General

  • Target

    f0ab6034b7ca2c038909b9ebc3a02fc9_JaffaCakes118

  • Size

    12.8MB

  • Sample

    240415-kgtydaad59

  • MD5

    f0ab6034b7ca2c038909b9ebc3a02fc9

  • SHA1

    cd80b319c817da3b6951eaeed2fb1b1e529dfa48

  • SHA256

    0a4b21c46f0a79ada9bf64ad967ab92ebc21e25a2074baf9f91f0f0d3cce137c

  • SHA512

    98b50f48e52d47efa466ed171de3f93c182d48f52e1c1e4ee95f706da831f803d7a0ae1a10e0457caf2995bb460f73d4aeb5e6c89d7362f514a649096c8ddca0

  • SSDEEP

    12288:IZnHC6Hf1kkNWoRjta3JZlPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPH:IdHCRiG

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      f0ab6034b7ca2c038909b9ebc3a02fc9_JaffaCakes118

    • Size

      12.8MB

    • MD5

      f0ab6034b7ca2c038909b9ebc3a02fc9

    • SHA1

      cd80b319c817da3b6951eaeed2fb1b1e529dfa48

    • SHA256

      0a4b21c46f0a79ada9bf64ad967ab92ebc21e25a2074baf9f91f0f0d3cce137c

    • SHA512

      98b50f48e52d47efa466ed171de3f93c182d48f52e1c1e4ee95f706da831f803d7a0ae1a10e0457caf2995bb460f73d4aeb5e6c89d7362f514a649096c8ddca0

    • SSDEEP

      12288:IZnHC6Hf1kkNWoRjta3JZlPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPH:IdHCRiG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks