General

  • Target

    bea00b0379c20b4acb5b72ddc0be12e1_JaffaCakes118

  • Size

    10.7MB

  • Sample

    241203-wxswssxlft

  • MD5

    bea00b0379c20b4acb5b72ddc0be12e1

  • SHA1

    046dd1c76a1fcecba03ab6af167c2aa1bec79c9d

  • SHA256

    d56b0df7f0c477e3c35c615cc0a4a1d43d3869ce43b48bcf79a9a415aedbc60a

  • SHA512

    073cef7a55c8c8b87cd97bd598a273bc1d5541bc34806898569efbc5c77975bc19699aa4d0375fca40313e4b777cd1ccc0c8c3de0c414676ef15b8ea082e57f9

  • SSDEEP

    6144:RPOE0xjG9DJs6XBy+UP29MX6TERERERERERERERERERERERERERERERERERERERl:k1xS9RdUe9MX6

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      bea00b0379c20b4acb5b72ddc0be12e1_JaffaCakes118

    • Size

      10.7MB

    • MD5

      bea00b0379c20b4acb5b72ddc0be12e1

    • SHA1

      046dd1c76a1fcecba03ab6af167c2aa1bec79c9d

    • SHA256

      d56b0df7f0c477e3c35c615cc0a4a1d43d3869ce43b48bcf79a9a415aedbc60a

    • SHA512

      073cef7a55c8c8b87cd97bd598a273bc1d5541bc34806898569efbc5c77975bc19699aa4d0375fca40313e4b777cd1ccc0c8c3de0c414676ef15b8ea082e57f9

    • SSDEEP

      6144:RPOE0xjG9DJs6XBy+UP29MX6TERERERERERERERERERERERERERERERERERERERl:k1xS9RdUe9MX6

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks