General

  • Target

    f0f55b32039fd69167a3ad128671ae41_JaffaCakes118

  • Size

    13.6MB

  • Sample

    240415-nn8xnaff61

  • MD5

    f0f55b32039fd69167a3ad128671ae41

  • SHA1

    3233fe4b9c7d88aa99c0f8c5c7916c6391838f73

  • SHA256

    216d9c0080c435c8a2bb79b9f80f4582be20297e1a2e0df6f01d43a6c6732ca0

  • SHA512

    78738d7cef7eab551e6eb1fbb6c3ea2515495a4b706282925ea5c3e5c4041369b5a8dcbb964095c267adbe97c0786f2814a779a68de3e7694803977f468c3a49

  • SSDEEP

    3072:eVSA/SsuaW0G4uXQgwQpcCLti0ulGMYM1:4asBW06XQpQpFpTulG3

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      f0f55b32039fd69167a3ad128671ae41_JaffaCakes118

    • Size

      13.6MB

    • MD5

      f0f55b32039fd69167a3ad128671ae41

    • SHA1

      3233fe4b9c7d88aa99c0f8c5c7916c6391838f73

    • SHA256

      216d9c0080c435c8a2bb79b9f80f4582be20297e1a2e0df6f01d43a6c6732ca0

    • SHA512

      78738d7cef7eab551e6eb1fbb6c3ea2515495a4b706282925ea5c3e5c4041369b5a8dcbb964095c267adbe97c0786f2814a779a68de3e7694803977f468c3a49

    • SSDEEP

      3072:eVSA/SsuaW0G4uXQgwQpcCLti0ulGMYM1:4asBW06XQpQpFpTulG3

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks