General

  • Target

    b598c70600e96cd21f5ee80cac5041b1_JaffaCakes118

  • Size

    14.3MB

  • Sample

    241201-24zktawqbz

  • MD5

    b598c70600e96cd21f5ee80cac5041b1

  • SHA1

    b5054afd240d38b4a452fbc3da6c11c99cb47aac

  • SHA256

    a5c89dbcfcc30b80354c001e087b061544c1e1f64a40e2b02935a4a1e9138252

  • SHA512

    4bf972d79628153e5b4f37d2979caa60cbb4d6093ce9979ccadfc468b466c797dcaa9cff3e2839e48419fe224de14f2c18b88602f3f89d47e5cd68f00edd8db2

  • SSDEEP

    196608:jXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXH:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      b598c70600e96cd21f5ee80cac5041b1_JaffaCakes118

    • Size

      14.3MB

    • MD5

      b598c70600e96cd21f5ee80cac5041b1

    • SHA1

      b5054afd240d38b4a452fbc3da6c11c99cb47aac

    • SHA256

      a5c89dbcfcc30b80354c001e087b061544c1e1f64a40e2b02935a4a1e9138252

    • SHA512

      4bf972d79628153e5b4f37d2979caa60cbb4d6093ce9979ccadfc468b466c797dcaa9cff3e2839e48419fe224de14f2c18b88602f3f89d47e5cd68f00edd8db2

    • SSDEEP

      196608:jXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXH:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks