tofsee | 7ec2f5fa69e89fa6c3e23ff269f55517ad6ccf833db9c33d13abeae3fe0eaf0f | Triage

Sharing

General

Target

15abd71fa9afdedfbc3f64e46c477ded_JaffaCakes118
Size

10.7MB
Sample

241005-b3r68ssdkd
MD5

15abd71fa9afdedfbc3f64e46c477ded
SHA1

4497a99e9a59dd93c0cf04ea356f491ae39bf709
SHA256

7ec2f5fa69e89fa6c3e23ff269f55517ad6ccf833db9c33d13abeae3fe0eaf0f
SHA512

51f6016b01d29ca1d0b3f233de56fcf8fa9d31ed104f1a8be7c0f8fbe6ab15a4d6d0e2ba98bb5f759f180d9e1a8faa1b41ea523aba8b6b37e2beebed74c0f89d
SSDEEP

6144:tvk9RADRUv1CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCP:uRAD

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  15abd71fa9afdedfbc3f64e46c477ded_JaffaCakes118
- Size
  
  10.7MB
- MD5
  
  15abd71fa9afdedfbc3f64e46c477ded
- SHA1
  
  4497a99e9a59dd93c0cf04ea356f491ae39bf709
- SHA256
  
  7ec2f5fa69e89fa6c3e23ff269f55517ad6ccf833db9c33d13abeae3fe0eaf0f
- SHA512
  
  51f6016b01d29ca1d0b3f233de56fcf8fa9d31ed104f1a8be7c0f8fbe6ab15a4d6d0e2ba98bb5f759f180d9e1a8faa1b41ea523aba8b6b37e2beebed74c0f89d
- SSDEEP
  
  6144:tvk9RADRUv1CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCP:uRAD
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan