General

  • Target

    JaffaCakes118_9d324da8874bf18aae363a521f47adb886165ed9a6fb99ca0ff8f112bb78a1e3

  • Size

    286KB

  • Sample

    241224-avwzsawqhl

  • MD5

    c8db952495476598e4a9e817faa66bd3

  • SHA1

    bf87819d97967eb84812028e724acccbecc308c6

  • SHA256

    9d324da8874bf18aae363a521f47adb886165ed9a6fb99ca0ff8f112bb78a1e3

  • SHA512

    1ba0653a1489761d66042f8732532d028a51dd50734d2188eeb54157cde4498e4ac5322067e75b768176f060f04cc65c4178c3bb06447192133e9be54510f427

  • SSDEEP

    6144:yK8kEQgA+ApiK1eO0CICsClp+TV6T0YeMx:WQbH3/ICsClp+wQY

Malware Config

Extracted

  • Family

    tofsee

  • C2

    quadoil.ru

    lakeflex.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
