tofsee | b2863b08e563d89e40b7181aeb328dac3059e3ad06d0e7320a1645385d967d70 | Triage

Sharing

General

Target

JaffaCakes118_b2863b08e563d89e40b7181aeb328dac3059e3ad06d0e7320a1645385d967d70
Size

283KB
Sample

241222-jzpkya1jcq
MD5

cd9370a7d3a7a375303c7be483e3c373
SHA1

744b3550d465e0f03c8f3453124e3d6f60a220dc
SHA256

b2863b08e563d89e40b7181aeb328dac3059e3ad06d0e7320a1645385d967d70
SHA512

efcbb8c3432af8b06843c6bd5fa00eebd855a00ac9a47ed317a90c5e0f431e2eebff13a23d7d637562e14500470683633c98ac44edc072db16f082a74dcb8936
SSDEEP

3072:l2JH08WiAMFofigU4a3Wb1D1lCHX7k409ZOycCnAZTioXDQWt7kUxoj1:l250kFoq4Fb1ZlgLklI9HFkU

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  JaffaCakes118_b2863b08e563d89e40b7181aeb328dac3059e3ad06d0e7320a1645385d967d70
- Size
  
  283KB
- MD5
  
  cd9370a7d3a7a375303c7be483e3c373
- SHA1
  
  744b3550d465e0f03c8f3453124e3d6f60a220dc
- SHA256
  
  b2863b08e563d89e40b7181aeb328dac3059e3ad06d0e7320a1645385d967d70
- SHA512
  
  efcbb8c3432af8b06843c6bd5fa00eebd855a00ac9a47ed317a90c5e0f431e2eebff13a23d7d637562e14500470683633c98ac44edc072db16f082a74dcb8936
- SSDEEP
  
  3072:l2JH08WiAMFofigU4a3Wb1D1lCHX7k409ZOycCnAZTioXDQWt7kUxoj1:l250kFoq4Fb1ZlgLklI9HFkU
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan