General

  • Target

    88cc20a3d0f8245e86acacc144354ec3_JaffaCakes118

  • Size

    13.5MB

  • Sample

    241103-a75sfszfmd

  • MD5

    88cc20a3d0f8245e86acacc144354ec3

  • SHA1

    fa61201bf5ccc7b953f6800b5d124454c18c2a63

  • SHA256

    aff201b2d0bae43cb9142bb08c4310cdf6c05e2cbc90476ad2f3975bd4614aea

  • SHA512

    1cf2ca43855f4e87a27d276840e6699e288d231c89ae59c07708486e63bddf6a90726b3a032e2ab1fe58316072158292344a1ef94d8f1e2d25dae6286fc9ea11

  • SSDEEP

    49152:vGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGH:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      88cc20a3d0f8245e86acacc144354ec3_JaffaCakes118

    • Size

      13.5MB

    • MD5

      88cc20a3d0f8245e86acacc144354ec3

    • SHA1

      fa61201bf5ccc7b953f6800b5d124454c18c2a63

    • SHA256

      aff201b2d0bae43cb9142bb08c4310cdf6c05e2cbc90476ad2f3975bd4614aea

    • SHA512

      1cf2ca43855f4e87a27d276840e6699e288d231c89ae59c07708486e63bddf6a90726b3a032e2ab1fe58316072158292344a1ef94d8f1e2d25dae6286fc9ea11

    • SSDEEP

      49152:vGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGH:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks