General
-
Target
fd10a12bfa4567277ceeeee89218d272_JaffaCakes118
-
Size
14.2MB
-
Sample
240420-sq294sca3w
-
MD5
fd10a12bfa4567277ceeeee89218d272
-
SHA1
1e4c7b5cd7fcd6c5f8d620951316c3dc60e55b19
-
SHA256
afba2105b4e169404b3a9cf3bc73e10d943884b176bfeaa1fc54c985daa0bcd2
-
SHA512
90e5592cbcb97e6301317679f8a0acec08f6409e400331528f5698d799c214112ca98ce3b37e7990d00e5a7d6d6c213aceb7d78a67a7c171ccb1f6728fba7411
-
SSDEEP
24576:YerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbL:YsW
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
fd10a12bfa4567277ceeeee89218d272_JaffaCakes118
-
Size
14.2MB
-
MD5
fd10a12bfa4567277ceeeee89218d272
-
SHA1
1e4c7b5cd7fcd6c5f8d620951316c3dc60e55b19
-
SHA256
afba2105b4e169404b3a9cf3bc73e10d943884b176bfeaa1fc54c985daa0bcd2
-
SHA512
90e5592cbcb97e6301317679f8a0acec08f6409e400331528f5698d799c214112ca98ce3b37e7990d00e5a7d6d6c213aceb7d78a67a7c171ccb1f6728fba7411
-
SSDEEP
24576:YerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbL:YsW
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2