General
-
Target
bf36675d6c02b283f1c2586de365331a_JaffaCakes118
-
Size
255KB
-
Sample
240824-xmj2kstgkd
-
MD5
bf36675d6c02b283f1c2586de365331a
-
SHA1
211ee565c3a4b1f6c2e145886765fda29a0e2f82
-
SHA256
3aa7557525a4ff59a8cd3aecd67c987afaa744274019f2a94ae6ac87c076cbb4
-
SHA512
19a28b13b3f07131e5f1fb95dcefed9cf35cf9b634486e135dc6712ab4ce56a4030db95a3da09c1842bc7b02ab94c223596aa9f4a1613b9a2bb84844c43772a3
-
SSDEEP
6144:ZoNWDuj1aozoPz1mCO6fXuWmsQfscFIPW7z:Zhq8okPz+6/uWlQJV
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
bf36675d6c02b283f1c2586de365331a_JaffaCakes118
-
Size
255KB
-
MD5
bf36675d6c02b283f1c2586de365331a
-
SHA1
211ee565c3a4b1f6c2e145886765fda29a0e2f82
-
SHA256
3aa7557525a4ff59a8cd3aecd67c987afaa744274019f2a94ae6ac87c076cbb4
-
SHA512
19a28b13b3f07131e5f1fb95dcefed9cf35cf9b634486e135dc6712ab4ce56a4030db95a3da09c1842bc7b02ab94c223596aa9f4a1613b9a2bb84844c43772a3
-
SSDEEP
6144:ZoNWDuj1aozoPz1mCO6fXuWmsQfscFIPW7z:Zhq8okPz+6/uWlQJV
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2