General

  • Target

    73ef66f715ba43148ec31a08ce599632_JaffaCakes118

  • Size

    11.4MB

  • Sample

    241024-qmqe2asgqq

  • MD5

    73ef66f715ba43148ec31a08ce599632

  • SHA1

    6cef6bcfe4d5b25a51b767915f8c035b0a830eda

  • SHA256

    19c9419bffef0d0af1b7c15b0f067b23dd8e11184773d907dad4a7ec4c18b04c

  • SHA512

    a556c3b1b74c1e07569c4f5b30230fd3c54a30be4576ac993bc6bd37ca879ed99b5fb00616b9fabfba304133e48098717c5de0e772d029decde12ce210601a28

  • SSDEEP

    49152:h88888888888888888888888888888888888888888888888888888888888888w:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      73ef66f715ba43148ec31a08ce599632_JaffaCakes118

    • Size

      11.4MB

    • MD5

      73ef66f715ba43148ec31a08ce599632

    • SHA1

      6cef6bcfe4d5b25a51b767915f8c035b0a830eda

    • SHA256

      19c9419bffef0d0af1b7c15b0f067b23dd8e11184773d907dad4a7ec4c18b04c

    • SHA512

      a556c3b1b74c1e07569c4f5b30230fd3c54a30be4576ac993bc6bd37ca879ed99b5fb00616b9fabfba304133e48098717c5de0e772d029decde12ce210601a28

    • SSDEEP

      49152:h88888888888888888888888888888888888888888888888888888888888888w:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks