tofsee | 9c4dd198c1fcf7dac80b64a82f4c5b72f83441847ee772de5016d634154b4212 | Triage

Sharing

General

Target

JaffaCakes118_9c4dd198c1fcf7dac80b64a82f4c5b72f83441847ee772de5016d634154b4212
Size

316KB
Sample

241222-qgk85azmer
MD5

87a58dc8ac5becd9f987e106a98965df
SHA1

d8f43dc14b3947098acec7a6252dc559324acf00
SHA256

9c4dd198c1fcf7dac80b64a82f4c5b72f83441847ee772de5016d634154b4212
SHA512

2b024787793cd31a8b0cf8bdd83c3b3bc7534f6bb0cbb110d9a2b2253dfc14de45b5a7cb051d4befea4daf0e83e6f267828c48a54c66b411468b4518d1bc445a
SSDEEP

6144:gVhnD8gVlE30L2ybuj67CZ0jGv2Dq31jsoQK7k:0E30L2ybuj67CZ0jGv2Ijs1K4

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_9c4dd198c1fcf7dac80b64a82f4c5b72f83441847ee772de5016d634154b4212
- Size
  
  316KB
- MD5
  
  87a58dc8ac5becd9f987e106a98965df
- SHA1
  
  d8f43dc14b3947098acec7a6252dc559324acf00
- SHA256
  
  9c4dd198c1fcf7dac80b64a82f4c5b72f83441847ee772de5016d634154b4212
- SHA512
  
  2b024787793cd31a8b0cf8bdd83c3b3bc7534f6bb0cbb110d9a2b2253dfc14de45b5a7cb051d4befea4daf0e83e6f267828c48a54c66b411468b4518d1bc445a
- SSDEEP
  
  6144:gVhnD8gVlE30L2ybuj67CZ0jGv2Dq31jsoQK7k:0E30L2ybuj67CZ0jGv2Ijs1K4
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan