General

  • Target

    86c4a6095758513bcb590895ed3ba9e5_JaffaCakes118

  • Size

    11.4MB

  • Sample

    241102-wcqwps1cqb

  • MD5

    86c4a6095758513bcb590895ed3ba9e5

  • SHA1

    395ac4a6632eb2a9a55b9cfdc2e04bde0e87681f

  • SHA256

    4ec0c88acd4c018454f87a96b5ef6310bb2ae875729aca010726d74603142689

  • SHA512

    5a820bbbdfb5fc7663757e95b12b2827cbdad3b7fd355b5cf069fdb399531e9a402b4a696d4a0eec798d604e2f97093b041f4d1d53d894abab037fd2dcaf6be3

  • SSDEEP

    196608:S+8888888888888888888888888888888888888888888888888888888888888r:T888888888888888888888888888888c

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      86c4a6095758513bcb590895ed3ba9e5_JaffaCakes118

    • Size

      11.4MB

    • MD5

      86c4a6095758513bcb590895ed3ba9e5

    • SHA1

      395ac4a6632eb2a9a55b9cfdc2e04bde0e87681f

    • SHA256

      4ec0c88acd4c018454f87a96b5ef6310bb2ae875729aca010726d74603142689

    • SHA512

      5a820bbbdfb5fc7663757e95b12b2827cbdad3b7fd355b5cf069fdb399531e9a402b4a696d4a0eec798d604e2f97093b041f4d1d53d894abab037fd2dcaf6be3

    • SSDEEP

      196608:S+8888888888888888888888888888888888888888888888888888888888888r:T888888888888888888888888888888c

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
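
IOC check (added example, not part of the sandbox report). The script below takes the hashes and the two C2 domains listed above and (a) compares an arbitrary file's MD5/SHA1/SHA256/SHA512 against them, (b) scans DNS log lines for queries to the C2 domains or their subdomains, and (c) parses the SSDEEP signature. The SSDEEP string deserves a caveat: its chunk strings are almost entirely the single character `8`, which means nearly every 196608-byte block of the 11.4MB file hashed to the same value, i.e. the bulk of the sample is uniform filler. A fuzzy-hash match on this signature therefore says little beyond "another file padded the same way", so the cryptographic hashes and the C2 domains are the indicators worth pivoting on. The DNS log lines and the test bytes are constructed for illustration; the regular expression and the log format are assumptions, not something the report describes.

```python
"""Check a file and DNS log lines against the IOCs listed in this Tofsee report.

Added example, not part of the sandbox report. Hashes and C2 domains are copied
from the report; the log lines below are constructed sample input.
"""
import hashlib
import re
from collections import Counter

# Indicators taken verbatim from the report.
KNOWN_HASHES = {
    "md5": "86c4a6095758513bcb590895ed3ba9e5",
    "sha1": "395ac4a6632eb2a9a55b9cfdc2e04bde0e87681f",
    "sha256": "4ec0c88acd4c018454f87a96b5ef6310bb2ae875729aca010726d74603142689",
    "sha512": "5a820bbbdfb5fc7663757e95b12b2827cbdad3b7fd355b5cf069fdb399531e9a"
              "402b4a696d4a0eec798d604e2f97093b041f4d1d53d894abab037fd2dcaf6be3",
}
C2_DOMAINS = {"defeatwax.ru", "refabyd.info"}
SSDEEP = ("196608:S+8888888888888888888888888888888888888888888888888888888888888r"
          ":T888888888888888888888888888888c")

# Constructed DNS log lines (hypothetical format: timestamp client query type).
SAMPLE_DNS_LOG = [
    "2024-11-02T10:01:12Z client=10.0.0.5 query=www.microsoft.com type=A",
    "2024-11-02T10:01:13Z client=10.0.0.5 query=defeatwax.ru type=A",
    "2024-11-02T10:01:14Z client=10.0.0.7 query=mail.refabyd.info type=MX",
    "2024-11-02T10:01:15Z client=10.0.0.9 query=refabyd.info.example.org type=A",
]

# Hostname-ish tokens: labels separated by dots, ending in an alphabetic TLD.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hash_bytes(data: bytes) -> dict:
    """Digest the data with every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}


def matches_known_sample(data: bytes) -> list:
    """Names of the algorithms whose digest of data equals the reported value."""
    digests = hash_bytes(data)
    return sorted(n for n, v in digests.items() if v == KNOWN_HASHES[n])


def parse_ssdeep(sig: str) -> tuple:
    """Split an ssdeep signature into (blocksize, chunk, double_chunk)."""
    block, chunk, double = sig.split(":", 2)
    return int(block), chunk, double


def ssdeep_uniformity(sig: str) -> float:
    """Fraction of the first chunk made of its most common character.

    Values near 1.0 mean almost every block hashed identically, so the file is
    dominated by repeated filler and the fuzzy hash has little discriminating
    power.
    """
    _, chunk, _ = parse_ssdeep(sig)
    top_count = Counter(chunk).most_common(1)[0][1]
    return top_count / len(chunk)


def c2_hits(log_lines) -> list:
    """(line_no, c2_domain) for each query to a C2 domain or one of its subdomains.

    Suffix matching is label-aware: 'refabyd.info.example.org' is not a hit.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower().rstrip(".")
            for c2 in C2_DOMAINS:
                if host == c2 or host.endswith("." + c2):
                    hits.append((n, c2))
    return hits


if __name__ == "__main__":
    print("SSDEEP block size:", parse_ssdeep(SSDEEP)[0])
    print("SSDEEP uniformity: %.3f" % ssdeep_uniformity(SSDEEP))
    print("C2 hits:", c2_hits(SAMPLE_DNS_LOG))
    print("empty file matches report:", matches_known_sample(b""))
```

To check a real file, read it in binary mode and pass the bytes to `matches_known_sample`; a non-empty result means the file is this exact sample. Feed `c2_hits` the lines of a resolver or proxy log that records the queried name in plain text.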
