General
-
Target
fbb4d43f90d6c4e44bc3d66bb4e00a7f_JaffaCakes118
-
Size
10.3MB
-
Sample
240420-cqhbyaeg7s
-
MD5
fbb4d43f90d6c4e44bc3d66bb4e00a7f
-
SHA1
71333f6fac993d9c6f1d7c853beffb364f0a5aaa
-
SHA256
5bc56bbb39fc526c456c171afcfd0f0861418f6acb277fd9304bf01023c9d40d
-
SHA512
59152fa21df817423fba2bf3a635f7228bcdd0ae88bbef766a3523e3609304ea86b4192637ed9f0a58b8a0211c918b3768628ac150aebafb7567f321137cb51f
-
SSDEEP
6144:UDLhwY9FPsMFYUaPWIXDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD/:WWSFPsycP
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
fbb4d43f90d6c4e44bc3d66bb4e00a7f_JaffaCakes118
-
Size
10.3MB
-
MD5
fbb4d43f90d6c4e44bc3d66bb4e00a7f
-
SHA1
71333f6fac993d9c6f1d7c853beffb364f0a5aaa
-
SHA256
5bc56bbb39fc526c456c171afcfd0f0861418f6acb277fd9304bf01023c9d40d
-
SHA512
59152fa21df817423fba2bf3a635f7228bcdd0ae88bbef766a3523e3609304ea86b4192637ed9f0a58b8a0211c918b3768628ac150aebafb7567f321137cb51f
-
SSDEEP
6144:UDLhwY9FPsMFYUaPWIXDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD/:WWSFPsycP
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2