tofsee | dc29002568fbc6453ba1d57da0ecac5b759464026b4d3d110abc4daf36e7de00 | Triage

Sharing

General

Target

fe624503ac7e44c8dcf7931bee3d7628_JaffaCakes118
Size

14.7MB
Sample

240421-eleflaag7w
MD5

fe624503ac7e44c8dcf7931bee3d7628
SHA1

e3750c0623555c8f7e1500825215d21a4a106319
SHA256

dc29002568fbc6453ba1d57da0ecac5b759464026b4d3d110abc4daf36e7de00
SHA512

96c6c25d2b2d7f8fc87a49a96c461ba2fb3e08f46795c4acd9999af1a7bd676fa07d5829d914f37a90516d3acef13b2e2f62530efb316a83ee04175da2248d6a
SSDEEP

24576:Ogdy5yNM4444444444444444444444444444444444444444444444444444444U:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  fe624503ac7e44c8dcf7931bee3d7628_JaffaCakes118
- Size
  
  14.7MB
- MD5
  
  fe624503ac7e44c8dcf7931bee3d7628
- SHA1
  
  e3750c0623555c8f7e1500825215d21a4a106319
- SHA256
  
  dc29002568fbc6453ba1d57da0ecac5b759464026b4d3d110abc4daf36e7de00
- SHA512
  
  96c6c25d2b2d7f8fc87a49a96c461ba2fb3e08f46795c4acd9999af1a7bd676fa07d5829d914f37a90516d3acef13b2e2f62530efb316a83ee04175da2248d6a
- SSDEEP
  
  24576:Ogdy5yNM4444444444444444444444444444444444444444444444444444444U:
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan