General

  • Target

    b5499023bec1ab1093f9a5ebc8b494dc_JaffaCakes118

  • Size

    10.1MB

  • Sample

    241201-1kwjdasrds

  • MD5

    b5499023bec1ab1093f9a5ebc8b494dc

  • SHA1

    0fdef03dbf650bdb19080042bc0704c92e315a49

  • SHA256

    1aee6a5bcf5228486fc5cb5e14a547ba8874a409a930a407c366c6794a586d7a

  • SHA512

    4d8cf6ff7ee9b1650491671c73a7e0b2732c85265495f8a722421a011b48228d95fc8055e97e2c8c9fac082cd475a955894cfc265aed0d86fd85aa3cc8c1984f

  • SSDEEP

    98304:YYTPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPv:Y

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      b5499023bec1ab1093f9a5ebc8b494dc_JaffaCakes118

    • Size

      10.1MB

    • MD5

      b5499023bec1ab1093f9a5ebc8b494dc

    • SHA1

      0fdef03dbf650bdb19080042bc0704c92e315a49

    • SHA256

      1aee6a5bcf5228486fc5cb5e14a547ba8874a409a930a407c366c6794a586d7a

    • SHA512

      4d8cf6ff7ee9b1650491671c73a7e0b2732c85265495f8a722421a011b48228d95fc8055e97e2c8c9fac082cd475a955894cfc265aed0d86fd85aa3cc8c1984f

    • SSDEEP

      98304:YYTPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPv:Y

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks