General

  • Target

    f0a14238fcda385ebeaac1426ab34113_JaffaCakes118

  • Size

    12.0MB

  • Sample

    240415-jzlt2sce3s

  • MD5

    f0a14238fcda385ebeaac1426ab34113

  • SHA1

    f1e59480797e227a2c4b744161299aaa9856c923

  • SHA256

    cf3e9c7793e428a1763c69b39ed3339ceb6617d503d5d950b43c9d17a42cce87

  • SHA512

    9b0a2ad7428ad989ac141440a5ed4fb8918c8548fda61a03d2a2bb03990653e45b72da99f4393c3f9a81f4e3be829c68cdae5ded33f63b4fea414ef02e30e11a

  • SSDEEP

    49152:djrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrT:N

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      f0a14238fcda385ebeaac1426ab34113_JaffaCakes118

    • Size

      12.0MB

    • MD5

      f0a14238fcda385ebeaac1426ab34113

    • SHA1

      f1e59480797e227a2c4b744161299aaa9856c923

    • SHA256

      cf3e9c7793e428a1763c69b39ed3339ceb6617d503d5d950b43c9d17a42cce87

    • SHA512

      9b0a2ad7428ad989ac141440a5ed4fb8918c8548fda61a03d2a2bb03990653e45b72da99f4393c3f9a81f4e3be829c68cdae5ded33f63b4fea414ef02e30e11a

    • SSDEEP

      49152:djrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrT:N

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks