General

  • Target

    7bba0ff4a89197cd722d7f2b0cb64fd8_JaffaCakes118

  • Size

    11.9MB

  • Sample

    241029-emwfhavbmd

  • MD5

    7bba0ff4a89197cd722d7f2b0cb64fd8

  • SHA1

    a8ace94042d34b4f0dd7baa32bc85b6c8fe9c963

  • SHA256

    d72ac4743305a738a0fda64272d002ab491e2ab53da89d2f504e0676521d1958

  • SHA512

    b516e2ca8676353d1461a7424c2784ccd7dbf509ee5e000990aecb833358202e19819a46418f93007904dd1f0fa87804c9598e5f524c4d79220e7b7540cdeab4

  • SSDEEP

    24576:tMLXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXH:tM

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      7bba0ff4a89197cd722d7f2b0cb64fd8_JaffaCakes118

    • Size

      11.9MB

    • MD5

      7bba0ff4a89197cd722d7f2b0cb64fd8

    • SHA1

      a8ace94042d34b4f0dd7baa32bc85b6c8fe9c963

    • SHA256

      d72ac4743305a738a0fda64272d002ab491e2ab53da89d2f504e0676521d1958

    • SHA512

      b516e2ca8676353d1461a7424c2784ccd7dbf509ee5e000990aecb833358202e19819a46418f93007904dd1f0fa87804c9598e5f524c4d79220e7b7540cdeab4

    • SSDEEP

      24576:tMLXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXH:tM

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks