General
-
Target
f3baa4ed45dc9d0b254f70e6e4b0ac0f_JaffaCakes118
-
Size
344KB
-
Sample
240416-schzbaee4v
-
MD5
f3baa4ed45dc9d0b254f70e6e4b0ac0f
-
SHA1
b3aa03c4bebf4d65227f54f2cafd1e50daa8aebe
-
SHA256
16fdbb6f45f722fffffafa455e8c5dd268c895e6b050031f40ab557be5240332
-
SHA512
13d2af499e0ae5819ced2d9086926dbd73259efa24e64705651899f6f1d730e8ed0b36d3438d4271a9254979f132523a3fb9f0994bb77a2a1d2105618f0bbb4a
-
SSDEEP
6144:BPhtfImvvB2SRwvGklHadh1jCTz9Up+pcBywGFIutJ1H:BXIuvBPRw+klH+PjCn9UpJBlGO
Malware Config
Extracted
tofsee
quadoil.ru
lakeflex.ru
Targets
-
-
Target
f3baa4ed45dc9d0b254f70e6e4b0ac0f_JaffaCakes118
-
Size
344KB
-
MD5
f3baa4ed45dc9d0b254f70e6e4b0ac0f
-
SHA1
b3aa03c4bebf4d65227f54f2cafd1e50daa8aebe
-
SHA256
16fdbb6f45f722fffffafa455e8c5dd268c895e6b050031f40ab557be5240332
-
SHA512
13d2af499e0ae5819ced2d9086926dbd73259efa24e64705651899f6f1d730e8ed0b36d3438d4271a9254979f132523a3fb9f0994bb77a2a1d2105618f0bbb4a
-
SSDEEP
6144:BPhtfImvvB2SRwvGklHadh1jCTz9Up+pcBywGFIutJ1H:BXIuvBPRw+klH+PjCn9UpJBlGO
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2