General
- Target: f37390a26f9c15b9b1272b6cdd3ee383_JaffaCakes118
- Size: 14.6MB
- Sample: 241215-lxswpazrfz
- MD5: f37390a26f9c15b9b1272b6cdd3ee383
- SHA1: 7b01075a1374f02fddbe51d2fee3525d11fc382b
- SHA256: 1a2930f4c27f868ebeaf35539931c849b83172e8c8d932fdb78c7117e87e7ed8
- SHA512: d34b05867a9c582758ae7423a0a8e0c613ec2628002acd669409ff692d21b4e905ef350706ef6cc58c6db59045bcb27c0ba1e098a89a7a970a3c82ec26a74912
- SSDEEP: 24576:ZMV9biUnMNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN3:+Fn
- Static task: static1
- Behavioral task: behavioral1 (Sample: f37390a26f9c15b9b1272b6cdd3ee383_JaffaCakes118.exe; Resource: win7-20241010-en)
- Behavioral task: behavioral2 (Sample: f37390a26f9c15b9b1272b6cdd3ee383_JaffaCakes118.exe; Resource: win10v2004-20241007-en)
Malware Config
Extracted
- tofsee
- defeatwax.ru
- refabyd.info
Targets
- Target: f37390a26f9c15b9b1272b6cdd3ee383_JaffaCakes118
- Tofsee family
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)