General
-
Target
2e316d198cb4372d12133d6fdda7774f_JaffaCakes118
-
Size
12.0MB
-
Sample
241009-krw6gs1bjq
-
MD5
2e316d198cb4372d12133d6fdda7774f
-
SHA1
332966886416afa54689bf0c0641d43465103e51
-
SHA256
ac2b5f67e079686ab6ee26fa820836d8da7317ecc0837556c1efccd08013bedc
-
SHA512
9169bbf067b75397a140371fc5b32b2c61ed6788eddbef1f41d377e1725440b5e312d1015a249ce8f999b91f0c3f8b5d90834de2ce72922471661248c5fa0658
-
SSDEEP
49152:RJkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk8:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
2e316d198cb4372d12133d6fdda7774f_JaffaCakes118
-
Size
12.0MB
-
MD5
2e316d198cb4372d12133d6fdda7774f
-
SHA1
332966886416afa54689bf0c0641d43465103e51
-
SHA256
ac2b5f67e079686ab6ee26fa820836d8da7317ecc0837556c1efccd08013bedc
-
SHA512
9169bbf067b75397a140371fc5b32b2c61ed6788eddbef1f41d377e1725440b5e312d1015a249ce8f999b91f0c3f8b5d90834de2ce72922471661248c5fa0658
-
SSDEEP
49152:RJkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk8:
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2