General
-
Target
f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118
-
Size
10.5MB
-
Sample
240416-t167gsge3w
-
MD5
f3df43ba132bdf2b35e4cff404cf6822
-
SHA1
1b9098442468602824c455d02e8a168a5beba1f1
-
SHA256
a90655570c4a2d65f49238f26f55c26b9d759fb37e320879a4947925d6d39ae1
-
SHA512
7f9b79450deb76f4f989d06fe521ea4d1bcd7c2fc3d07c97e529b341dc28564db49ba05d99e66a79b6c110d25062c2655618827b02cd9a2de3708bc9728ea9a1
-
SSDEEP
6144:xTNLKg3DE+aImImImImImImImImImImImImImImImImImImImImImImImImImImY:XeO
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
f3df43ba132bdf2b35e4cff404cf6822_JaffaCakes118
-
Size
10.5MB
-
MD5
f3df43ba132bdf2b35e4cff404cf6822
-
SHA1
1b9098442468602824c455d02e8a168a5beba1f1
-
SHA256
a90655570c4a2d65f49238f26f55c26b9d759fb37e320879a4947925d6d39ae1
-
SHA512
7f9b79450deb76f4f989d06fe521ea4d1bcd7c2fc3d07c97e529b341dc28564db49ba05d99e66a79b6c110d25062c2655618827b02cd9a2de3708bc9728ea9a1
-
SSDEEP
6144:xTNLKg3DE+aImImImImImImImImImImImImImImImImImImImImImImImImImImY:XeO
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1