tofsee | 2f5e67e49830e1dd0ca7de24e7cc02541246a74d7adeab3e5eae0c85c9f17860 | Triage

Sharing

General

Target

eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118
Size

109KB
Sample

241213-ptr2rsymaz
MD5

eb8a612690e24c3f087515f9a46a9fb0
SHA1

21d872dda244b67de9edc4942f7295d69616fa78
SHA256

2f5e67e49830e1dd0ca7de24e7cc02541246a74d7adeab3e5eae0c85c9f17860
SHA512

08d50e17ed8685d27a17161f57a7b6a77df31fd7d63fa09cdeb32a8e581da9df15302477e954024d3a0f67af4ab864bed18d891b65ccdc298233a7f183b27253
SSDEEP

1536:kok+6RyYuguJ+BsxKlb0Tz7OO2GHWy4TmQsd1B8HdezI0mF2jbxWGq6:kojey0uJTxKZUOOhICXU+hS2jbxWGq

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.38.211

188.130.237.71

185.25.48.10

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  eb8a612690e24c3f087515f9a46a9fb0_JaffaCakes118
- Size
  
  109KB
- MD5
  
  eb8a612690e24c3f087515f9a46a9fb0
- SHA1
  
  21d872dda244b67de9edc4942f7295d69616fa78
- SHA256
  
  2f5e67e49830e1dd0ca7de24e7cc02541246a74d7adeab3e5eae0c85c9f17860
- SHA512
  
  08d50e17ed8685d27a17161f57a7b6a77df31fd7d63fa09cdeb32a8e581da9df15302477e954024d3a0f67af4ab864bed18d891b65ccdc298233a7f183b27253
- SSDEEP
  
  1536:kok+6RyYuguJ+BsxKlb0Tz7OO2GHWy4TmQsd1B8HdezI0mF2jbxWGq6:kojey0uJTxKZUOOhICXU+hS2jbxWGq
Score

10^/10

tofsee discovery persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoverypersistencetrojan

behavioral2

tofseediscoverypersistencetrojan