General

  • Target

    98e7381de211843e78398fa21469f8bb_JaffaCakes118

  • Size

    10.0MB

  • Sample

    240815-e2f95avbph

  • MD5

    98e7381de211843e78398fa21469f8bb

  • SHA1

    848c67e594f28d8b6fcc2f36e6f93e75ffca08c4

  • SHA256

    b7fbc878eb70660bbe5ed8fb0b6ce94e8ad2f70950dd6de9324707debfcccc16

  • SHA512

    1710838eed2658b8c1d36a242a6546909ddc7368fe155df65896867d7cad8d188343f5ef81b595a1ed917561243e10d6647affc3589f941f0d84ad2e4fd16ca0

  • SSDEEP

    98304:X999999999999999999999999999999999999999999999999999999999999999:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      98e7381de211843e78398fa21469f8bb_JaffaCakes118

    • Size

      10.0MB

    • MD5

      98e7381de211843e78398fa21469f8bb

    • SHA1

      848c67e594f28d8b6fcc2f36e6f93e75ffca08c4

    • SHA256

      b7fbc878eb70660bbe5ed8fb0b6ce94e8ad2f70950dd6de9324707debfcccc16

    • SHA512

      1710838eed2658b8c1d36a242a6546909ddc7368fe155df65896867d7cad8d188343f5ef81b595a1ed917561243e10d6647affc3589f941f0d84ad2e4fd16ca0

    • SSDEEP

      98304:X999999999999999999999999999999999999999999999999999999999999999:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks