General

  • Target

    8efd6c8e0533ff95e0599cfa65959ce8_JaffaCakes118

  • Size

    255KB

  • Sample

    240812-q9jk1atfnj

  • MD5

    8efd6c8e0533ff95e0599cfa65959ce8

  • SHA1

    aab70771c2cd124013e3da4e46ccd523ced2089c

  • SHA256

    2837b9d85f67a85697cf2ea82fddbac1b980109931b5edb51819135d6f4781a7

  • SHA512

    6e66650dc4830a9c803649cb60f80fb1f125ea6572caf148e1ee979c86612891909a5201a617b1b95d164b937f1db48c1e6d84eeb8e580acc5bc3e166f35a54a

  • SSDEEP

    6144:nsGU1sOG5w4GSnr2gGGGGGGGGGGGGGGGGGGGGGy2eIstcjGGGGGGGGGGGGGGGGGt:sGU1pEAAA

Malware Config

Extracted

Family

tofsee

C2

31.210.119.2

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

    • Target

      8efd6c8e0533ff95e0599cfa65959ce8_JaffaCakes118

    • Size

      255KB

    • MD5

      8efd6c8e0533ff95e0599cfa65959ce8

    • SHA1

      aab70771c2cd124013e3da4e46ccd523ced2089c

    • SHA256

      2837b9d85f67a85697cf2ea82fddbac1b980109931b5edb51819135d6f4781a7

    • SHA512

      6e66650dc4830a9c803649cb60f80fb1f125ea6572caf148e1ee979c86612891909a5201a617b1b95d164b937f1db48c1e6d84eeb8e580acc5bc3e166f35a54a

    • SSDEEP

      6144:nsGU1sOG5w4GSnr2gGGGGGGGGGGGGGGGGGGGGGy2eIstcjGGGGGGGGGGGGGGGGGt:sGU1pEAAA

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks