tofsee | c56060ee4c891b8292ee11e09389bb360bd3abc5aabf1177de4d59938e4c8ed2 | Triage

Sharing

General

Target

JaffaCakes118_c56060ee4c891b8292ee11e09389bb360bd3abc5aabf1177de4d59938e4c8ed2
Size

342KB
Sample

241222-yjtx2sxjgx
MD5

d59317b58186bec4fcbb185c627a2146
SHA1

cac51347fb2b77384e971b4027fe9fc242cd26a3
SHA256

c56060ee4c891b8292ee11e09389bb360bd3abc5aabf1177de4d59938e4c8ed2
SHA512

2b15e8ed9e630d5fe3360e7f0c3cb248a66c06a5978f48621034e5544efb729150d78f03141ed47530b353d580190698d6210716d316663e3b1274a5394cf6a6
SSDEEP

6144:pownzj/xv5jECO8eaTd3pkQFoo3JXz7G7vyn7N4Bs:pHnvR3KQFoo3JXz7G784B

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_c56060ee4c891b8292ee11e09389bb360bd3abc5aabf1177de4d59938e4c8ed2
- Size
  
  342KB
- MD5
  
  d59317b58186bec4fcbb185c627a2146
- SHA1
  
  cac51347fb2b77384e971b4027fe9fc242cd26a3
- SHA256
  
  c56060ee4c891b8292ee11e09389bb360bd3abc5aabf1177de4d59938e4c8ed2
- SHA512
  
  2b15e8ed9e630d5fe3360e7f0c3cb248a66c06a5978f48621034e5544efb729150d78f03141ed47530b353d580190698d6210716d316663e3b1274a5394cf6a6
- SSDEEP
  
  6144:pownzj/xv5jECO8eaTd3pkQFoo3JXz7G7vyn7N4Bs:pHnvR3KQFoo3JXz7G784B
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan