Resubmissions

27-10-2024 23:54

241027-3x742svhmh 10

27-10-2024 23:30

241027-3g5nzssnbr 10

General

  • Target

    768226535e8829a6a546849b0face680_JaffaCakes118

  • Size

    12.9MB

  • Sample

    241027-3x742svhmh

  • MD5

    768226535e8829a6a546849b0face680

  • SHA1

    e212fc31a3ba718726c487d9a29adfe828cc95fa

  • SHA256

    e91b0a17ead2c83c4fae8dbf4afbd30afce8d7686b5f2ed1c0790b166878e2d2

  • SHA512

    b4bb4c569e25d7ee19cba60a3b62ff632107dfdeb4b2e2af6816f8fd55a43167bf6082d8491d2338ecb1257f2c48ff3511211cfec807935560a7d666e90fb12a

  • SSDEEP

    12288:PZlC6v/5oQU6buXH53333333333333333333333333333333333333333333333X:PbjvluXH

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      768226535e8829a6a546849b0face680_JaffaCakes118

    • Size

      12.9MB

    • MD5

      768226535e8829a6a546849b0face680

    • SHA1

      e212fc31a3ba718726c487d9a29adfe828cc95fa

    • SHA256

      e91b0a17ead2c83c4fae8dbf4afbd30afce8d7686b5f2ed1c0790b166878e2d2

    • SHA512

      b4bb4c569e25d7ee19cba60a3b62ff632107dfdeb4b2e2af6816f8fd55a43167bf6082d8491d2338ecb1257f2c48ff3511211cfec807935560a7d666e90fb12a

    • SSDEEP

      12288:PZlC6v/5oQU6buXH53333333333333333333333333333333333333333333333X:PbjvluXH

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks