General

  • Target

    bc1883b07b47423bd30645e54db4775c_JaffaCakes118

  • Size

    78KB

  • Sample

    241203-g8r2batlcv

  • MD5

    bc1883b07b47423bd30645e54db4775c

  • SHA1

    2b96b8027083c5c44189ac03bafcc71df82a8ee1

  • SHA256

    48c2b90f3474f4d286de08c54b114428b3d73497c0878b9a6185be07489d45d8

  • SHA512

    6185931b4a06cd38dfaaecd4a60160bf7b07fa9bec3a1a2da0a1bbcda5ad7cf7f78b1a55810e065a1c6f29c7b5bbd64d584172e3d7386f6195ba1c8b4b28a85e

  • SSDEEP

    1536:Kgzoa0BgdObHOjEb+96omECPxuXfDZEEkU3rHt81Hqf:Lzoa0yQnOhmEHCEkgry1H

Malware Config

Extracted

  • Family

    tofsee

  • C2

    185.4.227.76
    188.165.132.183
    rgtryhbgddtyh.biz
    wertdghbyrukl.ch

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks