General

  • Target: f084491e020b788417e19a2621643727_JaffaCakes118
  • Size: 12.8MB
  • Sample: 240415-hlq16sbe5t
  • MD5: f084491e020b788417e19a2621643727
  • SHA1: c16a3f6bdd47a54adce01da13c161502c82159d8
  • SHA256: 6f744161d4a426c7d4666faa58489bc5f45596a194c9212f08a3bec8bcc9dc70
  • SHA512: 15fd79bcaff49d9f14ce6866c2cd97d3612b08f304fb4142f029c5800e6782e14532300385548268905e4381187cd8b62b602460d72439c892dd693396f86c82
  • SSDEEP: 24576:QjCj10HSqGgeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee2:Q/D

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru, refabyd.info

Targets

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
