General
-
Target
ff25472606e2de2bd621b467a6f969a2_JaffaCakes118
-
Size
13.4MB
-
Sample
240421-m85kashd82
-
MD5
ff25472606e2de2bd621b467a6f969a2
-
SHA1
c027a885b1dedebab96f8cfac9facbf5ae2cf14c
-
SHA256
6376859ba38701f4b0cf9fb970867d7e8b4712916181b26c72273e223b12d0a0
-
SHA512
98bb3fb60883d7c48f6ee328bb3cb59e7509b1baec769912bd63243cccccd573f4ca64aa137af01c602deeaca2f3f91fc03142cfcef06fe619323bbe0dbebb2d
-
SSDEEP
49152:AckGb2222222222222222222222222222222222222222222222222222222222n:Ack
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
ff25472606e2de2bd621b467a6f969a2_JaffaCakes118
-
Size
13.4MB
-
MD5
ff25472606e2de2bd621b467a6f969a2
-
SHA1
c027a885b1dedebab96f8cfac9facbf5ae2cf14c
-
SHA256
6376859ba38701f4b0cf9fb970867d7e8b4712916181b26c72273e223b12d0a0
-
SHA512
98bb3fb60883d7c48f6ee328bb3cb59e7509b1baec769912bd63243cccccd573f4ca64aa137af01c602deeaca2f3f91fc03142cfcef06fe619323bbe0dbebb2d
-
SSDEEP
49152:AckGb2222222222222222222222222222222222222222222222222222222222n:Ack
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2