General
-
Target
f56ce0db616131aab23985d13dfd55f4_JaffaCakes118
-
Size
10.7MB
-
Sample
240417-kyjhzaae34
-
MD5
f56ce0db616131aab23985d13dfd55f4
-
SHA1
53bedf97c325b3d0ec987dece302cf66e52e2ff3
-
SHA256
9737872b02523817b0be8bdcae4c70ec3477c5f7ef4a6ec35b5c45f29f0b2980
-
SHA512
b29d4a8328aedb8f30bd7758ba278ffacab1fc942db747639074d8ac5e87f5c40024412a1dbe75a8ebcfd7a410ad5dde022a1825f7c2558e1949928e8420b34e
-
SSDEEP
12288:AdY3RyLHWIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIP:AwyD
Malware Config
Extracted
tofsee
176.111.174.19
lazystax.ru
Targets
-
-
Target
f56ce0db616131aab23985d13dfd55f4_JaffaCakes118
-
Size
10.7MB
-
MD5
f56ce0db616131aab23985d13dfd55f4
-
SHA1
53bedf97c325b3d0ec987dece302cf66e52e2ff3
-
SHA256
9737872b02523817b0be8bdcae4c70ec3477c5f7ef4a6ec35b5c45f29f0b2980
-
SHA512
b29d4a8328aedb8f30bd7758ba278ffacab1fc942db747639074d8ac5e87f5c40024412a1dbe75a8ebcfd7a410ad5dde022a1825f7c2558e1949928e8420b34e
-
SSDEEP
12288:AdY3RyLHWIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIP:AwyD
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2