General

  • Target

    8fd0cfb22b56e3349018b747d423ea78_JaffaCakes118

  • Size

    13.3MB

  • Sample

    240812-w4z9fstcqq

  • MD5

    8fd0cfb22b56e3349018b747d423ea78

  • SHA1

    f526d2a13853400a87ae2ffa475623354236c2a3

  • SHA256

    40521457634b9c3f1f369dc605d8ba3de4c595845a0f849f81edd6b42839677b

  • SHA512

    93f322771e02e606e00cc70f10b6d69908dbc5bc938b3de95f1cc0e0a212ac1547ecca59d85d384cc9f9c38b6c9755f600a1e2350369b1b5e2524bb527262411

  • SSDEEP

    196608:fXPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:f

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      8fd0cfb22b56e3349018b747d423ea78_JaffaCakes118

    • Size

      13.3MB

    • MD5

      8fd0cfb22b56e3349018b747d423ea78

    • SHA1

      f526d2a13853400a87ae2ffa475623354236c2a3

    • SHA256

      40521457634b9c3f1f369dc605d8ba3de4c595845a0f849f81edd6b42839677b

    • SHA512

      93f322771e02e606e00cc70f10b6d69908dbc5bc938b3de95f1cc0e0a212ac1547ecca59d85d384cc9f9c38b6c9755f600a1e2350369b1b5e2524bb527262411

    • SSDEEP

      196608:fXPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:f

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks