tofsee | 0164a89f5ce7d86f2fe0503d3c4c39f912ea372b5197b65c0a0b8f8e3dbadd31 | Triage

Sharing

General

Target

JaffaCakes118_0164a89f5ce7d86f2fe0503d3c4c39f912ea372b5197b65c0a0b8f8e3dbadd31
Size

234KB
Sample

241223-xgf3qsxpbk
MD5

ad35ddf418ee1bd6e9c1712b7bab8be5
SHA1

a8a1043d95899c7fb963a34c714ec5e36dfe0dd1
SHA256

0164a89f5ce7d86f2fe0503d3c4c39f912ea372b5197b65c0a0b8f8e3dbadd31
SHA512

c1abe07ca92939fc1cb3269da861894a032c44501b70412831e58d4ce6993618e4d85430ba18b69e280b3dd85e04d8783c24a70207d9ae9e373704ee8ce3c70d
SSDEEP

6144:bBJefRbR6k2TL93Ca+yEfGv9HJyn+Hv4X:bBJeZbRs93Ca+lGv9H1gX

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  JaffaCakes118_0164a89f5ce7d86f2fe0503d3c4c39f912ea372b5197b65c0a0b8f8e3dbadd31
- Size
  
  234KB
- MD5
  
  ad35ddf418ee1bd6e9c1712b7bab8be5
- SHA1
  
  a8a1043d95899c7fb963a34c714ec5e36dfe0dd1
- SHA256
  
  0164a89f5ce7d86f2fe0503d3c4c39f912ea372b5197b65c0a0b8f8e3dbadd31
- SHA512
  
  c1abe07ca92939fc1cb3269da861894a032c44501b70412831e58d4ce6993618e4d85430ba18b69e280b3dd85e04d8783c24a70207d9ae9e373704ee8ce3c70d
- SSDEEP
  
  6144:bBJefRbR6k2TL93Ca+yEfGv9HJyn+Hv4X:bBJeZbRs93Ca+lGv9H1gX
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan