General

  • Target

    9fef7804e278db330f68567a8f2981cb_JaffaCakes118

  • Size

    11.3MB

  • Sample

    240816-zxs4caxblh

  • MD5

    9fef7804e278db330f68567a8f2981cb

  • SHA1

    7bfe128fd5d587262b2f6f0fe8845436cab4598b

  • SHA256

    041d4252fd88022880897cab2f7c42afd668742d9aba9e79c49882cf1fc212d4

  • SHA512

    b1bd08ffdd6b8f22525a178be0a4f626c8274fd2cd67b8cca61dd6fd31e86d110e880eed81587242a1bf65bf3f5ef2fd8e79b7323d8da7ac0088fec610a9714b

  • SSDEEP

    196608:qtPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPf:q

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      9fef7804e278db330f68567a8f2981cb_JaffaCakes118

    • Size

      11.3MB

    • MD5

      9fef7804e278db330f68567a8f2981cb

    • SHA1

      7bfe128fd5d587262b2f6f0fe8845436cab4598b

    • SHA256

      041d4252fd88022880897cab2f7c42afd668742d9aba9e79c49882cf1fc212d4

    • SHA512

      b1bd08ffdd6b8f22525a178be0a4f626c8274fd2cd67b8cca61dd6fd31e86d110e880eed81587242a1bf65bf3f5ef2fd8e79b7323d8da7ac0088fec610a9714b

    • SSDEEP

      196608:qtPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPf:q

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks