General

  • Target

    c296f02e4d3f5773f967172f8b0b352f_JaffaCakes118

  • Size

    12.8MB

  • Sample

    241204-p1yg5a1lbk

  • MD5

    c296f02e4d3f5773f967172f8b0b352f

  • SHA1

    a5ac3f8756b8ff7bf2a83eb0f452e86af572e776

  • SHA256

    fcb55991155828d579dcde0f155c8c295a1f1afcf5d497145535ac3dd13d40b8

  • SHA512

    15ab64be39838dfdda5d805ca998064a42189ab453c5152c5a1b49154042ee2fc93c05096d43d19cc684292e396c42878d0fd6de3c17a321d7ea3686addf7618

  • SSDEEP

    49152:KFUk///////////////////////////////////////////////////////////v:KF

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15