General

  • Target

    b119fb896ea6040e56512e505bacf2bb_JaffaCakes118

  • Size

    12.3MB

  • Sample

    240820-2frkaszhrq

  • MD5

    b119fb896ea6040e56512e505bacf2bb

  • SHA1

    fb84673bb09379dc30379e7468838e1a08ecd0bf

  • SHA256

    b73ff31b66db53d446fffaf62ffaa9f06aad06d931b819bbfcdfe7b42e555e5d

  • SHA512

    74f03841d6bf76475b1f42e4fcd5d7ae3e4e77edbc2b715dc7aa880db74f4e1b36da751c2966f1118d9dee77d8ff0fea682718533db94d87a0e3bac7f99018c2

  • SSDEEP

    196608:itPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPv:i

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      b119fb896ea6040e56512e505bacf2bb_JaffaCakes118

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks