General

  • Target

    6d18d177546eb637963d6a0eeb3850cd_JaffaCakes118

  • Size

    14.5MB

  • Sample

    241023-ex6zzssejr

  • MD5

    6d18d177546eb637963d6a0eeb3850cd

  • SHA1

    b32ad7c9cd878520c73dd07440cf603933c6df77

  • SHA256

    8573d926664e8e68863b4132353913030b894c358af74d436e50d3c00dcf73a3

  • SHA512

    22dfd4c0392b2a9e01f6f1794e4ddf7c0173862b5a4b5963bcc2c4e37e798cb3bb00651ae88a5fe31b5bb83c64082c1266b0834cd1633f740a0f25f939c43d38

  • SSDEEP

    6144:uNytwy0vP4gE/r4JSzyEc9T3M+0snM6rSuB:uI+XvP4Z4JSzyEg7r0snNB

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      6d18d177546eb637963d6a0eeb3850cd_JaffaCakes118

    • Tofsee

      Backdoor/botnet that carries out malicious activities on command from a C2 server; Tofsee is known for loading modules (spam sending, proxying) that the C2 pushes to the infected host.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution by locale.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
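
The extracted config (C2 domains and sample hashes under General) together with the behaviour signatures above are exactly what a defender hunts for after reading a report like this. The script below is an added example, not part of the sandbox report and not code from the Tofsee family: it runs four detections (known sample hash, service ImagePath written to a non-standard directory, firewall rule change via netsh or the NetFirewallRule cmdlets, DNS query for a C2 domain or one of its subdomains) over constructed Sysmon-style JSON events (Event ID 1 process create, 13 registry value set, 22 DNS query). The C2 domains and hashes are the report's; the service name xyzsvc, the user bob, the firewall rule name "Host Process", the file paths and every event line are made up for the demonstration.

```python
"""Hunt for the Tofsee indicators and behaviours listed in this report.

Added example. IOCs (C2 domains, sample hashes) are taken from the report;
the events are constructed Sysmon-style JSON lines, not real telemetry.
"""
import json
import re

# Indicators copied verbatim from the report.
C2_DOMAINS = {"defeatwax.ru", "refabyd.info"}
SAMPLE_HASHES = {
    "6d18d177546eb637963d6a0eeb3850cd",                                  # MD5
    "8573d926664e8e68863b4132353913030b894c358af74d436e50d3c00dcf73a3",  # SHA256
}

# Assumption: a service binary normally lives in one of these directories;
# an ImagePath pointing anywhere else is worth a look (heuristic, not a verdict).
STANDARD_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Sysmon writes registry targets as HKLM\System\CurrentControlSet\Services\<svc>\ImagePath
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
# netsh advfirewall firewall add/set/delete ..., netsh advfirewall set <profile> ...,
# or the PowerShell NetSecurity cmdlets.
FIREWALL_CHANGE = re.compile(
    r"netsh\s+advfirewall\s+(firewall\s+(add|set|delete)|set\s+\w+profile)"
    r"|(New|Set|Remove)-NetFirewallRule", re.I)


def domain_matches_c2(qname: str) -> bool:
    """True if qname is a C2 domain or a subdomain of one (case-insensitive)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def image_path_binary(details: str) -> str:
    """Pull the executable out of an ImagePath value (quoted, or followed by args)."""
    value = details.strip().lower()
    for var in ("%systemroot%", "%windir%"):          # common in real ImagePath values
        value = value.replace(var, "c:\\windows")
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', value)
    return (m.group(1) or m.group(2)) if m else value


def is_nonstandard_service_path(details: str) -> bool:
    return not image_path_binary(details).startswith(STANDARD_DIRS)


def known_hash(hashes_field: str) -> bool:
    """Sysmon's Hashes field looks like 'MD5=...,SHA256=...'; match any listed IOC."""
    for part in hashes_field.split(","):
        _, _, digest = part.partition("=")
        if digest.lower() in SAMPLE_HASHES:
            return True
    return False


def hunt(lines):
    """Run the four detections over JSON-line events; return (rule, index, detail)."""
    findings = []
    for n, line in enumerate(lines):
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 1 and known_hash(ev.get("Hashes", "")):
            findings.append(("known_tofsee_sample", n, ev["Image"]))
        if eid == 1 and FIREWALL_CHANGE.search(ev.get("CommandLine", "")):
            findings.append(("firewall_modified", n, ev["CommandLine"]))
        if eid == 13 and SERVICE_IMAGEPATH.match(ev.get("TargetObject", "")) \
                and is_nonstandard_service_path(ev.get("Details", "")):
            findings.append(("service_imagepath_nonstandard", n, ev["Details"]))
        if eid == 22 and domain_matches_c2(ev.get("QueryName", "")):
            findings.append(("tofsee_c2_dns", n, ev["QueryName"]))
    return findings


# Constructed events (user, service name, rule name and paths are invented).
SAMPLE_EVENTS = [
    # 0: the submitted sample is executed (hash IOC)
    r'{"EventID": 1, "Image": "C:\\Users\\bob\\Downloads\\6d18d177546eb637963d6a0eeb3850cd_JaffaCakes118.exe", '
    r'"CommandLine": "\"C:\\Users\\bob\\Downloads\\6d18d177546eb637963d6a0eeb3850cd_JaffaCakes118.exe\"", '
    r'"Hashes": "MD5=6D18D177546EB637963D6A0EEB3850CD,SHA256=8573D926664E8E68863B4132353913030B894C358AF74D436E50D3C00DCF73A3"}',
    # 1: dropped binary registered as a service via the Services key
    r'{"EventID": 13, "Image": "C:\\Users\\bob\\Downloads\\6d18d177546eb637963d6a0eeb3850cd_JaffaCakes118.exe", '
    r'"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\xyzsvc\\ImagePath", '
    r'"Details": "C:\\Windows\\Temp\\xyzsvc.exe"}',
    # 2: the service opens the firewall for itself
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "ParentImage": "C:\\Windows\\Temp\\xyzsvc.exe", '
    r'"CommandLine": "netsh advfirewall firewall add rule name=\"Host Process\" dir=in action=allow program=\"C:\\Windows\\Temp\\xyzsvc.exe\""}',
    # 3, 4: C2 resolution, once exact and once through a subdomain
    r'{"EventID": 22, "Image": "C:\\Windows\\Temp\\xyzsvc.exe", "QueryName": "defeatwax.ru"}',
    r'{"EventID": 22, "Image": "C:\\Windows\\Temp\\xyzsvc.exe", "QueryName": "ns1.refabyd.info"}',
    # 5, 6: benign noise that must not fire
    r'{"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.example.com"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe", '
    r'"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\wuauserv\\ImagePath", '
    r'"Details": "%SystemRoot%\\system32\\svchost.exe -k netsvcs -p"}',
]

if __name__ == "__main__":
    for rule, idx, detail in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Subdomain matching and the %SystemRoot% expansion are there because the config only gives apex domains and real ImagePath values are rarely in canonical form. The ImagePath rule stays a triage signal rather than a verdict: legitimate installers also register services outside the standard directories, so pair it with the parent process and the firewall and DNS findings before escalating.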

MITRE ATT&CK Enterprise v15

Tasks