General
-
Target
fb265b878143e9f87f425a597ac71de1_JaffaCakes118
-
Size
13.1MB
-
Sample
240419-zqsh8sfd22
-
MD5
fb265b878143e9f87f425a597ac71de1
-
SHA1
cb8a63893cab43fe38fba224ff7575e765748844
-
SHA256
5aca11b0e24e2d274f8e7b60a55859d0429a127cb02c1bb9024f0a53487b5e2e
-
SHA512
aac9299c75d64052d6abfc45c0b8e97c0871d1f594f392866e7212225b3000416ad6d8b639d0e70cbd500bdcc6c83359230aefed7b29f1e36038f3da57d9b41d
-
SSDEEP
12288:mBgw6aInPRfmCzFT+PUvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvn:Xw6tHRT+P
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
fb265b878143e9f87f425a597ac71de1_JaffaCakes118
-
Size
13.1MB
-
MD5
fb265b878143e9f87f425a597ac71de1
-
SHA1
cb8a63893cab43fe38fba224ff7575e765748844
-
SHA256
5aca11b0e24e2d274f8e7b60a55859d0429a127cb02c1bb9024f0a53487b5e2e
-
SHA512
aac9299c75d64052d6abfc45c0b8e97c0871d1f594f392866e7212225b3000416ad6d8b639d0e70cbd500bdcc6c83359230aefed7b29f1e36038f3da57d9b41d
-
SSDEEP
12288:mBgw6aInPRfmCzFT+PUvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvn:Xw6tHRT+P
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2