General

  • Target

    bd9639044643025556c8fbd6271fe5e5_JaffaCakes118

  • Size

    99KB

  • Sample

    240823-3r9qpatgne

  • MD5

    bd9639044643025556c8fbd6271fe5e5

  • SHA1

    3bedbea22ced1f577ba4925400b36a615221b72b

  • SHA256

    559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78

  • SHA512

    131f147c38e09778f35ebae81b8fab8fbd2a00f2ca49ef81092c3848e3f1645f51b263bdc6828a4c84c6998fe4f44c2b7f6afa9bf86fe2b153e2d0e894898393

  • SSDEEP

    1536:RsNWbgXg17VoOwIRvLHWQVBh6LK9oxJ2BHXdwvjTUctTiT9dFhm99UPBc/S:HdFicFLHWQ/h6HvNiTbU9UPO/S

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      bd9639044643025556c8fbd6271fe5e5_JaffaCakes118

    • Size

      99KB

    • MD5

      bd9639044643025556c8fbd6271fe5e5

    • SHA1

      3bedbea22ced1f577ba4925400b36a615221b72b

    • SHA256

      559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78

    • SHA512

      131f147c38e09778f35ebae81b8fab8fbd2a00f2ca49ef81092c3848e3f1645f51b263bdc6828a4c84c6998fe4f44c2b7f6afa9bf86fe2b153e2d0e894898393

    • SSDEEP

      1536:RsNWbgXg17VoOwIRvLHWQVBh6LK9oxJ2BHXdwvjTUctTiT9dFhm99UPBc/S:HdFicFLHWQ/h6HvNiTbU9UPO/S

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks