tofsee | 60581f93b3f00098492db1674e3862e8d0557bce69797c68cea7cc80bca39101 | Triage

Sharing

General

Target

JaffaCakes118_60581f93b3f00098492db1674e3862e8d0557bce69797c68cea7cc80bca39101
Size

287KB
Sample

241222-dga2ya1jg1
MD5

17bb61202a522c4c39b174e82418be79
SHA1

34b87524492f670c91e7c3a19ae50a13b6a4cf0c
SHA256

60581f93b3f00098492db1674e3862e8d0557bce69797c68cea7cc80bca39101
SHA512

62f299953cd4b369d33b24ac0d2118a2827554e21ce5d8ccccacc5263d8335a52ba17ea1fb1502075932333cf503a10ae0fa611c9b9485d98c81316edfbc2372
SSDEEP

3072:6Vy4W05xioLc9s0g2n9ICegMuBOd9KXaP3E+/ngr9+oKBJUIjgmLDJ1u1uakB9Yj:ifQ9hBO6XaP3/Q9+xzUug8/udG

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_60581f93b3f00098492db1674e3862e8d0557bce69797c68cea7cc80bca39101
- Size
  
  287KB
- MD5
  
  17bb61202a522c4c39b174e82418be79
- SHA1
  
  34b87524492f670c91e7c3a19ae50a13b6a4cf0c
- SHA256
  
  60581f93b3f00098492db1674e3862e8d0557bce69797c68cea7cc80bca39101
- SHA512
  
  62f299953cd4b369d33b24ac0d2118a2827554e21ce5d8ccccacc5263d8335a52ba17ea1fb1502075932333cf503a10ae0fa611c9b9485d98c81316edfbc2372
- SSDEEP
  
  3072:6Vy4W05xioLc9s0g2n9ICegMuBOd9KXaP3E+/ngr9+oKBJUIjgmLDJ1u1uakB9Yj:ifQ9hBO6XaP3/Q9+xzUug8/udG
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan