General
-
Target
f9496c106987b667046b3895dea478e6_JaffaCakes118
-
Size
13.0MB
-
Sample
240419-cq46psfb4s
-
MD5
f9496c106987b667046b3895dea478e6
-
SHA1
569bf8c79ad8488eb03343929118a52a223f8296
-
SHA256
ea8ca76b2aef52390b22087b4535723f4f11f82911bd78a7ed1bd6cfbdd46d8b
-
SHA512
8ef9534565f25f5a84a37fbd4af6ee94a0d4c643b3c80481818d07645c2d4f632a325e05ae2156b118fc2315431057a988d39055ad5e2121b0fefaa1a1556f70
-
SSDEEP
12288:3l5qOcvT9o+egMU+HoWfprc0sssssssssssssssssssssssssssssssssssssss:xcvT9ofeqrc
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
f9496c106987b667046b3895dea478e6_JaffaCakes118
-
Size
13.0MB
-
MD5
f9496c106987b667046b3895dea478e6
-
SHA1
569bf8c79ad8488eb03343929118a52a223f8296
-
SHA256
ea8ca76b2aef52390b22087b4535723f4f11f82911bd78a7ed1bd6cfbdd46d8b
-
SHA512
8ef9534565f25f5a84a37fbd4af6ee94a0d4c643b3c80481818d07645c2d4f632a325e05ae2156b118fc2315431057a988d39055ad5e2121b0fefaa1a1556f70
-
SSDEEP
12288:3l5qOcvT9o+egMU+HoWfprc0sssssssssssssssssssssssssssssssssssssss:xcvT9ofeqrc
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2