General
-
Target
f532feaa674c93bdfc606c7aba94aaa4_JaffaCakes118
-
Size
14.4MB
-
Sample
240417-hcwv3aga38
-
MD5
f532feaa674c93bdfc606c7aba94aaa4
-
SHA1
b586b0de0001ba9ffad715997b751220b612c9e2
-
SHA256
d6478331f879c08cb4a0030a15f0cd885d76febbfd423ae5a890ac370efbf536
-
SHA512
fa7745bc43f14ba8f6eccc7c42c468fe2ebae3c3e86b2f65a9065bb733ca253350a43d5f2dd6c93348989396ab47f928e886360a44ae1d0de0bed71740e77972
-
SSDEEP
24576:qjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBH:qnh
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
f532feaa674c93bdfc606c7aba94aaa4_JaffaCakes118
-
Size
14.4MB
-
MD5
f532feaa674c93bdfc606c7aba94aaa4
-
SHA1
b586b0de0001ba9ffad715997b751220b612c9e2
-
SHA256
d6478331f879c08cb4a0030a15f0cd885d76febbfd423ae5a890ac370efbf536
-
SHA512
fa7745bc43f14ba8f6eccc7c42c468fe2ebae3c3e86b2f65a9065bb733ca253350a43d5f2dd6c93348989396ab47f928e886360a44ae1d0de0bed71740e77972
-
SSDEEP
24576:qjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBH:qnh
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2