General

  • Target

    8fdee8d83874619366764213fcd3af8e_JaffaCakes118

  • Size

    14.3MB

  • Sample

    240812-xetwtaydrf

  • MD5

    8fdee8d83874619366764213fcd3af8e

  • SHA1

    22e413f0941c3c8b3e6c46fde20be41912c004d6

  • SHA256

    3710d6b2b408ece521c4dd9dbbaf3cb4396c10d42acbc0deb98f7f92a76de97a

  • SHA512

    574102f2c68a47e4c64177f90dbf1853f5fb1c8644dc33fc7c02b2c47775b1da998c348bebabdf7dd9b5d19f53a674a96b667d39e6c04cfb7a0aa9597ffbb545

  • SSDEEP

    393216:/88888888888888888888888888888888888888888888888888888888888888b:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      8fdee8d83874619366764213fcd3af8e_JaffaCakes118

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks