General
-
Target
0901ad2e62bd77a5a7bcf823d00c3950_JaffaCakes118
-
Size
13.6MB
-
Sample
241002-fmk57sybnm
-
MD5
0901ad2e62bd77a5a7bcf823d00c3950
-
SHA1
5774b58084266028ca060d3cfede4227f1436858
-
SHA256
17aabdec054b5a9968a906ff9060a0d02eacb6ad4554d592e42db785eabafa79
-
SHA512
5c1ed73accb0aa99a45f50d0ec3f1a23459e2dafb31932394706f990c64d7f9608f01ff8f990dd594e1f526f59822ad788da2b010a667ccbc438e53c63ee80c3
-
SSDEEP
24576:6BNzDipfYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYf:6BZi
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
0901ad2e62bd77a5a7bcf823d00c3950_JaffaCakes118
-
Size
13.6MB
-
MD5
0901ad2e62bd77a5a7bcf823d00c3950
-
SHA1
5774b58084266028ca060d3cfede4227f1436858
-
SHA256
17aabdec054b5a9968a906ff9060a0d02eacb6ad4554d592e42db785eabafa79
-
SHA512
5c1ed73accb0aa99a45f50d0ec3f1a23459e2dafb31932394706f990c64d7f9608f01ff8f990dd594e1f526f59822ad788da2b010a667ccbc438e53c63ee80c3
-
SSDEEP
24576:6BNzDipfYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYf:6BZi
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2