General

  • Target

    82645945c9bc63d23da8e355065d8169_JaffaCakes118

  • Size

    12.5MB

  • Sample

    241031-jvzv4sthrc

  • MD5

    82645945c9bc63d23da8e355065d8169

  • SHA1

    4a487d6edbb8c9fa70a6296726788ff74e6a675c

  • SHA256

    378013409ea4fc145dcf70286fc119f61608b49411c7339af5755c09ad764217

  • SHA512

    5edd520a4d65a133acec61f4c4e074c999c17eaef31e3aedf32ad2e3d0804f80e4a510af86b28906e565934562329d99172b3a438350342bf57f73813557d866

  • SSDEEP

    98304:AWtAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0:A

Malware Config

Extracted

  • Family

    tofsee

  • C2

    defeatwax.ru

    refabyd.info

Targets

    • Target

      82645945c9bc63d23da8e355065d8169_JaffaCakes118

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks