General

  • Target

    c3f26a78e7cc7d7c1f3a22cd82c9df84_JaffaCakes118

  • Size

    14.1MB

  • Sample

    240826-2prawsyhmg

  • MD5

    c3f26a78e7cc7d7c1f3a22cd82c9df84

  • SHA1

    e0613a088747351994400b54311bb1ace6036364

  • SHA256

    45d0bb36312a53205b7a0e885ca97a5115946146c6fda31fefda101b6d487f28

  • SHA512

    eab255aff18a776b56f1bb7aa53eef8a15d916eff21660b6e82ed229a34bd67e7a444c52a942af8017e7c784219e240593ce31d89d357501588d2ba6a666bb8b

  • SSDEEP

    393216:+88888888888888888888888888888888888888888888888888888888888888/:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      c3f26a78e7cc7d7c1f3a22cd82c9df84_JaffaCakes118

    • Size

      14.1MB

    • MD5

      c3f26a78e7cc7d7c1f3a22cd82c9df84

    • SHA1

      e0613a088747351994400b54311bb1ace6036364

    • SHA256

      45d0bb36312a53205b7a0e885ca97a5115946146c6fda31fefda101b6d487f28

    • SHA512

      eab255aff18a776b56f1bb7aa53eef8a15d916eff21660b6e82ed229a34bd67e7a444c52a942af8017e7c784219e240593ce31d89d357501588d2ba6a666bb8b

    • SSDEEP

      393216:+88888888888888888888888888888888888888888888888888888888888888/:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks