tofsee | 5a1adef0a5770af6ba4fb757169cf8e7a59aa2cf09ce7d7087d4217a8bd6ff80 | Triage

Sharing

General

Target

JaffaCakes118_5a1adef0a5770af6ba4fb757169cf8e7a59aa2cf09ce7d7087d4217a8bd6ff80
Size

241KB
Sample

241221-22laeasrdx
MD5

9871085176380a51abb1b692934b263b
SHA1

c1f705ade7c401e98f0507e3c0ac866a8a3671f4
SHA256

5a1adef0a5770af6ba4fb757169cf8e7a59aa2cf09ce7d7087d4217a8bd6ff80
SHA512

c1d3e409c698d942a7a8f4a33e97826e5d5b0d61dfd2522cf271d5a96609e3660672806941db4052a8d72f385a3590fa9a20d987f0e1f9a46579f8c1e31e94d6
SSDEEP

6144:LLHu86jUJP6vgau9NQRFbG6w8uzbgwu6QigabwVf:m86jW6vKNQRFS6bunn5

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_5a1adef0a5770af6ba4fb757169cf8e7a59aa2cf09ce7d7087d4217a8bd6ff80
- Size
  
  241KB
- MD5
  
  9871085176380a51abb1b692934b263b
- SHA1
  
  c1f705ade7c401e98f0507e3c0ac866a8a3671f4
- SHA256
  
  5a1adef0a5770af6ba4fb757169cf8e7a59aa2cf09ce7d7087d4217a8bd6ff80
- SHA512
  
  c1d3e409c698d942a7a8f4a33e97826e5d5b0d61dfd2522cf271d5a96609e3660672806941db4052a8d72f385a3590fa9a20d987f0e1f9a46579f8c1e31e94d6
- SSDEEP
  
  6144:LLHu86jUJP6vgau9NQRFbG6w8uzbgwu6QigabwVf:m86jW6vKNQRFS6bunn5
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan