General

  • Target

    7454b1a70a8f8acf82a9c2f9302d48d8_JaffaCakes118

  • Size

    12.3MB

  • Sample

    241024-s9fv8a1frf

  • MD5

    7454b1a70a8f8acf82a9c2f9302d48d8

  • SHA1

    38727c4e426faca0db4da54f73511eb10df8c22c

  • SHA256

    99bdf7a088252ed99a70a040d9453d7081a72d08ed1d76e3b2595f768803554c

  • SHA512

    10e31fbf5966bd7146490dbfe2e6d6582f5458e10c9fc33e1e8e1d7b86da10af30e2ea10ff180e5c70b3bb524ba2404d0d912ff6969c0f4627281e6bba8c349f

  • SSDEEP

    24576:KyNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNhNn:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks