General

  • Target

    81ea89d6b885907097699489aaca7261_JaffaCakes118

  • Size

    12.1MB

  • Sample

    241031-gsclpascpp

  • MD5

    81ea89d6b885907097699489aaca7261

  • SHA1

    cc04ba6273ce4ba0b083bbe93d992a3547cfd6c8

  • SHA256

    b0ec02ce75172989fde89ba52703aa80b53d3ca9d4d6d1985fa0d0c25fface99

  • SHA512

    eb40f112a368dddc382411cdebb8c31556122a28bcaa2893dc82f9b3fff40d8e5d7ed80049065da95150ee82e3ebe70bcdceeb0770c385bdad5faf259092182a

  • SSDEEP

    49152:18yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyP:1

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
