tofsee | a76073552688bcc6ca3de18c2e7e2394bfb2b3808f8a7d66f51e331373d332f3 | Triage

Sharing

General

Target

JaffaCakes118_a76073552688bcc6ca3de18c2e7e2394bfb2b3808f8a7d66f51e331373d332f3
Size

238KB
Sample

241224-1jl9bayjhr
MD5

1854bf09896c03053dbc0a9bb214d346
SHA1

7b5744d026e9a5f7965f1ebf3625070c638ea2ef
SHA256

a76073552688bcc6ca3de18c2e7e2394bfb2b3808f8a7d66f51e331373d332f3
SHA512

d261cd4150e913e7944df01592b255b021a51ecd2f6054f1db326acdd31b4b85989ae09221509e03977320d44e8f94dd2e05f9c3af48bbc009d93f9e6cde4cc4
SSDEEP

6144:pNeWb3UACOZBOzSc1OItX7ITsq7igavwVf:pN9b37tZBkvnX79

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_a76073552688bcc6ca3de18c2e7e2394bfb2b3808f8a7d66f51e331373d332f3
- Size
  
  238KB
- MD5
  
  1854bf09896c03053dbc0a9bb214d346
- SHA1
  
  7b5744d026e9a5f7965f1ebf3625070c638ea2ef
- SHA256
  
  a76073552688bcc6ca3de18c2e7e2394bfb2b3808f8a7d66f51e331373d332f3
- SHA512
  
  d261cd4150e913e7944df01592b255b021a51ecd2f6054f1db326acdd31b4b85989ae09221509e03977320d44e8f94dd2e05f9c3af48bbc009d93f9e6cde4cc4
- SSDEEP
  
  6144:pNeWb3UACOZBOzSc1OItX7ITsq7igavwVf:pN9b37tZBkvnX79
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan