General

  • Target

    5a6f1e62b8443543418fe946cc21951c_JaffaCakes118

  • Size

    255KB

  • Sample

    240719-ew6ylawanf

  • MD5

    5a6f1e62b8443543418fe946cc21951c

  • SHA1

    4bb3dc57fd0dda3e85c3f156142d8670777336c5

  • SHA256

    231eebbfeac8480860af0aa2e57c275bf2c1e7fa26288fb1424cbbc9e261e69f

  • SHA512

    e11fe0aa39137381a877c908b27b5bab0a0421109526462dffbd84b81c9ba47a756677e77d1e0ebf1555e407598d1205a006080174efb783606e5977fe8a92d8

  • SSDEEP

    6144:csGUGKYxh+tcgagqz1YXoZcNYXoZcNYXoZcNYX:LGUGdh+tcgbqz1YXoZcNYXoZcNYXoZca

Malware Config

Extracted

Family

tofsee

C2

31.210.119.2

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks