General

  • Target

    f0ad0a3397a5620fa45fc38eeb867532_JaffaCakes118

  • Size

    12.6MB

  • Sample

    240415-kkj8cach4v

  • MD5

    f0ad0a3397a5620fa45fc38eeb867532

  • SHA1

    da69ca4e9e1645754b5661b0b44b45c0fab33b64

  • SHA256

    dd658d43c571781fa7b766963ef9299de0fb64d09cdf20f7e8bcd286fefad71f

  • SHA512

    e66cd24b252a08b0036e3b3f32ffb7b59384c8e3c0d7d7cdb6f2c4795cb59e9741f3f28bfd5e760a4af69c7eff621776a8c7a1816945f72e5bbb44b319f2af3b

  • SSDEEP

    49152:aaafPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP:a

Malware Config

Extracted

  • Family

    tofsee

  • C2

    43.231.4.6

    lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks