General

  • Target

    JaffaCakes118_e6989d9a9bfec4432d36ac3f6ab78bbc5a26e537454dd86fef8ff870c6375dbc

  • Size

    243KB

  • Sample

    241222-zvr39szjbn

  • MD5

    0951fa631d9b9f6c0b62c55fa8ff1c18

  • SHA1

    1e5b62640051bb5a70aabd3189e3a09c0864e1c7

  • SHA256

    e6989d9a9bfec4432d36ac3f6ab78bbc5a26e537454dd86fef8ff870c6375dbc

  • SHA512

    906bf4be6512c22ed1307fa00feed1590a3e34ba32251640211bbbcc49af33c995f32fb27dcd51fdce525b91fdd1afe1b0a22b6a912f12a521afb29d9e05488c

  • SSDEEP

    6144:TEZQ/ISjbrjw8vNivYFigPcYTzJ8CUlB1NCUw2lqc8:AZMjXjw8vEpgPTPJR2l9

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info
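The hashes in the General section and the two C2 domains above are the indicators a responder would actually pivot on. As an added example that is not part of the original report or of the sandbox's own tooling, the Python below embeds that indicator record, hashes a file the same way (all four digests in one pass), and scans DNS log lines for the C2 domains or any subdomain of them. The DNS lines and the byte strings it is run on are constructed for the demo; SSDEEP is left out because it needs the non-standard ssdeep bindings rather than the standard library.

```python
"""Hash and C2 indicator matching for the Tofsee sample in this report.

Added example, not part of the original report. The indicator values are
copied from the report's General and Malware Config sections; the DNS log
lines below are constructed, not real telemetry.
"""
import hashlib
import re

# Digests copied from the report. SHA-256 alone identifies the file; MD5 and
# SHA-1 are kept only because older feeds and tooling still key on them.
SAMPLE_IOCS = {
    "md5": "0951fa631d9b9f6c0b62c55fa8ff1c18",
    "sha1": "1e5b62640051bb5a70aabd3189e3a09c0864e1c7",
    "sha256": "e6989d9a9bfec4432d36ac3f6ab78bbc5a26e537454dd86fef8ff870c6375dbc",
    "sha512": "906bf4be6512c22ed1307fa00feed1590a3e34ba32251640211bbbcc49af33c995f32fb27dcd51fdce525b91fdd1afe1b0a22b6a912f12a521afb29d9e05488c",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")

# C2 domains from the report's Malware Config section.
TOFSEE_C2 = ("defeatwax.ru", "refabyd.info")


def hash_bytes(data: bytes) -> dict:
    """Return the four digests the report lists, computed over the given bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def hash_file(path: str) -> dict:
    """Stream a file through all four digests at once (one read, not four)."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def matches_sample(digests: dict, iocs: dict = SAMPLE_IOCS) -> dict:
    """Compare computed digests to the report, one boolean per algorithm.

    Any single mismatch means "not this file"; a mix of True and False would
    indicate a typo in the indicator record rather than a related sample.
    """
    return {algo: digests[algo].lower() == iocs[algo].lower() for algo in ALGOS}


# Matches dotted host names inside free-form log text (IPs match too, but
# they never equal a C2 domain, so they are harmless).
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def c2_hits(log_lines, c2_domains=TOFSEE_C2):
    """Return (line_no, name) for every query of a C2 domain or a subdomain of one.

    Suffix matching is anchored on the dot so that "notdefeatwax.ru" is not
    treated as a hit while "cdn.defeatwax.ru" is.
    """
    wanted = tuple(d.lower() for d in c2_domains)
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for name in DOMAIN_RE.findall(line):
            name = name.lower().rstrip(".")
            if any(name == d or name.endswith("." + d) for d in wanted):
                hits.append((line_no, name))
    return hits


# Constructed resolver log lines for the demo (not from the sandbox run).
DNS_LOG = [
    "2024-12-22T10:01:02Z client 10.0.0.5 query: www.microsoft.com IN A",
    "2024-12-22T10:01:05Z client 10.0.0.5 query: defeatwax.ru IN A",
    "2024-12-22T10:01:06Z client 10.0.0.5 query: mail.refabyd.info IN A",
    "2024-12-22T10:01:07Z client 10.0.0.9 query: notdefeatwax.ru IN A",
]

if __name__ == "__main__":
    print(matches_sample(hash_bytes(b"not the sample")))
    print(c2_hits(DNS_LOG))
```

Run `hash_file()` on the downloaded sample and feed the result to `matches_sample()` before doing anything else with it; a SHA-256 mismatch means you are not looking at the file this report describes.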

Targets

    • Target

      JaffaCakes118_e6989d9a9bfec4432d36ac3f6ab78bbc5a26e537454dd86fef8ff870c6375dbc

    • Size

      243KB

    • MD5

      0951fa631d9b9f6c0b62c55fa8ff1c18

    • SHA1

      1e5b62640051bb5a70aabd3189e3a09c0864e1c7

    • SHA256

      e6989d9a9bfec4432d36ac3f6ab78bbc5a26e537454dd86fef8ff870c6375dbc

    • SHA512

      906bf4be6512c22ed1307fa00feed1590a3e34ba32251640211bbbcc49af33c995f32fb27dcd51fdce525b91fdd1afe1b0a22b6a912f12a521afb29d9e05488c

    • SSDEEP

      6144:TEZQ/ISjbrjw8vNivYFigPcYTzJ8CUlB1NCUw2lqc8:AZMjXjw8vEpgPTPJR2l9

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
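The signature names in the list above are the sandbox's verdicts; on a live host the same behaviours have to be recovered from telemetry. As an added example, not part of the report and not the sandbox's own signature logic, the Python below maps Sysmon and System log records to five of those signatures: service installation (System 7045), ImagePath writes under the Services key (Sysmon 13), writes under the Windows Firewall policy key (Sysmon 13), execution of a file the trace saw being created (Sysmon 11 followed by Sysmon 1), and deletion of a file that earlier ran as a process (Sysmon 23), which is how self-deletion usually surfaces because a mapped executable cannot delete itself directly. The event records, service name and paths are constructed for the demo and are not taken from the sample; the SetThreadContext and registry-read (country code) signatures are deliberately not covered because they are API-level behaviours that this kind of log does not record.

```python
"""Map host telemetry to the behaviour signatures this report lists.

Added example, not part of the original report or of the sandbox's own
signature engine. Event records use Sysmon/System field names (EventID,
Image, TargetObject, TargetFilename) but are constructed; the service name
"examplesvc" and all paths are illustrative, not taken from the sample.
"""
import re
from collections import defaultdict

# Windows Firewall policy is stored under this key; a local firewall change
# shows up in registry telemetry as a value set beneath it.
FIREWALL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# ImagePath of any service, under CurrentControlSet or a numbered control set.
IMAGEPATH_RE = re.compile(
    r"HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)\\ImagePath$",
    re.I,
)


def classify(events):
    """Return {signature_name: [supporting events]} for the behaviours detected.

    Events are processed in order so that the two correlations (drop-then-run,
    run-then-delete) only fire when the earlier half was actually observed.
    """
    hits = defaultdict(list)
    dropped = {}   # lower-cased path of a created .exe -> process that wrote it
    ran = set()    # lower-cased image paths seen in ProcessCreate events
    for ev in events:
        src, eid = ev["source"], ev["EventID"]
        if src == "System" and eid == 7045:          # "A service was installed in the system"
            hits["Creates new service(s)"].append(ev)
        elif src != "Sysmon":
            continue
        elif eid == 1:                               # ProcessCreate
            img = ev["Image"].lower()
            ran.add(img)
            if img in dropped:
                hits["Executes dropped EXE"].append(ev)
        elif eid == 11 and ev["TargetFilename"].lower().endswith(".exe"):  # FileCreate
            dropped[ev["TargetFilename"].lower()] = ev["Image"]
        elif eid == 13:                              # RegistryEvent (Value Set)
            target = ev["TargetObject"]
            if IMAGEPATH_RE.search(target):
                hits["Sets service image path in registry"].append(ev)
            if target.lower().startswith(FIREWALL_KEY.lower()):
                hits["Modifies Windows Firewall"].append(ev)
        elif eid == 23 and ev["TargetFilename"].lower() in ran:           # FileDelete
            # Heuristic: deleting a file that ran earlier in this trace, whoever
            # issues the delete (the running image cannot unlink itself).
            hits["Deletes itself"].append(ev)
    return dict(hits)


def signatures(events):
    """Sorted list of signature names, for a quick comparison with the report."""
    return sorted(classify(events))


# Constructed event trace for the demo (not from the sandbox run).
EVENTS = [
    {"source": "Sysmon", "EventID": 1, "Image": r"C:\Users\user\Desktop\sample.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"source": "Sysmon", "EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Windows\Temp\dropped.exe"},
    {"source": "Sysmon", "EventID": 13, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\examplesvc\ImagePath",
     "Details": r"C:\Windows\Temp\dropped.exe"},
    {"source": "System", "EventID": 7045, "ServiceName": "examplesvc",
     "ImagePath": r"C:\Windows\Temp\dropped.exe"},
    {"source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\Temp\dropped.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"source": "Sysmon", "EventID": 13, "Image": r"C:\Windows\Temp\dropped.exe",
     "TargetObject": FIREWALL_KEY + r"\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"source": "Sysmon", "EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\user\Desktop\sample.exe"},
    {"source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for name, evs in classify(EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

The ordering matters: a ProcessCreate for a path that was never seen in a FileCreate is just a process, and a FileDelete of something that never ran is just housekeeping; only the paired observations reproduce what the sandbox reports as "Executes dropped EXE" and "Deletes itself".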

MITRE ATT&CK Enterprise v15

Tasks