tofsee | 5baa53a33e5183490b5f4111bbc405a8a4203b1617c635c1b4bda0dd3955298b | Triage

Sharing

General

Target

JaffaCakes118_5baa53a33e5183490b5f4111bbc405a8a4203b1617c635c1b4bda0dd3955298b
Size

286KB
Sample

241223-xd6tzsxndq
MD5

bebcafb815c87b777af00c7aaa8f0063
SHA1

7438dbc9f820d017151411d0581bcd0a35a82b76
SHA256

5baa53a33e5183490b5f4111bbc405a8a4203b1617c635c1b4bda0dd3955298b
SHA512

346ce96d3da0da712e226ffce18a5fa8fda07993c3501528e696f2c0d41eaca556560547aecb7666ae5d0d4d4b5b686572c849e8503cffd3c98d4474f9911303
SSDEEP

3072:saxXGEcrxT19jb0xdlCBFL4r5u0ay/M8Z9OOHesIZQFr+uX3Prgm5ejH:seXud19jbSlCbkrL+OHesIq53T8

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  JaffaCakes118_5baa53a33e5183490b5f4111bbc405a8a4203b1617c635c1b4bda0dd3955298b
- Size
  
  286KB
- MD5
  
  bebcafb815c87b777af00c7aaa8f0063
- SHA1
  
  7438dbc9f820d017151411d0581bcd0a35a82b76
- SHA256
  
  5baa53a33e5183490b5f4111bbc405a8a4203b1617c635c1b4bda0dd3955298b
- SHA512
  
  346ce96d3da0da712e226ffce18a5fa8fda07993c3501528e696f2c0d41eaca556560547aecb7666ae5d0d4d4b5b686572c849e8503cffd3c98d4474f9911303
- SSDEEP
  
  3072:saxXGEcrxT19jb0xdlCBFL4r5u0ay/M8Z9OOHesIZQFr+uX3Prgm5ejH:seXud19jbSlCbkrL+OHesIq53T8
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan