General

  • Target

    f26a8af7f9af71442c04f46b5bda6870_JaffaCakes118

  • Size

    11.3MB

  • Sample

    240416-cafs6sgc7x

  • MD5

    f26a8af7f9af71442c04f46b5bda6870

  • SHA1

    f5c5d89ad5f1695d7a5fdd6a2e1f84889b46e582

  • SHA256

    425fd34fb1131f5b712ca4b861bac754a708071051a3ca3282a99eabff79a531

  • SHA512

    d352bf595f97c28a45186d81e20fcd4a7291e90b48b73adf268bfe1c9d979080458dee8c036c17666d31109a1e6eddef63e1cf41f653a270411013712b085762

  • SSDEEP

    24576:YUqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmX:YF15

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
