General

  • Target

    cb2054f02e24360d28f3f4ef40dbfd58_JaffaCakes118

  • Size

    10.1MB

  • Sample

    241206-ffsxga1mav

  • MD5

    cb2054f02e24360d28f3f4ef40dbfd58

  • SHA1

    4843dc886cf394697eeb6e8ed842f1fe05d66576

  • SHA256

    55a9f1cbe6fddf300a447d937630db33f557bfa3c3f7eb9209e3416775029666

  • SHA512

    d83df9267a18e5a7012dbb24796f6646951c30d3655ab938917f33a668d7e6ec4a1cab09339b07d717bdffa0ed845d574582342d542890b684d72affc6157b3e

  • SSDEEP

    24576:ZMLXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX3:ZM

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      cb2054f02e24360d28f3f4ef40dbfd58_JaffaCakes118

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15