General

  • Target

    c3d9fe2d943feda5de737a9048437366_JaffaCakes118

  • Size

    14.2MB

  • Sample

    241204-w7jqwa1jbq

  • MD5

    c3d9fe2d943feda5de737a9048437366

  • SHA1

    6b520caa5749359728296add5bcbe968fe4def0f

  • SHA256

    1344f45dbbb1a9bd9854fa07e0db70efaa8ebfa6359c645d4d4739a3c06cbda6

  • SHA512

    66b7e5418e7ba66e5b0b2348fd1046d97cd99bc6857b2d4521081f4a6e4ac6f10c735b29375e4215ed75f86abfdbf4242796cde629d59017fb60ef33f67fb86d

  • SSDEEP

    24576:Kkp7SCOI1SDGI1SDGI1SDGI1SDGI1SDGI1SDGI1SDGI1SDGI1SDGI1SDGI1SDGI+:KG

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      c3d9fe2d943feda5de737a9048437366_JaffaCakes118


    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check that decides whether the bot runs on this host.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
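The signatures above describe what the sandbox saw the sample do; on a monitored host most of them surface as Sysmon events. The following is an added example by the editor, not part of this report or of any Triage tooling: detection logic for the service installation, firewall change, dropped-EXE execution, C2 resolution and self-deletion behaviours, run over a constructed set of Sysmon-style events. Only the two C2 domains come from the report's Malware Config section; the dropper path, service name, dropped binary name and the mapping of each behaviour to a Sysmon event ID are assumptions made for the example.

```python
"""Detect the Tofsee behaviours this report lists, over Sysmon-style events.

Added example, not part of the sandbox report. Every event below is constructed
(paths, service name, command lines); only TOFSEE_C2 comes from the report.
The behaviour-to-event mapping (11 = FileCreate, 13 = registry value set,
22 = DNS query, 1 = process create) is an assumption about how each signature
would show up on a Sysmon-monitored host, not something the report states.
"""
import re

# C2 domains extracted by the sandbox (report, Malware Config section).
TOFSEE_C2 = {"defeatwax.ru", "refabyd.info"}

DROPPER = r"C:\Users\victim\AppData\Local\Temp\c3d9fe2d.exe"  # constructed
DROPPED = r"C:\Windows\zqtvhm\kxjcnr.exe"                       # constructed

# Constructed events, in the order a run of the sample would plausibly emit them.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPER, "CommandLine": DROPPER,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # FileCreate: dropper writes the binary it will register as a service.
    {"EventID": 11, "Image": DROPPER, "TargetFilename": DROPPED},
    # RegistryEvent (value set): service image path points at the dropped file.
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\zqtvhm\ImagePath",
     "Details": DROPPED},
    # Firewall opened for the dropped binary through netsh.
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="zqtvhm" dir=in '
                    'action=allow program="' + DROPPED + '" enable=yes',
     "ParentImage": DROPPER},
    # Service Control Manager starts the dropped binary.
    {"EventID": 1, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # DNSEvent: the service resolves one of the extracted C2 domains.
    {"EventID": 22, "Image": DROPPED, "QueryName": "refabyd.info"},
    # Benign lookup that must not alert.
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org"},
    # The service removes the original dropper.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c del "' + DROPPER + '"', "ParentImage": DROPPED},
]

SERVICE_IMAGEPATH = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
NETSH_FIREWALL = re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b", re.I)
DEL_CMD = re.compile(r"\bdel\b", re.I)


def detect(events):
    """Return (signature, detail) pairs for each behaviour matched in events.

    Events are processed in order so that a file written earlier (Event 11)
    can be matched against a later process start (Event 1) of the same path,
    and so that a 'del' of a path that was previously seen running is flagged
    as self-deletion rather than as an ordinary file removal.
    """
    hits = []
    dropped = set()       # files written by any process in the stream
    seen_images = set()   # executables that have run so far
    for ev in events:
        eid = ev["EventID"]
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        if eid == 11:
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 13 and SERVICE_IMAGEPATH.search(ev.get("TargetObject", "")):
            hits.append(("Sets service image path in registry",
                         f'{ev["TargetObject"]} = {ev.get("Details", "")}'))
        elif eid == 22 and ev.get("QueryName", "").lower() in TOFSEE_C2:
            hits.append(("Tofsee C2 DNS query", f'{image} -> {ev["QueryName"]}'))
        elif eid == 1:
            if NETSH_FIREWALL.search(cmd):
                hits.append(("Modifies Windows Firewall", cmd))
            if image.lower() in dropped:
                hits.append(("Executes dropped EXE", image))
            if DEL_CMD.search(cmd) and any(p in cmd.lower() for p in seen_images):
                hits.append(("Deletes itself", cmd))
            seen_images.add(image.lower())
    return hits


if __name__ == "__main__":
    for sig, detail in detect(SAMPLE_EVENTS):
        print(f"[{sig}] {detail}")
```

Two of the report's signatures deliberately have no rule here: "Checks computer location settings" is a registry read and "Suspicious use of SetThreadContext" is a thread-context change, and Sysmon logs neither, so those need sandbox or EDR telemetry rather than event-log matching. The C2 rule matches exact domain names; hosts of a Tofsee infection typically resolve the C2 from the service binary, so the Image field in the DNS event is worth keeping in the alert for triage.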

MITRE ATT&CK Enterprise v15

Tasks