General

  • Target

    JaffaCakes118_94d8164b8e24f05fc9a654c110a8a126816f69554fda6ad4971a6a7a450059b1

  • Size

    160KB

  • Sample

    241224-s97zps1lev

  • MD5

    6ec4ce9ef727b0ce459f8b33a2558946

  • SHA1

    223323ff0bbd014582fe858475493e7786fa75a6

  • SHA256

    94d8164b8e24f05fc9a654c110a8a126816f69554fda6ad4971a6a7a450059b1

  • SHA512

    a4197009bc6dbeb5fc37dc38feca53d3f444a9a3de98fa9e6c5c640a6cab0454ce05b6d58ce4c666e8530f87c7efff22506528b4f9fa8c4120011374a394926a

  • SSDEEP

    3072:Y27J44gMgmR69KfphQ2j11L0Jbudv5aNlXdUMQ:YggmR6oBhQ2j1oqv5aTG

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      JaffaCakes118_94d8164b8e24f05fc9a654c110a8a126816f69554fda6ad4971a6a7a450059b1

    • Size

      160KB

    • MD5

      6ec4ce9ef727b0ce459f8b33a2558946

    • SHA1

      223323ff0bbd014582fe858475493e7786fa75a6

    • SHA256

      94d8164b8e24f05fc9a654c110a8a126816f69554fda6ad4971a6a7a450059b1

    • SHA512

      a4197009bc6dbeb5fc37dc38feca53d3f444a9a3de98fa9e6c5c640a6cab0454ce05b6d58ce4c666e8530f87c7efff22506528b4f9fa8c4120011374a394926a

    • SSDEEP

      3072:Y27J44gMgmR69KfphQ2j11L0Jbudv5aNlXdUMQ:YggmR6oBhQ2j1oqv5aTG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks