General

  • Target

    7be29c6f07a591909370c730d25e0474_JaffaCakes118

  • Size

    11.1MB

  • Sample

    241029-ft3c3awapa

  • MD5

    7be29c6f07a591909370c730d25e0474

  • SHA1

    74a9d8c39bb05b732f9a2d53735f992626247355

  • SHA256

    c8eed2f9ea3d4118cfde872489aea27c34edc9720a218cf483f76528aa2a9a87

  • SHA512

    b0971bcb9dba67e8684e23b47f06e12f2d144fe2e21bec13fbe73265ff38476409b92415e2392fb6d003b8822ecea11a8ff6f52aaa8ae45bc9442aefbba47b77

  • SSDEEP

    196608:i+8888888888888888888888888888888888888888888888888888888888888H:j888888888888888888888888888888g

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks