General
-
Target
fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118
-
Size
14.6MB
-
Sample
240420-m5373afe6x
-
MD5
fc9d27ffa867f7f49dee1251dae0344e
-
SHA1
442c6b101cc68df05cafe8503d4b24647dfe980f
-
SHA256
fe7eb1248703a1dad025d2a6095acc77e8b3731cf282ac652a0b6d490ea0832f
-
SHA512
d1fe29b5fe0d2ffa19ecd9641086954df472bd7876ecdf14cbf84f0b3f8365985adddcdc927fa81ce160d7de67ac3216d05b8b8542cfa52b4978073342e9fcd1
-
SSDEEP
49152:wjrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrX:S
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118
-
Size
14.6MB
-
MD5
fc9d27ffa867f7f49dee1251dae0344e
-
SHA1
442c6b101cc68df05cafe8503d4b24647dfe980f
-
SHA256
fe7eb1248703a1dad025d2a6095acc77e8b3731cf282ac652a0b6d490ea0832f
-
SHA512
d1fe29b5fe0d2ffa19ecd9641086954df472bd7876ecdf14cbf84f0b3f8365985adddcdc927fa81ce160d7de67ac3216d05b8b8542cfa52b4978073342e9fcd1
-
SSDEEP
49152:wjrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrX:S
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1