General
-
Target
fd4589d275f0e0321e31a8b317ea8695_JaffaCakes118
-
Size
11.8MB
-
Sample
240420-v8dqksec4x
-
MD5
fd4589d275f0e0321e31a8b317ea8695
-
SHA1
8e5e57f7aa3e5554072e2de2a00d0ba039c3a56d
-
SHA256
d27317496cdfcf567823853f13ba4cca1d89c026034ffff2b9e776374d388010
-
SHA512
11b1fd8542ae7bb85447f51571307303162f3ea5f8d21015cc801d267e5d519832cca8bdbdc99202a0353963c580e9da864824a3922166a0b1c5093c8d0541a4
-
SSDEEP
12288:dl5qOcvT9o+egMU+HoWfprc0sssssssssssssssssssssssssssssssssssssssX:vcvT9ofeqrc
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
fd4589d275f0e0321e31a8b317ea8695_JaffaCakes118
-
Size
11.8MB
-
MD5
fd4589d275f0e0321e31a8b317ea8695
-
SHA1
8e5e57f7aa3e5554072e2de2a00d0ba039c3a56d
-
SHA256
d27317496cdfcf567823853f13ba4cca1d89c026034ffff2b9e776374d388010
-
SHA512
11b1fd8542ae7bb85447f51571307303162f3ea5f8d21015cc801d267e5d519832cca8bdbdc99202a0353963c580e9da864824a3922166a0b1c5093c8d0541a4
-
SSDEEP
12288:dl5qOcvT9o+egMU+HoWfprc0sssssssssssssssssssssssssssssssssssssssX:vcvT9ofeqrc
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1