General

  • Target

    f0d314f0095993e58ef3450fc29f91a8_JaffaCakes118

  • Size

    14.2MB

  • Sample

    240415-mcjb7acb34

  • MD5

    f0d314f0095993e58ef3450fc29f91a8

  • SHA1

    a93197f21d5c04a98be6ce7eb0295cb2bd6c2d1b

  • SHA256

    27d3458a7ed6711281cd23b81d30ca9989a794d6c43dc1e9e7b1a65c1519857e

  • SHA512

    f4485d7ae5d3bb2b77d6b9329d944b49edbe06f21369eaae966b6b20310824c12fd0d2bef3ddba1cc902b37e5e0d0585ee03adf0fcb1fc30bd368dff0139a187

  • SSDEEP

    12288:35oxrglLhHuVQyksr86fNBj++++++++++++++++++++++++++++++++++++++++G:QrmLoT91B

Malware Config

  • Extracted

    Family

      tofsee

    C2

      defeatwax.ru

      refabyd.info

Targets

    • Target

      f0d314f0095993e58ef3450fc29f91a8_JaffaCakes118

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks