General

  • Target

    a7850b3873bb5e9d60d120f66a1c353e_JaffaCakes118

  • Size

    12.5MB

  • Sample

    240818-vrf5daxgkk

  • MD5

    a7850b3873bb5e9d60d120f66a1c353e

  • SHA1

    ea556df8bdc7fba78f57b554e84e55fbae06cb5d

  • SHA256

    ebb879ab42cbdae6fe0c807684c73e6b7fbab715c6f85c934926824ded07297f

  • SHA512

    fa4aa8c5f0053356d60f7f89c777ef311fee0e878fc227326d39d93e78a6faccd36e43f5043427b21f7c40dcbcc762af96f82ff5e9d662ecfb83f6d0de6a4aae

  • SSDEEP

    196608:cLad4qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq6:cL

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info
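The report gives two kinds of atomic indicators: file hashes and C2 domains. The following is an added example (not sandbox output and not Tofsee code) of turning them into a check a responder can run on a host or a DNS log: the hashes and domains are copied from this report, the file and the BIND-style query-log lines are constructed for the demo, and the `scan_dns_log` line format is an assumption about the log being read.

```python
"""IOC matcher for the sample on this page (added example, not sandbox output).
Hashes and C2 domains are copied from the report; the log lines are constructed."""
import hashlib
import re

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "a7850b3873bb5e9d60d120f66a1c353e",
    "sha1": "ea556df8bdc7fba78f57b554e84e55fbae06cb5d",
    "sha256": "ebb879ab42cbdae6fe0c807684c73e6b7fbab715c6f85c934926824ded07297f",
}
C2_DOMAINS = {"defeatwax.ru", "refabyd.info"}


def file_digests(path, chunk=1 << 20):
    """Hash a file in one streaming pass (a 12.5MB sample need not fit in memory)."""
    hashers = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_sample(path):
    """True if any digest of the file equals the report's value for that algorithm."""
    digests = file_digests(path)
    return any(digests[alg] == value for alg, value in SAMPLE_HASHES.items())


def domain_matches(qname, watchlist=C2_DOMAINS):
    """Match a queried name against the C2 list, including subdomains, but not
    look-alikes such as 'notdefeatwax.ru' or 'defeatwax.ru.example.com'."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in watchlist)


# Assumed BIND-style query log line: "... client <ip>#<port>: query: <name> IN ..."
DNS_LINE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def scan_dns_log(lines):
    """Return (source_ip, queried_name) for every line that resolves a C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if m and domain_matches(m.group("qname")):
            hits.append((m.group("src"), m.group("qname").rstrip(".").lower()))
    return hits


# Constructed query-log lines for the demo (not real traffic).
SAMPLE_LOG = """\
client 10.0.0.15#53422: query: defeatwax.ru IN A + (10.0.0.1)
client 10.0.0.15#53423: query: www.refabyd.info IN A + (10.0.0.1)
client 10.0.0.22#40011: query: notdefeatwax.ru IN A + (10.0.0.1)
client 10.0.0.22#40012: query: defeatwax.ru.example.com IN A + (10.0.0.1)
client 10.0.0.31#40100: query: update.microsoft.com IN A + (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    for src, name in scan_dns_log(SAMPLE_LOG):
        print(f"C2 lookup from {src}: {name}")
```

The suffix check in `domain_matches` is the part people get wrong: a plain substring test on `defeatwax.ru` would flag `notdefeatwax.ru` and miss nothing, but it would also match `defeatwax.ru.example.com`, which is a different registrable domain.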

Targets

    • Target

      a7850b3873bb5e9d60d120f66a1c353e_JaffaCakes118


    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server. The domains listed under Malware Config were extracted from this sample's embedded configuration.

    • Windows security bypass

    • Creates new service(s)

      Registers a new Windows service, a common persistence mechanism; the service's ImagePath (see the registry signature below) tells you which binary it launches.

    • Modifies Windows Firewall

      Adds or changes Windows Firewall rules (typically through netsh) so the malware's own traffic is not blocked.

    • Sets service image path in registry

      Writes the ImagePath value under HKLM\SYSTEM\...\Services\<name>, i.e. the executable the new service will run.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence: samples that do this often behave differently, or exit, depending on the victim's locale.

    • Deletes itself

      Removes its own original file after execution, so the dropper is often missing on an infected host and must be recovered elsewhere (mail attachment, browser download, backup).

    • Executes dropped EXE

      Runs an executable it wrote to disk; that dropped file, not the original sample, is what to expect running after infection.

    • Suspicious use of SetThreadContext

      Thread-context manipulation is a common building block of process injection (e.g. process hollowing), so the malicious code may be executing inside a process other than the dropped binary.
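The signatures above are sandbox observations; on a real endpoint the same behaviours show up as process, file and registry telemetry. The following is an added example (not part of the sandbox report and not Tofsee code) that maps a stream of simplified Sysmon/System-log style events back onto the report's signature names. The event schema is a reduced assumption modelled on Sysmon field names (Event 1 process create, 11 file create, 13 registry value set, and 7045 service installed from the System log); the events, paths, service name and rule name are all constructed placeholders. Registry reads (the geofence check) and SetThreadContext calls are not visible in this kind of telemetry and are deliberately left out.

```python
"""Behavioural triage for the signatures listed above (added example, not part
of the report).  Input is a list of simplified Sysmon/System events as dicts;
the events below are constructed and every path and name is a placeholder."""
import re

# A service binary sitting in a user-writable directory is a stronger signal
# than the plain "service created" event on its own.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
IMAGEPATH_KEY = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)
NETSH_FW = re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\b.*\badd\b", re.I)
DEL_CMD = re.compile(r"\bdel\b(?:\s+/\w+)*\s+\"?(?P<target>[^\"]+?\.exe)\"?", re.I)


def triage(events, sample_image):
    """Map report-style signature names to the evidence that fired them."""
    findings = {}
    dropped = set()                     # .exe files the sample wrote (Event 11)
    sample = sample_image.lower()
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and ev["Image"].lower() == sample:
            if ev["TargetFilename"].lower().endswith(".exe"):
                dropped.add(ev["TargetFilename"].lower())
        elif eid == 1:                                   # process creation
            cmd, image = ev.get("CommandLine", ""), ev["Image"]
            parent = ev.get("ParentImage", "").lower()
            if NETSH_FW.search(cmd):
                findings["Modifies Windows Firewall"] = cmd
            m = DEL_CMD.search(cmd)
            if m and m.group("target").lower() == parent:   # child deletes its parent's file
                findings["Deletes itself"] = cmd
            if image.lower() in dropped:
                findings["Executes dropped EXE"] = image
        elif eid == 13 and IMAGEPATH_KEY.search(ev["TargetObject"]):   # registry value set
            findings["Sets service image path in registry"] = ev["Details"]
            if USER_WRITABLE.search(ev["Details"].strip('"')):
                findings["Service image path in user-writable directory"] = ev["Details"]
        elif eid == 7045:                                # System log: service installed
            findings["Creates new service(s)"] = ev["ServiceName"]
    return findings


# Constructed events (placeholders, not from the sandbox run).
SAMPLE = r"C:\Users\bob\AppData\Local\Temp\sample.exe"
DROPPED = r"C:\Users\bob\AppData\Local\Temp\svcbin.exe"

EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\placeholder_svc\ImagePath",
     "Details": DROPPED},
    {"EventID": 7045, "ServiceName": "placeholder_svc", "ImagePath": DROPPED},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": SAMPLE,
     "CommandLine": 'netsh advfirewall firewall add rule name="placeholder" dir=in '
                    'action=allow program="' + DROPPED + '"'},
    {"EventID": 1, "Image": DROPPED, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": DROPPED},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": 'cmd.exe /c del /f /q "' + SAMPLE + '"'},
]

if __name__ == "__main__":
    for name, evidence in triage(EVENTS, SAMPLE).items():
        print(f"{name}: {evidence}")
```

The "Deletes itself" rule keys on the parent/child relationship rather than on `del` alone, because a `del` of some unrelated file is routine; the dropped-EXE rule likewise only fires for binaries the sample itself wrote, which is what distinguishes it from ordinary process creation.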

MITRE ATT&CK Enterprise v15

Tasks