General

  • Target

    c659128a51feccbe01152e15254d507e_JaffaCakes118

  • Size

    15.0MB

  • Sample

    241205-g77qdaylhn

  • MD5

    c659128a51feccbe01152e15254d507e

  • SHA1

    917d99d4552a05870e9358e0de7053b3ba3e9482

  • SHA256

    acf8b2bcf6af380afd0b9f930bd707b342fde61b5fea32f79e4966a800fd7f50

  • SHA512

    172a9dacb46175d56a6d480329246d8e16fd742f83efff9b5927894b2a0bc34b800dc70392ddca906e3eca184669f4874a7f9bd854871e870e50315869b15257

  • SSDEEP

    1536:oijD738OroNKoBBDGqprbJD9RU/VHmubHMFaGkrESk8T9jKGtdvdmG:oij33broxDLVk/Nm7rSXBKGT

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru
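The extracted config gives three kinds of indicator that can be checked on the wire and on disk: the file hashes above, the C2 IP and the C2 domain. The script below is an added example (not part of the sandbox report and not Tofsee's own code) that compares a local file's digests with the report and runs the two network indicators over a constructed set of DNS/proxy log lines in a made-up generic format; the log lines, client addresses and timestamps are all constructed for the example. The matching deliberately catches subdomains of lazystax.ru but not look-alikes such as lazystax.ru.example.net, and does not let 43.231.4.7 match inside a longer address.

```python
"""IOC matching for the extracted Tofsee config above (added example, stdlib only)."""
from __future__ import annotations

import hashlib
import re

# Hashes and C2 indicators copied from the report above.
REPORT_HASHES = {
    "md5": "c659128a51feccbe01152e15254d507e",
    "sha1": "917d99d4552a05870e9358e0de7053b3ba3e9482",
    "sha256": "acf8b2bcf6af380afd0b9f930bd707b342fde61b5fea32f79e4966a800fd7f50",
}
C2_IPS = {"43.231.4.7"}
C2_DOMAINS = {"lazystax.ru"}

# Constructed log lines (not from the report) in an assumed dns/proxy key=value format.
SAMPLE_LOGS = [
    "2024-12-05T07:41:02Z dns client=10.0.0.15 query=lazystax.ru type=A answer=43.231.4.7",
    "2024-12-05T07:41:03Z proxy client=10.0.0.15 dst=43.231.4.7:443 action=allow",
    "2024-12-05T07:41:05Z dns client=10.0.0.22 query=update.lazystax.ru type=A",
    "2024-12-05T07:42:10Z proxy client=10.0.0.22 dst=143.231.4.70:80 action=allow",
    "2024-12-05T07:43:00Z dns client=10.0.0.9 query=lazystax.ru.example.net type=A",
]


def hash_bytes(data: bytes) -> dict[str, str]:
    """Compute the digests the report lists so a local file can be compared with it."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


def matches_report(hashes: dict[str, str]) -> bool:
    """True if any digest equals the corresponding value from the report (case-insensitive)."""
    return any(hashes.get(algo, "").lower() == digest for algo, digest in REPORT_HASHES.items())


def _ip_pattern(ip: str) -> re.Pattern[str]:
    # Lookarounds stop 43.231.4.7 from matching inside e.g. 143.231.4.70.
    return re.compile(rf"(?<![\d.]){re.escape(ip)}(?![\d.])")


def _domain_pattern(domain: str) -> re.Pattern[str]:
    # Match the domain and its subdomains, but not a look-alike such as lazystax.ru.example.net.
    return re.compile(rf"(?<![\w.-])(?:[\w-]+\.)*{re.escape(domain)}(?![\w-])(?!\.[\w-])", re.I)


PATTERNS = [(ioc, _ip_pattern(ioc)) for ioc in sorted(C2_IPS)] + [
    (ioc, _domain_pattern(ioc)) for ioc in sorted(C2_DOMAINS)
]


def scan_log_line(line: str) -> list[str]:
    """Indicators (IPs first, then domains) that occur in one log line."""
    return [ioc for ioc, pat in PATTERNS if pat.search(line)]


def scan_logs(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, matched indicators) for every line that hits."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan_log_line(line))]


if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(hits)}")
```

Hash matches only ever identify this exact 15.0MB file; the fuzzy SSDEEP value in the report is the indicator to use for near-duplicates, and the IP may be shared hosting that churns, so the domain is usually the longer-lived of the two network indicators.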

Targets

    • Target

      c659128a51feccbe01152e15254d507e_JaffaCakes118

    • Size

      15.0MB

    • MD5

      c659128a51feccbe01152e15254d507e

    • SHA1

      917d99d4552a05870e9358e0de7053b3ba3e9482

    • SHA256

      acf8b2bcf6af380afd0b9f930bd707b342fde61b5fea32f79e4966a800fd7f50

    • SHA512

      172a9dacb46175d56a6d480329246d8e16fd742f83efff9b5927894b2a0bc34b800dc70392ddca906e3eca184669f4874a7f9bd854871e870e50315869b15257

    • SSDEEP

      1536:oijD738OroNKoBBDGqprbJD9RU/VHmubHMFaGkrESk8T9jKGtdvdmG:oij33broxDLVk/Nm7rSXBKGT

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
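Two of the signatures above, "Creates new service(s)" and "Sets service image path in registry", describe persistence through a Windows service whose ImagePath is written under HKLM\SYSTEM\CurrentControlSet\Services. A quick host-side triage is to list every service's ImagePath and flag binaries that live outside the usual system and program directories. The script below is an added example, not part of the report and not derived from the sample's actual service name or path (the report does not give them); it assumes the output shape of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath` and parses a constructed excerpt in which the services svcupdater and wupdate, their paths, and the VendorAgent entry are invented for illustration.

```python
"""Flag services whose binary lives outside trusted directories (added example, stdlib only)."""
from __future__ import annotations

import re

# Assumed: output shape of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath`
# (a key line, then an indented "ImagePath    REG_EXPAND_SZ    <value>" line).
# The entries below are constructed for this example; they are not from the report.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch
    ImagePath    REG_EXPAND_SZ    "C:\Windows\system32\SearchIndexer.exe" /Embedding

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VendorAgent
    ImagePath    REG_EXPAND_SZ    "C:\Program Files (x86)\Vendor\agent.exe" --service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcupdater
    ImagePath    REG_EXPAND_SZ    C:\Users\Public\Documents\svchost.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wupdate
    ImagePath    REG_EXPAND_SZ    "C:\Windows\Temp\wupdate.exe" -k
"""

# Minimal environment-variable expansion for REG_EXPAND_SZ values (assumed default install paths).
ENV = {"systemroot": r"C:\Windows", "windir": r"C:\Windows", "programfiles": r"C:\Program Files"}

# Directories a service binary is normally expected to live in (compared case-insensitively).
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\program files (x86)")


def expand_env(value: str) -> str:
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), value)


def image_path_executable(value: str) -> str:
    """Extract the executable from an ImagePath value, quoted or not, dropping arguments."""
    value = expand_env(value.strip())
    if value.startswith('"'):
        return value[1 : value.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?=\s|$)", value, re.I)
    return m.group(1) if m else value.split()[0]


def parse_image_paths(text: str) -> dict[str, str]:
    """Map service name -> raw ImagePath value from reg query output."""
    services: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.rstrip("\\").rsplit("\\", 1)[-1]
        elif current and line.strip().startswith("ImagePath"):
            fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(fields) == 3:
                services[current] = fields[2]
    return services


def is_trusted(exe: str) -> bool:
    p = exe.lower().replace("/", "\\")
    return any(p == root or p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def find_untrusted_services(text: str) -> list[tuple[str, str]]:
    """(service name, executable) for every service whose binary is outside TRUSTED_ROOTS."""
    return [
        (svc, exe)
        for svc, value in parse_image_paths(text).items()
        if not is_trusted(exe := image_path_executable(value))
    ]


if __name__ == "__main__":
    for svc, exe in find_untrusted_services(REG_QUERY_OUTPUT):
        print(f"{svc}: {exe}")
```

A trusted directory does not clear a service on its own: svchost-hosted services need their ServiceDll checked as well, and code running as administrator can drop its binary into System32. Treat the output as a triage filter, and pair it with the "Modifies Windows Firewall" and "Deletes itself" signatures above, which point at firewall rule changes and a missing original dropper as corroborating evidence.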

MITRE ATT&CK Enterprise v15

Tasks