General

  • Target

    78acc85d9c1ff8bcd03cf9a15fec8d08_JaffaCakes118

  • Size

    12.9MB

  • Sample

    241028-kghkcasmam

  • MD5

    78acc85d9c1ff8bcd03cf9a15fec8d08

  • SHA1

    92dec1567b3cb8d70ae8397110b8a82c30b5ca06

  • SHA256

    2ff16c73081301f457fc856f458d129953fbb7294273f31315b35fa6f71f2a0d

  • SHA512

    b4241c7aab47766929d0d86c008917be2ccb11b262f16144c0ed865e67b9f1a5b99d666c807cf0e4008443038c276e22c39fd74bd71a4a001878f7db27f7c202

  • SSDEEP

    49152:qcUGb2222222222222222222222222222222222222222222222222222222222G:qcU

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks