General
-
Target
ab5a722cf23e04a0b52b8c5ade4f0b59_JaffaCakes118
-
Size
13.6MB
-
Sample
241128-hg2xwaypc1
-
MD5
ab5a722cf23e04a0b52b8c5ade4f0b59
-
SHA1
bb0d8e54b0ce1da9fd8a5a3ed672e1c9c6482679
-
SHA256
a26f7652947374e349cb26848289669160c25d05ae4aa32f7246d06602f5b01f
-
SHA512
8bbc4d4a05167247dced49de5a8ca4eecd7e579e9812dfa3245d38916e1fcdf28b4cd6fe7cffa7dc8975222424f342cc37924d822fc6a699a8f8b8d40fb3740f
-
SSDEEP
3072:mQA1TtRdQBPuEcbBNu28bMEqfCxn2kuIPe7epgDnESZ25jnE26nnipm0ul4p7fLu:mQA1BRCu93f8bMEoFkYUlUUsap8foX
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
ab5a722cf23e04a0b52b8c5ade4f0b59_JaffaCakes118
-
Size
13.6MB
-
MD5
ab5a722cf23e04a0b52b8c5ade4f0b59
-
SHA1
bb0d8e54b0ce1da9fd8a5a3ed672e1c9c6482679
-
SHA256
a26f7652947374e349cb26848289669160c25d05ae4aa32f7246d06602f5b01f
-
SHA512
8bbc4d4a05167247dced49de5a8ca4eecd7e579e9812dfa3245d38916e1fcdf28b4cd6fe7cffa7dc8975222424f342cc37924d822fc6a699a8f8b8d40fb3740f
-
SSDEEP
3072:mQA1TtRdQBPuEcbBNu28bMEqfCxn2kuIPe7epgDnESZ25jnE26nnipm0ul4p7fLu:mQA1BRCu93f8bMEoFkYUlUUsap8foX
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2