General

  • Target

    8294dd5787bd67b96be1626a0121cedb_JaffaCakes118

  • Size

    14.7MB

  • Sample

    241031-k6w42atncw

  • MD5

    8294dd5787bd67b96be1626a0121cedb

  • SHA1

    fff7eb9aa0c0607026f63a2e12c4452973084c7a

  • SHA256

    ed7060442c3826f98ea3a5a07d275ebee8e4c9d29ea299d7d689e54fe35f963c

  • SHA512

    0c5365afed982d9de2bf75658d54c7d6a3abd69a0e5c21b67e99c4b1a56e06ba31c2f24b4fc5669557c107858a681fbe13b8fe416e3105de327f71941b09c82d

  • SSDEEP

    393216:Yrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrn:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      8294dd5787bd67b96be1626a0121cedb_JaffaCakes118

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks