General

  • Target: 7aa6741e302f84504aa52aa5a2ce4325_JaffaCakes118
  • Size: 12.1MB
  • Sample: 241028-yxkljawepp
  • MD5: 7aa6741e302f84504aa52aa5a2ce4325
  • SHA1: 677ad05e27f235bf3fa558dd4e0d83f192f3037d
  • SHA256: fd853dd51a98c78662de39fb48e4f5b71febbb8cfe895e78ee7f2633305ff25a
  • SHA512: b4bb923b7b8b4cde620f276aa30e9a7812e4c596ace88d2d5c3d2e1ace22a9c8778725e237fb2602cbf403f9b67914544ae1a350cb1af5eaa99f77a32709277b
  • SSDEEP: 24576:hMLXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXH:hM

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru, refabyd.info

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Tofsee family
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
