Overview

overview

10

Static

static

3

5d3df0a18d...c8.exe

windows7-x64

10

5d3df0a18d...c8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_1b67228067476adba101405a8a977dc25acb4080c0e2f49674aa412185fc5804

  • Size

    245KB

  • Sample

    241223-yn2hpazjfw

  • MD5

    8a4849e5be425f9c2cdf4dd69e428ddb

  • SHA1

    886b2751d70f7e365a8915b24fedac89d21f3202

  • SHA256

    1b67228067476adba101405a8a977dc25acb4080c0e2f49674aa412185fc5804

  • SHA512

    2ccbffeb0aa1e4de832edc960d01848ae7aa432c793954e176a59a624930c31a43610503047944f6e56d6690a256f7ebbf247a4de197fbfdf7a35476c27816a1

  • SSDEEP

    3072:8mpWOkQd18axeTE0FJQgz2TiJ5UmHkR0+XaHSwUKFiVvvWaK2MADaR4cLomEr/qR:8m3ffaHki/RHkuiVFK2M8aR/RESNiHe9

Score
10/10
tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      5d3df0a18dce44d82712f8304784c53dcd880ddece5cc4bbf19720150ae4ffc8

    • Size

      13.5MB

    • MD5

      4561b81f98ef3192665759b2266f746a

    • SHA1

      5e7efc91102e748bbeb903ae2f64aa212540a1a8

    • SHA256

      5d3df0a18dce44d82712f8304784c53dcd880ddece5cc4bbf19720150ae4ffc8

    • SHA512

      40bf6776e363f270922d71d67eda0297615fa8765dee88602fceeebda827abb28f923e31a4f0dec4d771af2fe1be3509179ab635ef64b0168cbb00d40f7dd120

    • SSDEEP

      49152:zakyihKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKhKl:zaky

    Score
    10/10
    tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Tofsee family

      tofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistenceexecution

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks