General

  • Target

    8f68bf65b5b28fa550c5650ec14b78d3_JaffaCakes118

  • Size

    10.9MB

  • Sample

    240812-tqpvfstalb

  • MD5

    8f68bf65b5b28fa550c5650ec14b78d3

  • SHA1

    39d1d6db84502e030fbd7c47f6eed27e504b26b5

  • SHA256

    2a4b455e23fef927196d58334257db9ef6be78bd1a4512497057b20378f571f2

  • SHA512

    ba57cdbe64774b0af70326c11c6d36e62fa7d7af4874ffa061c3ebd1535b2653a042dbf8d77f998ceb5bd2eeae3ea88469f14fa2a1977578b0772cab358456a6

  • SSDEEP

    196608:LKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKG:LKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKG

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      8f68bf65b5b28fa550c5650ec14b78d3_JaffaCakes118

    • Size

      10.9MB

    • MD5

      8f68bf65b5b28fa550c5650ec14b78d3

    • SHA1

      39d1d6db84502e030fbd7c47f6eed27e504b26b5

    • SHA256

      2a4b455e23fef927196d58334257db9ef6be78bd1a4512497057b20378f571f2

    • SHA512

      ba57cdbe64774b0af70326c11c6d36e62fa7d7af4874ffa061c3ebd1535b2653a042dbf8d77f998ceb5bd2eeae3ea88469f14fa2a1977578b0772cab358456a6

    • SSDEEP

      196608:LKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKG:LKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks