General

  • Target: 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118
  • Size: 144KB
  • Sample: 241024-cy3mvazhjg
  • MD5: 71efd5f8d2ad4c891d4d52f2cce17561
  • SHA1: f34013094d0de6756de5c4979181e1a468836454
  • SHA256: 62c10c55dac6618eff4716e89de4bae41c429102fae8cae2f0ffc86a05ad82e2
  • SHA512: 0f8bab954b18c6e57a3bd0b1b685a5c4d4b194ab30c4b0e8a192cf57d9343c33e7b3f2ed9cb8a815f931b702c528d01ac58f30b8bfa3921854b285cd899bd7b0
  • SSDEEP: 3072:XNfr+k4XY4h+PhzjzrOdt9lES2jbxWGqe:XNf14D+PhznrOdmSbGqe

Malware Config

Extracted

  • Family: tofsee
  • C2:
    91.218.39.211
    188.130.237.44
    91.204.162.103
    188.165.132.183
    rgtryhbgddtyh.biz
    wertdghbyrukl.ch

Targets

    • Target: 71efd5f8d2ad4c891d4d52f2cce17561_JaffaCakes118 (144KB; hashes as listed under General)

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks