General

  • Target

    f1bcb7d5244183f7769af344a006781e_JaffaCakes118

  • Size

    13.1MB

  • Sample

    241215-b9lb9ssmep

  • MD5

    f1bcb7d5244183f7769af344a006781e

  • SHA1

    9a4fb8b9d36d1093b907bd00beb2244d13383300

  • SHA256

    a76d1b8d639dd74017ff5501f34a3cb2b59a0730b87a3663c82137a523ef23e3

  • SHA512

    8976637ed27c92e7f1a036e33885091a075727d1b56b4ecccddb9b02121d54e539888ebe7ef09dca410691fa41311fdfe73cb69a96c8134e70130e69d77b54f5

  • SSDEEP

    49152:T1yvllllllllllllllllllllllllllllllllllllllllllllllllllllllllllln:TA

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      f1bcb7d5244183f7769af344a006781e_JaffaCakes118

    • Size

      13.1MB

    • MD5

      f1bcb7d5244183f7769af344a006781e

    • SHA1

      9a4fb8b9d36d1093b907bd00beb2244d13383300

    • SHA256

      a76d1b8d639dd74017ff5501f34a3cb2b59a0730b87a3663c82137a523ef23e3

    • SHA512

      8976637ed27c92e7f1a036e33885091a075727d1b56b4ecccddb9b02121d54e539888ebe7ef09dca410691fa41311fdfe73cb69a96c8134e70130e69d77b54f5

    • SSDEEP

      49152:T1yvllllllllllllllllllllllllllllllllllllllllllllllllllllllllllln:TA

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks