General

  • Target

    c7bfea0e1fa04342d6c32abe84e75acf_JaffaCakes118

  • Size

    10.9MB

  • Sample

    241205-pxqywavmdy

  • MD5

    c7bfea0e1fa04342d6c32abe84e75acf

  • SHA1

    f91b2ede055fa0e3348310ff0794409a3c857819

  • SHA256

    6de6aec6a5c130802bc31f27194e2deeab5e72dce322d925d270359a0a239f8a

  • SHA512

    57c4b451230c5b315ed58ce5467107a2a853985d06e05f63fd2e9e5e78fe20428a184cf637e6871642093ce3d907ae4a44e5d874e78da6c59c2f8e10a491b50d

  • SSDEEP

    196608:IXPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPH:I

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      c7bfea0e1fa04342d6c32abe84e75acf_JaffaCakes118

    • Size

      10.9MB

    • MD5

      c7bfea0e1fa04342d6c32abe84e75acf

    • SHA1

      f91b2ede055fa0e3348310ff0794409a3c857819

    • SHA256

      6de6aec6a5c130802bc31f27194e2deeab5e72dce322d925d270359a0a239f8a

    • SHA512

      57c4b451230c5b315ed58ce5467107a2a853985d06e05f63fd2e9e5e78fe20428a184cf637e6871642093ce3d907ae4a44e5d874e78da6c59c2f8e10a491b50d

    • SSDEEP

      196608:IXPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPH:I

    • Tofsee

      Backdoor/botnet that carries out malicious activities (historically spam sending, proxying and DDoS, delivered as plugin modules) based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence: the sample can refuse to run, or change behaviour, on machines in particular regions, so a sandbox with a default locale may not see the full payload.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is the usual final step of process hollowing/injection: a suspended host process has its thread redirected to injected code, which fits the "Executes dropped EXE" and "Deletes itself" behaviours above.
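The IOCs above (the file hashes, the two C2 domains and the SSDEEP signature) are the parts of this report an analyst actually reuses. The following Python script is an added example, not part of the Triage report or of the Tofsee sample: it matches a file's digests against the listed hashes, hunts the C2 domains (including subdomains, but not look-alikes such as `notdefeatwax.ru`) across DNS log lines, and profiles the SSDEEP signature. The log lines are constructed for the example; the helper names are the example's own. One observation the profile makes explicit: the chunk signature `IXPPP…PH` consists almost entirely of one character, which means nearly every ssdeep chunk of the 10.9MB file hashes to the same value. That is consistent with a small executable padded with large runs of filler bytes, so a fuzzy-hash comparison against this signature will mostly measure the padding, not the code.

```python
"""Triage helper: match files and DNS logs against the IOCs in the report
above and profile its SSDEEP signature. Added example, not Triage code."""
import hashlib
import re
from collections import Counter

# IOCs copied verbatim from the report above.
REPORT_HASHES = {
    "md5": "c7bfea0e1fa04342d6c32abe84e75acf",
    "sha1": "f91b2ede055fa0e3348310ff0794409a3c857819",
    "sha256": "6de6aec6a5c130802bc31f27194e2deeab5e72dce322d925d270359a0a239f8a",
    "sha512": "57c4b451230c5b315ed58ce5467107a2a853985d06e05f63fd2e9e5e78fe20428a184cf637e6871642093ce3d907ae4a44e5d874e78da6c59c2f8e10a491b50d",
}
C2_DOMAINS = ("defeatwax.ru", "refabyd.info")
SSDEEP = "196608:IXPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPH:I"

# Constructed DNS log lines for the example (one Sysmon-style, three BIND-style).
# Line 3 is a look-alike that must NOT match; line 4 has a trailing dot (FQDN form).
SAMPLE_LOG = [
    "2024-12-05T10:01:12Z sysmon DnsQuery QueryName: mail.defeatwax.ru",
    "2024-12-05T10:01:13Z named client 10.0.0.7#5353: query: update.microsoft.com IN A",
    "2024-12-05T10:01:14Z named client 10.0.0.7#5353: query: notdefeatwax.ru IN A",
    "2024-12-05T10:01:15Z named client 10.0.0.7#5353: query: refabyd.info. IN A",
]

# Anything that looks like label.label[.label...]; a trailing dot is left out of the match.
_DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def hash_matches(data: bytes) -> dict:
    """Return {algorithm: bool} telling which of the reported digests `data` matches."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == digest
        for algo, digest in REPORT_HASHES.items()
    }


def is_c2_domain(name: str) -> bool:
    """True for a listed C2 domain or any subdomain of it; false for look-alikes."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def c2_hits(lines) -> list:
    """Return (1-based line number, matched domain) for every C2 lookup in the log."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for dom in _DOMAIN_RE.findall(line):
            if is_c2_domain(dom):
                hits.append((lineno, dom.rstrip(".").lower()))
    return hits


def ssdeep_profile(sig: str) -> dict:
    """Split an ssdeep signature (blocksize:hash1:hash2) and measure how repetitive
    the first chunk signature is; a dominant single character means most chunks of
    the file hash to the same value, i.e. large runs of identical content."""
    block_size, chunk_sig, double_sig = sig.split(":", 2)
    ch, n = Counter(chunk_sig).most_common(1)[0]
    return {
        "block_size": int(block_size),
        "chunks": len(chunk_sig),          # ssdeep caps this at 64 characters
        "dominant_char": ch,
        "dominant_fraction": n / len(chunk_sig),
        "double_block_sig": double_sig,
    }


if __name__ == "__main__":
    print("hash matches for a placeholder buffer:", hash_matches(b"not the sample"))
    print("C2 hits:", c2_hits(SAMPLE_LOG))
    print("ssdeep profile:", ssdeep_profile(SSDEEP))
```

`hash_matches` is meant to be fed the bytes of a file pulled from a host or mail gateway; hashing a placeholder buffer, as the script's `__main__` does, simply returns all-false. Because `is_c2_domain` anchors on a label boundary, `mail.defeatwax.ru` hits while `notdefeatwax.ru` does not, which is the difference between a usable DNS detection and one that pages on coincidental suffix overlap.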

MITRE ATT&CK Enterprise v15

Tasks