General

  • Target

    c2496d5d782576cee9b980a4852aa848_JaffaCakes118

  • Size

    13.6MB

  • Sample

    241204-ndabcatnas

  • MD5

    c2496d5d782576cee9b980a4852aa848

  • SHA1

    c2fba555557331a154db390b526b52235aafb12e

  • SHA256

    ca7f8f6861626af97a6f68ca54f5744ba6867cc365f14500191c7e0640806137

  • SHA512

    a5b797846b2f1e36f7652fcb7b8ead141a49fd5407ef7f9978be557d4a64ae0d69386e3ffb0723d1e3a20d5c84568d4cfdef05011ac0f007a46d722cc24373e1

  • SSDEEP

    6144:3ngjLKfnGE+Nj43Gd/50NS0UG4th+d49EOVVVVVVVVVVVVVVVVVVVVVVVVVVVVVn:wiOE+Nj4Q50k0UGIh+dJ

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      c2496d5d782576cee9b980a4852aa848_JaffaCakes118

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks