tofsee | de2c494713e4ca980f0f55c5d183def1f1a68c698eacd6627778b704566fce14 | Triage

Sharing

General

Target

72b6657e5633ebdcd2b4b49b034ab0d8_JaffaCakes118
Size

11.1MB
Sample

241024-hdryhaxdme
MD5

72b6657e5633ebdcd2b4b49b034ab0d8
SHA1

c8b0081902a005b88b18319e7488d81ab7a4d348
SHA256

de2c494713e4ca980f0f55c5d183def1f1a68c698eacd6627778b704566fce14
SHA512

ee9777886dad70c6d34aad658ab799668db3441ace3507ab1f686b44123206a7e8c14c7788e2260533af2eb50550c1120adaff69b886e9d75d5d92df751f6aa9
SSDEEP

24576:RPTYeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeO:RP

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  72b6657e5633ebdcd2b4b49b034ab0d8_JaffaCakes118
- Size
  
  11.1MB
- MD5
  
  72b6657e5633ebdcd2b4b49b034ab0d8
- SHA1
  
  c8b0081902a005b88b18319e7488d81ab7a4d348
- SHA256
  
  de2c494713e4ca980f0f55c5d183def1f1a68c698eacd6627778b704566fce14
- SHA512
  
  ee9777886dad70c6d34aad658ab799668db3441ace3507ab1f686b44123206a7e8c14c7788e2260533af2eb50550c1120adaff69b886e9d75d5d92df751f6aa9
- SSDEEP
  
  24576:RPTYeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeO:RP
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan