General
-
Target
9d352b6068831670fae5abf011f496ed_JaffaCakes118
-
Size
11.2MB
-
Sample
241125-w6m2xawrdk
-
MD5
9d352b6068831670fae5abf011f496ed
-
SHA1
e5c0461326655b1c828ce17d694dc21fc23fdc3c
-
SHA256
63cdf16cd0b3d4c7b4b95be5afaa22532bc162806cc222f7e928d3a614d14c76
-
SHA512
b886596e31eb5549658a239d3370caa8acacfbf1bf57815853c1fbab513f80de8dd75bcf2b1f189e5697ccbd36fa8d9f7d925c13c91af4c7f576edb930c0c2a4
-
SSDEEP
98304:nn77777777777777777777777777777777777777777777777777777777777777:n
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
9d352b6068831670fae5abf011f496ed_JaffaCakes118
-
Size
11.2MB
-
MD5
9d352b6068831670fae5abf011f496ed
-
SHA1
e5c0461326655b1c828ce17d694dc21fc23fdc3c
-
SHA256
63cdf16cd0b3d4c7b4b95be5afaa22532bc162806cc222f7e928d3a614d14c76
-
SHA512
b886596e31eb5549658a239d3370caa8acacfbf1bf57815853c1fbab513f80de8dd75bcf2b1f189e5697ccbd36fa8d9f7d925c13c91af4c7f576edb930c0c2a4
-
SSDEEP
98304:nn77777777777777777777777777777777777777777777777777777777777777:n
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2