tofsee | e8775ba19c3e870f2d2b82ded8a857c1e398225c3cb2b3525d20e70441f9db48 | Triage

Sharing

General

Target

JaffaCakes118_e8775ba19c3e870f2d2b82ded8a857c1e398225c3cb2b3525d20e70441f9db48
Size

238KB
Sample

241222-c91bvszqe1
MD5

46b1ff10b780d1ce8d7be7ef3b86acb0
SHA1

e4e1e2e1c964f498f1bb9227ed48a7202e7a45a1
SHA256

e8775ba19c3e870f2d2b82ded8a857c1e398225c3cb2b3525d20e70441f9db48
SHA512

c6b57a4091205920954add28de487ba5e103cfdf688067ecf6431a41ccd1398ec24277e478d4df939b1c2e6a984bba838747a8ab4cd978aaeb8de6a78fe0a256
SSDEEP

3072:R7iI0UsrZRD2ALLqOju9/DyF6IZKVggjcGkNIVqI7sxkgaBChMpZa9uD6Vdyhkq:YHUsrZRDnLXu9GMSy7ITsq7igavwVf

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_e8775ba19c3e870f2d2b82ded8a857c1e398225c3cb2b3525d20e70441f9db48
- Size
  
  238KB
- MD5
  
  46b1ff10b780d1ce8d7be7ef3b86acb0
- SHA1
  
  e4e1e2e1c964f498f1bb9227ed48a7202e7a45a1
- SHA256
  
  e8775ba19c3e870f2d2b82ded8a857c1e398225c3cb2b3525d20e70441f9db48
- SHA512
  
  c6b57a4091205920954add28de487ba5e103cfdf688067ecf6431a41ccd1398ec24277e478d4df939b1c2e6a984bba838747a8ab4cd978aaeb8de6a78fe0a256
- SSDEEP
  
  3072:R7iI0UsrZRD2ALLqOju9/DyF6IZKVggjcGkNIVqI7sxkgaBChMpZa9uD6Vdyhkq:YHUsrZRDnLXu9GMSy7ITsq7igavwVf
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan