tofsee | 5ff58c63e54e4bbbc6b4ec1aff3abb6275f8692a9f42a25dc9fcec70438a6bc6 | Triage

Sharing

General

Target

fff0aab4de88fa3503e16290699ea84b_JaffaCakes118
Size

11.8MB
Sample

240421-xjsvbahh2x
MD5

fff0aab4de88fa3503e16290699ea84b
SHA1

9b6879a810a5f8609898f8f552067a237b67912b
SHA256

5ff58c63e54e4bbbc6b4ec1aff3abb6275f8692a9f42a25dc9fcec70438a6bc6
SHA512

3587ec145d1503bc06673592da1feca0e9d9fae5c6a968f2ee3d0ad37559a132a789d3e43205921413c5159c8aeac8789a4af0234ba894f74a04e9c436711c6e
SSDEEP

98304:+NWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllx:MW

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  fff0aab4de88fa3503e16290699ea84b_JaffaCakes118
- Size
  
  11.8MB
- MD5
  
  fff0aab4de88fa3503e16290699ea84b
- SHA1
  
  9b6879a810a5f8609898f8f552067a237b67912b
- SHA256
  
  5ff58c63e54e4bbbc6b4ec1aff3abb6275f8692a9f42a25dc9fcec70438a6bc6
- SHA512
  
  3587ec145d1503bc06673592da1feca0e9d9fae5c6a968f2ee3d0ad37559a132a789d3e43205921413c5159c8aeac8789a4af0234ba894f74a04e9c436711c6e
- SSDEEP
  
  98304:+NWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllx:MW
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan