General

  • Target

    94ed3d7a50e9c27987aad70ea10a5c8e_JaffaCakes118

  • Size

    258KB

  • Sample

    240813-12am8stbqq

  • MD5

    94ed3d7a50e9c27987aad70ea10a5c8e

  • SHA1

    3818ce4e703c6c5a8af47131c512a1d40b0e6a86

  • SHA256

    53370ee36464474b0e79b22a8c25d7cf3a4a7df91d2e7514646c0c830bc61ce3

  • SHA512

    3223f33eabc6e4c6849ce332dd4bf049e322fbb9e55f312a8db52506c23f6e8b28069f74f4c8b9f1fd301dd20cd1a2e877ba21f113d47ba3996ff1b848e4aeda

  • SSDEEP

    3072:yQ5Hi8F7bIDubF50+ToKK8DIuxFBsPFrvs+pK7mYXTlqdsS70L/b7as73YxhhA56:yQ5HJhb6cF5v9xvOJ6fZQ05IW8JBW7

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      94ed3d7a50e9c27987aad70ea10a5c8e_JaffaCakes118

    • Size

      258KB

    • MD5

      94ed3d7a50e9c27987aad70ea10a5c8e

    • SHA1

      3818ce4e703c6c5a8af47131c512a1d40b0e6a86

    • SHA256

      53370ee36464474b0e79b22a8c25d7cf3a4a7df91d2e7514646c0c830bc61ce3

    • SHA512

      3223f33eabc6e4c6849ce332dd4bf049e322fbb9e55f312a8db52506c23f6e8b28069f74f4c8b9f1fd301dd20cd1a2e877ba21f113d47ba3996ff1b848e4aeda

    • SSDEEP

      3072:yQ5Hi8F7bIDubF50+ToKK8DIuxFBsPFrvs+pK7mYXTlqdsS70L/b7as73YxhhA56:yQ5HJhb6cF5v9xvOJ6fZQ05IW8JBW7

    • Tofsee

      Backdoor/botnet that carries out malicious activity on commands received from its C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
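
Detection logic for the host behaviours listed above (service image path written to the registry, firewall modification, execution of a dropped EXE, self-deletion), run over constructed Sysmon-style events. This is an added example, not part of the sandbox report or of any detection the report contains; the service name, file paths and command lines in the sample events are assumptions chosen to illustrate the patterns, not artefacts recovered from this sample.

```python
"""Flag report-style host behaviours in Sysmon-like events (added example)."""
import re

# Registry value set (Sysmon Event ID 13) on a service's binary location.
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)
# Windows Firewall changes through the built-in CLI (Sysmon Event ID 1).
FIREWALL_CMD = re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b", re.I)
# cmd.exe running a delete; combined below with a parent-image check.
SELF_DELETE = re.compile(r"\bcmd(\.exe)?\b.*\bdel\b", re.I)


def scan(events):
    """Return (kind, subject, detail) findings for the behaviours above.

    Stateful: file paths seen in FileCreate (EID 11) are remembered so a later
    process start (EID 1) from one of them is tagged as a dropped EXE executing.
    """
    dropped = set()
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 13:
            m = SERVICE_IMAGEPATH.match(ev.get("TargetObject", ""))
            if m:
                findings.append(("service_imagepath", m.group(1), ev.get("Details", "")))
        elif eid == 1:
            img = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            if img in dropped:
                findings.append(("executes_dropped_exe", img, cmd))
            if FIREWALL_CMD.search(cmd):
                findings.append(("firewall_modify", img, cmd))
            # Self-deletion: the deleting cmd.exe was spawned by the very file it deletes.
            if SELF_DELETE.search(cmd) and parent and parent.lower() in cmd.lower():
                findings.append(("self_delete", parent, cmd))
    return findings


# Constructed sample events (assumed names/paths; not from this sample).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Windows\Temp\svcupd.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\svcupd\ImagePath",
     "Details": r"C:\Windows\Temp\svcupd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\svcupd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\Temp\svcupd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\Temp\svcupd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svcupd" dir=in '
                    'action=allow program="C:\\Windows\\Temp\\svcupd.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\sample.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\user\Desktop\sample.exe"'},
    # Benign process start that must not produce a finding.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for kind, subject, detail in scan(SAMPLE_EVENTS):
        print(f"{kind:22} {subject}  <-  {detail}")
```

The country-code lookup in the report is a registry read, which Sysmon does not record, so it is deliberately not covered here; the "Suspicious use of SetThreadContext" signal likewise needs API-level tracing rather than event logs. Firewall changes made through the API instead of netsh.exe would also slip past the command-line pattern, so in production pair it with the Windows Firewall operational log.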

MITRE ATT&CK Enterprise v15

Tasks