a5bd107bee05495cc2cc9d6ede2a4a4cd7548319e6279a7fc5fe05dba793ebf

  • SSDEEP

    49152:hj5555555555555555555555555555555555555555555555555555555555555h:

    The digest is almost entirely one repeated character, which means consecutive chunks of the file hashed identically: the 11.6MB file is dominated by repetitive content such as padding, so fuzzy-hash similarity against this sample reflects that padding rather than the code.

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru
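The extracted C2 indicators above are what a responder would hunt for first. As an added example that is not part of the sandbox report, the following Python turns them, together with the sample's hashes, into checks over log lines. The log format (timestamp, host, event, value) and the log lines themselves are constructed for the example; the domain check deliberately matches subdomains but not lookalike names that merely end in the same string.

```python
import hashlib
import ipaddress

# Indicators copied from the extracted Tofsee config and hashes in the report above.
C2_IPS = {"43.231.4.7"}
C2_DOMAINS = {"lazystax.ru"}
SAMPLE_HASHES = {
    "md5": "f0630695ae53cf7a1a16dfd0cfec02d3",
    "sha1": "b1eea5dbf984b5df67c67500301072cc5ce52e9a",
    "sha256": "0730de25197a87bc97fc5115709fad563813c3625c3db4a8877e2d62d7086e6d",
}

# Constructed log lines (not from the report). Assumed format:
#   <timestamp> <host> <event> <value>, event in {dns_query, connect}
SAMPLE_LOGS = """\
2024-04-15T10:01:02Z ws-17 dns_query lazystax.ru
2024-04-15T10:01:03Z ws-17 connect 43.231.4.7:443
2024-04-15T10:01:05Z ws-22 dns_query www.example.com
2024-04-15T10:01:07Z ws-22 connect 203.0.113.9:443
2024-04-15T10:02:10Z ws-17 dns_query mail.lazystax.ru.
"""


def domain_matches(name, iocs):
    """True if name equals an IOC domain or is a subdomain of one (case-insensitive).

    'notlazystax.ru' must not match 'lazystax.ru', hence the leading dot check.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def ip_matches(addr, iocs):
    """True if addr (optionally 'ip:port' for IPv4) is one of the IOC addresses."""
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    try:
        return str(ipaddress.ip_address(host)) in iocs
    except ValueError:
        return False


def scan_logs(text):
    """Return (host, indicator_type, value) for every line touching a C2 indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, host, event, value = parts
        if event == "dns_query" and domain_matches(value, C2_DOMAINS):
            hits.append((host, "c2_domain", value))
        elif event == "connect" and ip_matches(value, C2_IPS):
            hits.append((host, "c2_ip", value))
    return hits


def hash_matches(data):
    """Names of the report's hash algorithms whose digest of data equals the sample's."""
    return [algo for algo, expected in SAMPLE_HASHES.items()
            if hashlib.new(algo, data).hexdigest() == expected]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    print(hash_matches(b"not the sample"))
```

Point `hash_matches` at the bytes of a suspect file to confirm it is this exact sample; any difference in a single byte (a repacked build, for instance) yields no match, which is why the network indicators are the more durable hunt.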

Targets

    • Target

      f0630695ae53cf7a1a16dfd0cfec02d3_JaffaCakes118

    • Size

      11.6MB

    • MD5

      f0630695ae53cf7a1a16dfd0cfec02d3

    • SHA1

      b1eea5dbf984b5df67c67500301072cc5ce52e9a

    • SHA256

      0730de25197a87bc97fc5115709fad563813c3625c3db4a8877e2d62d7086e6d

    • SHA512

      5436c76f576fc3d052e3a98959c53d1e01db68cd7b5e221f6d80f9a1936d1a042a5bd107bee05495cc2cc9d6ede2a4a4cd7548319e6279a7fc5fe05dba793ebf

    • SSDEEP

      49152:hj5555555555555555555555555555555555555555555555555555555555555h:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

      Adds or changes Windows Firewall rules, typically to allow the malware's own binary or service through the firewall (ATT&CK T1562.004).

    • Sets service image path in registry

      Writes the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>, which is the binary the Service Control Manager will launch for that service.

    • Checks computer location settings

      Looks up the country code configured in the registry (the Windows region/location setting under HKCU\Control Panel\International\Geo), most likely as a geofence to avoid running in certain countries.

    • Deletes itself

      Removes its own executable after running, commonly via a spawned cmd.exe, to hinder recovery of the dropper (ATT&CK T1070.004).

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is characteristic of injection techniques such as process hollowing (ATT&CK T1055.012), where the thread of a suspended process is redirected to injected code.
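The signatures above describe host behaviour rather than static indicators, so the matching hunt runs over endpoint telemetry. As an added example that is not part of the report, the following Python applies the corresponding checks to constructed Sysmon-style events (event ID 1 process creation and event ID 13 registry value set, simplified to dicts; the service name "examplesvc", file paths and PIDs are assumptions). It maps "Creates new service(s)" and "Sets service image path in registry" to ImagePath writes under the Services key, "Modifies Windows Firewall" to writes under the FirewallPolicy key or netsh firewall commands, and "Deletes itself" to a cmd.exe child whose del command names its parent's image.

```python
import re

# Constructed Sysmon-style events (not from the report), simplified to dicts.
# id 1 = process creation, id 13 = registry value set.
EVENTS = [
    {"id": 1, "pid": 1001, "ppid": 600,
     "image": r"C:\Users\lab\Desktop\sample.exe",
     "cmdline": r'"C:\Users\lab\Desktop\sample.exe"'},
    {"id": 13, "pid": 1001,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\examplesvc\ImagePath",
     "details": r"C:\Windows\SysWOW64\examplesvc.exe"},
    {"id": 13, "pid": 1001,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{example}",
     "details": "v2.30|Action=Allow|Active=TRUE|Dir=In|App=C:\\Windows\\SysWOW64\\examplesvc.exe|"},
    {"id": 1, "pid": 1002, "ppid": 1001,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="examplesvc" dir=in action=allow program="C:\Windows\SysWOW64\examplesvc.exe"'},
    {"id": 1, "pid": 1003, "ppid": 1001,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\lab\Desktop\sample.exe"'},
    {"id": 1, "pid": 1004, "ppid": 600,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# ImagePath of any service, under the live or a numbered control set.
SERVICE_IMAGE_PATH = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)
# Windows Firewall policy and rules live under this key.
FIREWALL_POLICY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\",
    re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def service_image_paths(events):
    """(service name, image path) for every ImagePath value written."""
    out = []
    for e in events:
        if e["id"] != 13:
            continue
        m = SERVICE_IMAGE_PATH.match(e["target"])
        if m:
            out.append((m.group(1), e["details"]))
    return out


def firewall_changes(events):
    """('registry', key) for FirewallPolicy writes, ('netsh', cmdline) for netsh firewall commands."""
    out = []
    for e in events:
        if e["id"] == 13 and FIREWALL_POLICY.match(e["target"]):
            out.append(("registry", e["target"]))
        elif (e["id"] == 1 and image_name(e["image"]) == "netsh.exe"
              and "firewall" in e["cmdline"].lower()):
            out.append(("netsh", e["cmdline"]))
    return out


def self_deletions(events):
    """(parent image, cmdline) where a cmd.exe child runs 'del' on its parent's own image."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    out = []
    for e in events:
        if e["id"] != 1 or image_name(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e.get("ppid"))
        cmdline = e["cmdline"].lower()
        if parent and " del " in cmdline and parent["image"].lower() in cmdline:
            out.append((parent["image"], e["cmdline"]))
    return out


def triage(events):
    """Findings keyed by the report's signature names."""
    return {
        "Creates new service(s) / Sets service image path in registry": service_image_paths(events),
        "Modifies Windows Firewall": firewall_changes(events),
        "Deletes itself": self_deletions(events),
    }


if __name__ == "__main__":
    for name, findings in triage(EVENTS).items():
        print(name, findings)
```

The self-deletion check ties the cmd.exe child back to its parent through the PID/PPID relationship rather than keying on "del" alone, which keeps ordinary cleanup scripts out of the results; the ImagePath and FirewallPolicy matchers accept numbered control sets as well as CurrentControlSet because telemetry sometimes records the resolved key.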

MITRE ATT&CK Enterprise v15

Tasks