General

  • Target: feb515efe8237480211f2fabe3976bdf_JaffaCakes118
  • Size: 13.5MB
  • Sample: 240421-hq2y8sea6v
  • MD5: feb515efe8237480211f2fabe3976bdf
  • SHA1: d30c04512b4e2a34f1825b1fb8742be1d004cbc0
  • SHA256: 2668ea58977d5457c1bcb28d04d1b55692fc7d6a64bfc3413a2cede20e838cf4
  • SHA512: a3eedc03386d4732ccd22bcaf04a4470bd711cbb3511390abe10394a4fbf5e1309adf549005816784a7e54ec1eb2f2bcdba1121bbe4bbd8460193fa3d70b9a8d
  • SSDEEP: 196608:r+TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTn:r

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru, refabyd.info

Targets

    • Tofsee
      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Create or Modify System Process (T1543): 2
    • Windows Service (T1543.003): 2
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 2
    • Windows Service (T1543.003): 2
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Impair Defenses (T1562): 2
    • Disable or Modify Tools (T1562.001): 1
    • Disable or Modify System Firewall (T1562.004): 1
  • Modify Registry (T1112): 2

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Tasks