General

  • Target: f13e333dc35ad1d14855e2bd8bd8d391_JaffaCakes118
  • Size: 11.0MB
  • Sample: 240415-re9dlsad6x
  • MD5: f13e333dc35ad1d14855e2bd8bd8d391
  • SHA1: 57584ae3c363bd9b2b7f79d9862633afef5996c4
  • SHA256: 55c8d08d293133cf24ece025bb5c04f194fad8e63066d2c75c876993732c5a13
  • SHA512: be910cd1d5a757d05ba696399798575f41fb8a2a7823bcd95ed96696398dcc2c24a0dfb587a3c8fcebb0da35af20e2480dc8f5b28a0b93349ede4e23997d24b7
  • SSDEEP: 24576:CerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb7:CsW

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru, refabyd.info

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
