General

  • Target

    d42410905ebfc55ce307d651eb9aed87_JaffaCakes118

  • Size

    11.2MB

  • Sample

    241207-3fjp5azmas

  • MD5

    d42410905ebfc55ce307d651eb9aed87

  • SHA1

    37595c2197d96f4b0ce890566f40fdea09fcda3c

  • SHA256

    7050047856783f62328b7b24667fae2d7e47a191850621e722f61a594a582504

  • SHA512

    d03075e2a85b1241a369d95b58143702bb88478959a8023aaee90155ab7299d19243e164017a71f2d79a056e429684efb9baaa8c8e6385ba195c888f7d1bdc71

  • SSDEEP

    196608:g5qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqX:g

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      d42410905ebfc55ce307d651eb9aed87_JaffaCakes118

    • Size

      11.2MB

    • MD5

      d42410905ebfc55ce307d651eb9aed87

    • SHA1

      37595c2197d96f4b0ce890566f40fdea09fcda3c

    • SHA256

      7050047856783f62328b7b24667fae2d7e47a191850621e722f61a594a582504

    • SHA512

      d03075e2a85b1241a369d95b58143702bb88478959a8023aaee90155ab7299d19243e164017a71f2d79a056e429684efb9baaa8c8e6385ba195c888f7d1bdc71

    • SSDEEP

      196608:g5qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqX:g

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks