General

  • Target: c7e3c29a30cffbdc9a1c8b20f8d49ba0_JaffaCakes118
  • Size: 13.4MB
  • Sample: 241205-qk3ycaslcm
  • MD5: c7e3c29a30cffbdc9a1c8b20f8d49ba0
  • SHA1: 196e02f66bd9281f79e364bd553926dff2a36559
  • SHA256: 53334a426525497e8cb6ffff44e8b29cbfda8b1e6bfa3041604b272211b2f6e5
  • SHA512: 5483e6be0c230aea680abfbeb2751e529fb77f82e7507ab9e8c56a13ce859df18f7f2b2686a3314728fb5eb6b2e9f81306b4fb8cce4bf4f4d12c27baed0024d3
  • SSDEEP: 24576:sE2llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllB:sE

Malware Config

Extracted

Family: tofsee

C2: defeatwax.ru, refabyd.info

Targets

    • Tofsee
      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Tofsee family
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks