Overview

overview

10

Static

static

3

fc8f9838b7...18.exe

windows7-x64

10

fc8f9838b7...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fc8f9838b702553e0ecef702ef97ce84_JaffaCakes118

  • Size

    11.9MB

  • Sample

    240420-mmcbmafa5x

  • MD5

    fc8f9838b702553e0ecef702ef97ce84

  • SHA1

    881df8e9dd0ae1c881e2b388befb16db0a55c6aa

  • SHA256

    8044cd332ec2aa866eecbec9aa0cc0dcf304b2de5772e1101366c2960e94fa40

  • SHA512

    020dd1109c79116f50a9124cafd14a1a634c1333e77b7de621ecea245c629eb607695bf56d0d9d4ebb00de5c4c6290c50b5e877c57a1251f1315f9635cbf4cc7

  • SSDEEP

    98304:kvjOF//////////////////////////////////////////////////////////n:O

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      fc8f9838b702553e0ecef702ef97ce84_JaffaCakes118

    • Size

      11.9MB

    • MD5

      fc8f9838b702553e0ecef702ef97ce84

    • SHA1

      881df8e9dd0ae1c881e2b388befb16db0a55c6aa

    • SHA256

      8044cd332ec2aa866eecbec9aa0cc0dcf304b2de5772e1101366c2960e94fa40

    • SHA512

      020dd1109c79116f50a9124cafd14a1a634c1333e77b7de621ecea245c629eb607695bf56d0d9d4ebb00de5c4c6290c50b5e877c57a1251f1315f9635cbf4cc7

    • SSDEEP

      98304:kvjOF//////////////////////////////////////////////////////////n:O

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks