General

  • Target: 23857773eef5ec542ab9f8c9ee25d6c2_JaffaCakes118
  • Size: 98KB
  • Sample: 241008-w77gyawcph
  • MD5: 23857773eef5ec542ab9f8c9ee25d6c2
  • SHA1: 629ad3d505e0470e4b9477f9c862a3f475579970
  • SHA256: eb51714bc9a3200707efbaf6a996dd51490c5674b129129eaba8cdddff96e8ba
  • SHA512: 6c67da82cf375e978f42a11eb678bb4a61593470e4fdd8447629682b3feb86ba615a3d7684fbe37f0c15b5960a669c7db9e6969112a99161140d08b7a3186938
  • SSDEEP: 1536:PA86xJ39qqj7pf//ndPtVwNtgszLgetXlII1LavPWoY27rCjjQSUd0:PqFFLVwgmgetXmI1WeoH1SUd0

Malware Config

Extracted

  • Family: tofsee
  • C2:
    64.20.54.234
    rgtryhbgddtyh.biz
    wertdghbyrukl.ch

Targets

    • Target: 23857773eef5ec542ab9f8c9ee25d6c2_JaffaCakes118

    • Tofsee: backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
