General

  • Target

    f1efb145c5dda056d48a9442dc04926a_JaffaCakes118

  • Size

    12.6MB

  • Sample

    240415-z2rq3sge69

  • MD5

    f1efb145c5dda056d48a9442dc04926a

  • SHA1

    eaebffb29a1611d484e18a11af6dfdabd05fec3e

  • SHA256

    d295cb6824f3b1dee15da5e235dd3af4cd06c839a7c56adf62be284c4763ac7a

  • SHA512

    d3cdac4f2d34d26d8896dfbc6e4b42d7169b8ecb110067846d35bd893c9540613a16eb98409b5e4997d88475be5127237fc58a2d3978285cb6dfba35d70c7902

  • SSDEEP

    196608:XE/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvn:XE

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      f1efb145c5dda056d48a9442dc04926a_JaffaCakes118

    • Size

      12.6MB

    • MD5

      f1efb145c5dda056d48a9442dc04926a

    • SHA1

      eaebffb29a1611d484e18a11af6dfdabd05fec3e

    • SHA256

      d295cb6824f3b1dee15da5e235dd3af4cd06c839a7c56adf62be284c4763ac7a

    • SHA512

      d3cdac4f2d34d26d8896dfbc6e4b42d7169b8ecb110067846d35bd893c9540613a16eb98409b5e4997d88475be5127237fc58a2d3978285cb6dfba35d70c7902

    • SSDEEP

      196608:XE/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvn:XE

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks