General

  • Target

    b08871025feb002765a540f39b640fee_JaffaCakes118

  • Size

    11.8MB

  • Sample

    241129-l6eenazkex

  • MD5

    b08871025feb002765a540f39b640fee

  • SHA1

    5d4c8973edab4863d5b70f9e01ac49099997476b

  • SHA256

    0fd540d43aaddcc641ea611c1622ea479425fbdaf9e37c7d2bd50a2e4379ed0d

  • SHA512

    d2293d5964b8181c03b107692ddb51b197ab74aeb84fe0f8fc299db7a1aa99193f920ec997108ccc6dfe05e725fd6dfc864d344b716cdc10a64da72410507629

  • SSDEEP

    49152:rGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGe:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      b08871025feb002765a540f39b640fee_JaffaCakes118

    • Size

      11.8MB

    • MD5

      b08871025feb002765a540f39b640fee

    • SHA1

      5d4c8973edab4863d5b70f9e01ac49099997476b

    • SHA256

      0fd540d43aaddcc641ea611c1622ea479425fbdaf9e37c7d2bd50a2e4379ed0d

    • SHA512

      d2293d5964b8181c03b107692ddb51b197ab74aeb84fe0f8fc299db7a1aa99193f920ec997108ccc6dfe05e725fd6dfc864d344b716cdc10a64da72410507629

    • SSDEEP

      49152:rGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGe:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks