General

  • Target

    cd40e2ae400d9246093680878435e4c0_JaffaCakes118

  • Size

    11.3MB

  • Sample

    240831-vx4gvswclf

  • MD5

    cd40e2ae400d9246093680878435e4c0

  • SHA1

    9d8db6d204bd8d15650b48dfd8b68a464ed67c61

  • SHA256

    4bf9bf8d633e92cacd30456ef29f97945406ff53002d593fbb41ff6850e99c64

  • SHA512

    985135f88b10aaa0d0f06877cfa509f631fcf084c91e9a66461334891734c85135db029187cbb821a8e8c1de75b81263016adbfc1632dfd6e126c92225d62c77

  • SSDEEP

    196608:xrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh:Bhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhn

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      cd40e2ae400d9246093680878435e4c0_JaffaCakes118

    • Size

      11.3MB

    • MD5

      cd40e2ae400d9246093680878435e4c0

    • SHA1

      9d8db6d204bd8d15650b48dfd8b68a464ed67c61

    • SHA256

      4bf9bf8d633e92cacd30456ef29f97945406ff53002d593fbb41ff6850e99c64

    • SHA512

      985135f88b10aaa0d0f06877cfa509f631fcf084c91e9a66461334891734c85135db029187cbb821a8e8c1de75b81263016adbfc1632dfd6e126c92225d62c77

    • SSDEEP

      196608:xrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh:Bhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhn

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks