General

  • Target: JaffaCakes118_70c4dc37a874574a2492bb6748f1a59ebc65f552cd5897376f590b97a39bfacb
  • Size: 238KB
  • Sample: 241221-3ypdbsvmhn
  • MD5: 6a63a27463acb89e07b8cbf0f0433edc
  • SHA1: bc1a529aed74b225ce5e349049f33fbaa6bbe979
  • SHA256: 70c4dc37a874574a2492bb6748f1a59ebc65f552cd5897376f590b97a39bfacb
  • SHA512: 9e67ac8156b5e5db743db2261c2b3f420c5b35ccee2685c96cb7d3c8ba626087d8d27e3afa7a80f4ae64dc3cc45057f6c11f740611e70a46131d295f2157a5d6
  • SSDEEP: 6144:mnuB6Towa8CWks6thYv7ITsq7igavwVf:muITowOs+hYv79

Malware Config

Extracted

  • Family: tofsee
  • C2:
    quadoil.ru
    lakeflex.ru

Targets

    • Target: JaffaCakes118_70c4dc37a874574a2492bb6748f1a59ebc65f552cd5897376f590b97a39bfacb
    • Size: 238KB
    • MD5: 6a63a27463acb89e07b8cbf0f0433edc
    • SHA1: bc1a529aed74b225ce5e349049f33fbaa6bbe979
    • SHA256: 70c4dc37a874574a2492bb6748f1a59ebc65f552cd5897376f590b97a39bfacb
    • SHA512: 9e67ac8156b5e5db743db2261c2b3f420c5b35ccee2685c96cb7d3c8ba626087d8d27e3afa7a80f4ae64dc3cc45057f6c11f740611e70a46131d295f2157a5d6
    • SSDEEP: 6144:mnuB6Towa8CWks6thYv7ITsq7igavwVf:muITowOs+hYv79

    Signatures

    • Tofsee: backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Tofsee family
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks