General

  • Target

    90795e4f8769ad53b9385229e6e07110_JaffaCakes118

  • Size

    305KB

  • Sample

    240812-1ykc9ssfmp

  • MD5

    90795e4f8769ad53b9385229e6e07110

  • SHA1

    0162b5f672ae5bf2ef7a480e10e633d3497f320d

  • SHA256

    417c4492f65c08009ce5772bec5917a8ece8769419da4ba39ea1afad46abdf43

  • SHA512

    2c23555d87abe5be28ff326bce76f13f687ae40a9bcddc226051a60f4bf4e2e35909f3ae026757c8a1cfde58614b130f58900d5d719d537b9ad5f246ecdc6447

  • SSDEEP

    6144:ixBHpmqLG7bFsnSqwkVI/+lL6MCOhxxFeTr/ekI:ibH3C7biJVI/+lL6+zxF6L

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      90795e4f8769ad53b9385229e6e07110_JaffaCakes118

    • Size

      305KB

    • MD5

      90795e4f8769ad53b9385229e6e07110

    • SHA1

      0162b5f672ae5bf2ef7a480e10e633d3497f320d

    • SHA256

      417c4492f65c08009ce5772bec5917a8ece8769419da4ba39ea1afad46abdf43

    • SHA512

      2c23555d87abe5be28ff326bce76f13f687ae40a9bcddc226051a60f4bf4e2e35909f3ae026757c8a1cfde58614b130f58900d5d719d537b9ad5f246ecdc6447

    • SSDEEP

      6144:ixBHpmqLG7bFsnSqwkVI/+lL6MCOhxxFeTr/ekI:ibH3C7biJVI/+lL6+zxF6L

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks