tofsee | afba2105b4e169404b3a9cf3bc73e10d943884b176bfeaa1fc54c985daa0bcd2 | Triage

Sharing

General

Target

fd10a12bfa4567277ceeeee89218d272_JaffaCakes118
Size

14.2MB
Sample

240420-sq294sca3w
MD5

fd10a12bfa4567277ceeeee89218d272
SHA1

1e4c7b5cd7fcd6c5f8d620951316c3dc60e55b19
SHA256

afba2105b4e169404b3a9cf3bc73e10d943884b176bfeaa1fc54c985daa0bcd2
SHA512

90e5592cbcb97e6301317679f8a0acec08f6409e400331528f5698d799c214112ca98ce3b37e7990d00e5a7d6d6c213aceb7d78a67a7c171ccb1f6728fba7411
SSDEEP

24576:YerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbL:YsW

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  fd10a12bfa4567277ceeeee89218d272_JaffaCakes118
- Size
  
  14.2MB
- MD5
  
  fd10a12bfa4567277ceeeee89218d272
- SHA1
  
  1e4c7b5cd7fcd6c5f8d620951316c3dc60e55b19
- SHA256
  
  afba2105b4e169404b3a9cf3bc73e10d943884b176bfeaa1fc54c985daa0bcd2
- SHA512
  
  90e5592cbcb97e6301317679f8a0acec08f6409e400331528f5698d799c214112ca98ce3b37e7990d00e5a7d6d6c213aceb7d78a67a7c171ccb1f6728fba7411
- SSDEEP
  
  24576:YerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbL:YsW
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan