General
-
Target
JaffaCakes118_b40f20aabb552499cf84c49b51d331125f2ac81fea0388c928ab47a1ab206a00
-
Size
188KB
-
Sample
241223-ra56ds1pcy
-
MD5
b902bbf8979f1a374cf1bac4e0be9767
-
SHA1
01f9cdfc71e798acdab741c4b702abdbc4561348
-
SHA256
b40f20aabb552499cf84c49b51d331125f2ac81fea0388c928ab47a1ab206a00
-
SHA512
0edd6331d158f267ae081e075b3256c600655c9b0afd6c669baa1a8b72a5b51fc54567ca4911c6fb60c715588717590fe8d6c0a0e311e15b4bdf1184c3f68784
-
SSDEEP
3072:x17s49QB1NQWpUsMYvHaa9wLMZHHtpZa9uD6Vdyhkf:x59QB1NQWp1bH2MBtwVf
Malware Config
Extracted
tofsee
quadoil.ru
lakeflex.ru
Targets
-
-
Target
JaffaCakes118_b40f20aabb552499cf84c49b51d331125f2ac81fea0388c928ab47a1ab206a00
-
Size
188KB
-
MD5
b902bbf8979f1a374cf1bac4e0be9767
-
SHA1
01f9cdfc71e798acdab741c4b702abdbc4561348
-
SHA256
b40f20aabb552499cf84c49b51d331125f2ac81fea0388c928ab47a1ab206a00
-
SHA512
0edd6331d158f267ae081e075b3256c600655c9b0afd6c669baa1a8b72a5b51fc54567ca4911c6fb60c715588717590fe8d6c0a0e311e15b4bdf1184c3f68784
-
SSDEEP
3072:x17s49QB1NQWpUsMYvHaa9wLMZHHtpZa9uD6Vdyhkf:x59QB1NQWp1bH2MBtwVf
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2