General

  • Target

    c09354355fb07d6facea3c22adda2229_JaffaCakes118

  • Size

    10.5MB

  • Sample

    241204-dwl3rayrey

  • MD5

    c09354355fb07d6facea3c22adda2229

  • SHA1

    73720603323de6932680de01f1ca5f71db192281

  • SHA256

    4a1faed551556efe2e1e3e4f1c333f78adeb905ebffc84e4575da1da95f2a3ad

  • SHA512

    cedcec999ca8c1d81733a5ecf1edeaa68a2a20fe124373a22276beb376148e4fa34be8ea5c52f13ffce0a45f44129a10d271a471084ba2b3f8ebbf422500782e

  • SSDEEP

    6144:mrZQVnJzxj5nP76vk7wQ6udJm1lzvGCUWlnpj:iZ2zxj5nPmRQ6QgjzOCnl

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      c09354355fb07d6facea3c22adda2229_JaffaCakes118

    • Size

      10.5MB

    • MD5

      c09354355fb07d6facea3c22adda2229

    • SHA1

      73720603323de6932680de01f1ca5f71db192281

    • SHA256

      4a1faed551556efe2e1e3e4f1c333f78adeb905ebffc84e4575da1da95f2a3ad

    • SHA512

      cedcec999ca8c1d81733a5ecf1edeaa68a2a20fe124373a22276beb376148e4fa34be8ea5c52f13ffce0a45f44129a10d271a471084ba2b3f8ebbf422500782e

    • SSDEEP

      6144:mrZQVnJzxj5nP76vk7wQ6udJm1lzvGCUWlnpj:iZ2zxj5nPmRQ6QgjzOCnl

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks