General
-
Target
9a030a413b599096a4aa5ee0a16778c6_JaffaCakes118
-
Size
142KB
-
Sample
240606-fpp7yahc3w
-
MD5
9a030a413b599096a4aa5ee0a16778c6
-
SHA1
9a1f9c4e0710d6a020b3fba15b5b7067881eec2b
-
SHA256
fe075bbb51c5ab0cf88210f16d469c22642e916a3383020b81d449cffde92350
-
SHA512
f699fd20a6b67902100f7b31620e6dd58b920e13aa097d912983b4608753c86348876781c325def85f535c13e961bebb0c13d2046cb2a9dc23ccb3ca403e5e22
-
SSDEEP
3072:K9Tpm/Wn628S6rzTkYfiL2+jKfgi4m5nuGFU6W6WNE6QUj:FeEzwFLnKP46uCm
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
9a030a413b599096a4aa5ee0a16778c6_JaffaCakes118
-
Size
142KB
-
MD5
9a030a413b599096a4aa5ee0a16778c6
-
SHA1
9a1f9c4e0710d6a020b3fba15b5b7067881eec2b
-
SHA256
fe075bbb51c5ab0cf88210f16d469c22642e916a3383020b81d449cffde92350
-
SHA512
f699fd20a6b67902100f7b31620e6dd58b920e13aa097d912983b4608753c86348876781c325def85f535c13e961bebb0c13d2046cb2a9dc23ccb3ca403e5e22
-
SSDEEP
3072:K9Tpm/Wn628S6rzTkYfiL2+jKfgi4m5nuGFU6W6WNE6QUj:FeEzwFLnKP46uCm
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2