General

  • Target

    JaffaCakes118_06850f2d0142e810f57813c7c913a4e12b4c9469faf9056bc451cc31740cf96b

  • Size

    237KB

  • Sample

    241223-3kft2avphj

  • MD5

    a8e1e66bdfc7d5f1f1eb757ac9686f22

  • SHA1

    b7328c79b0abdfc31025b6a9f8eec0055d0a87b9

  • SHA256

    06850f2d0142e810f57813c7c913a4e12b4c9469faf9056bc451cc31740cf96b

  • SHA512

    9f59d72958342d0224d9d3bc1658ab40352e41c341e85766b45295068d433fe2237f065774aa402cebb749c3498434831f303161f7a8ceaa2f5c9454f4099d3d

  • SSDEEP

    6144:+X2ED6j2XJ21RnZKA/CBph7ITsq7igavwVf:+X246iXcZK5h79

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      JaffaCakes118_06850f2d0142e810f57813c7c913a4e12b4c9469faf9056bc451cc31740cf96b


    • Tofsee

      Backdoor/botnet client that carries out malicious activity (for Tofsee, typically spam relaying and proxying) based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
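The signatures above describe behaviour the sandbox observed; a practitioner usually wants the same checks expressed as detection logic over endpoint telemetry. The following is an added example, not part of this report or of any sandbox's own rules. It takes the IOCs from the report (the file hashes and the two C2 domains) and encodes the listed behaviours as rules over a constructed, Sysmon-like event stream. The event schema, the service name, the dropped file name and the `ApiCall` and `RegistryQueryValue` event types are assumptions for illustration (registry reads and thread-context calls are not logged by stock Sysmon); the registry locations for service image paths, firewall policy and the Geo\Nation value are standard Windows paths and are not stated in the report. The fuzzy hash (SSDEEP) is deliberately not matched here.

```python
"""Turn the Tofsee report's IOCs and behavioural signatures into detection rules.

Added example, not the report's or a sandbox's code. Events below are constructed.
"""
import hashlib
import re

# Hashes and C2 domains taken from the report above.
IOC_HASHES = {
    "md5": "a8e1e66bdfc7d5f1f1eb757ac9686f22",
    "sha1": "b7328c79b0abdfc31025b6a9f8eec0055d0a87b9",
    "sha256": "06850f2d0142e810f57813c7c913a4e12b4c9469faf9056bc451cc31740cf96b",
}
C2_DOMAINS = {"quadoil.ru", "lakeflex.ru"}

# Standard Windows registry locations behind the listed signatures (not from the report).
SERVICE_IMAGE_PATH = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+\\ImagePath$", re.I)
FIREWALL_POLICY = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\SharedAccess\\Parameters"
    r"\\FirewallPolicy\\", re.I)
GEO_NATION = re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.I)


def file_matches_ioc(data: bytes) -> set:
    """Return the names of the report hashes that match the given file contents."""
    return {name for name, digest in IOC_HASHES.items()
            if hashlib.new(name, data).hexdigest() == digest}


def evaluate(events, sample_image: str) -> set:
    """Run the behavioural rules over an ordered event list; return triggered signatures."""
    hits, dropped = set(), set()
    sample = sample_image.lower()
    for ev in events:
        kind, image = ev["event"], ev["image"].lower()
        if kind == "RegistryValueSet":
            if SERVICE_IMAGE_PATH.match(ev["target"]):
                hits.add("Sets service image path in registry")
            if FIREWALL_POLICY.match(ev["target"]):
                hits.add("Modifies Windows Firewall")
        elif kind == "RegistryQueryValue" and GEO_NATION.match(ev["target"]):
            hits.add("Checks computer location settings")
        elif kind == "FileCreate":
            # Remember executables written by the sample so a later launch can be tied to it.
            if image == sample and ev["target"].lower().endswith(".exe"):
                dropped.add(ev["target"].lower())
        elif kind == "ProcessCreate":
            cmd = ev["command_line"].lower()
            if ev.get("sha256") == IOC_HASHES["sha256"]:
                hits.add("Known Tofsee sample executed")
            if image.endswith("\\sc.exe") and " create " in cmd:
                hits.add("Creates new service(s)")
            if image.endswith("\\netsh.exe") and "firewall" in cmd:
                hits.add("Modifies Windows Firewall")
            if image.endswith("\\cmd.exe") and "del " in cmd and sample in cmd:
                hits.add("Deletes itself")
            if image in dropped:
                hits.add("Executes dropped EXE")
        elif kind == "FileDelete" and ev["target"].lower() == image:
            hits.add("Deletes itself")
        elif kind == "ApiCall" and ev["api"] == "SetThreadContext":
            hits.add("Suspicious use of SetThreadContext")
        elif kind == "DnsQuery" and ev["query"].lower().rstrip(".") in C2_DOMAINS:
            hits.add("Resolves Tofsee C2 domain")
    return hits


# Constructed event stream (hypothetical paths and service name), ordered as observed.
SAMPLE_IMAGE = r"C:\Users\user\AppData\Local\Temp\sample.exe"
DROPPED_EXE = r"C:\Users\user\AppData\Local\Temp\xsrvtwo.exe"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": SAMPLE_IMAGE, "command_line": SAMPLE_IMAGE,
     "sha256": IOC_HASHES["sha256"]},
    {"event": "RegistryQueryValue", "image": SAMPLE_IMAGE,
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"event": "FileCreate", "image": SAMPLE_IMAGE, "target": DROPPED_EXE},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\sc.exe",
     "command_line": f'sc create svcname binPath= "{DROPPED_EXE}"'},
    {"event": "RegistryValueSet", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\svcname\ImagePath"},
    {"event": "RegistryValueSet", "image": SAMPLE_IMAGE,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"},
    {"event": "ProcessCreate", "image": DROPPED_EXE, "command_line": DROPPED_EXE},
    {"event": "ApiCall", "image": DROPPED_EXE, "api": "SetThreadContext", "target_pid": 4242},
    {"event": "DnsQuery", "image": DROPPED_EXE, "query": "quadoil.ru"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": f'cmd.exe /c del "{SAMPLE_IMAGE}"'},
]

if __name__ == "__main__":
    for sig in sorted(evaluate(SAMPLE_EVENTS, SAMPLE_IMAGE)):
        print(sig)
```

Hash matching alone only catches this exact build; the behavioural rules (service creation plus an ImagePath write, a firewall policy change, a Geo\Nation read before any network activity, a dropped executable being launched and the original deleting itself) are what generalise to repacked variants, and the C2 domains are the cheapest pivot for DNS-log hunting.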

MITRE ATT&CK Enterprise v15

Tasks