General

  • Target

    JaffaCakes118_553ce75a13c88ab7422641d393c472170ff4368e79eaa1715ab7611bc3ef508d

  • Size

    158KB

  • Sample

    241224-xdnneatnhx

  • MD5

    7cedde86e6bd1a06c443cada40905aa9

  • SHA1

    4577f0b655f3ba1c19ccba4192e6e5fce180fc30

  • SHA256

    553ce75a13c88ab7422641d393c472170ff4368e79eaa1715ab7611bc3ef508d

  • SHA512

    94a3fe5ec3d1c452a29533751ce02f627262e57cb8e847f2ee8737884812d546c2c479bd4d5b6cf025135eb4a610f9a7642272e34ccc5151038087871b9b7693

  • SSDEEP

    3072:n6hHIc3hRprDrShR1Wrb0ykBIm9w0e7hwiXJlx+It4RQcS3Xdif940noDcG:6thR1iR1WrbEe7yiXVxt4RQFHEfJ2

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      02b4c3dcc4673e8e5b5209e2cbad26584be30b40b082d0bf906ae4d60e9487a2

    • Size

      260KB

    • MD5

      ef7e4a69cb1f773ee7b5ac597f06418a

    • SHA1

      7c09ac3d21a7e7866f8a74c6e39f496a75e005ee

    • SHA256

      02b4c3dcc4673e8e5b5209e2cbad26584be30b40b082d0bf906ae4d60e9487a2

    • SHA512

      bec3b85d3bfa56ab5b1427d870f81bbca45a3bb301c524eca29960185832a3664d449e8d4d320926139d3ec97f425b13e6fbd3b62adcf09987ad82c40f80a7a7

    • SSDEEP

      3072:LuJFB8IkKLXHxuvz5q3jzQctU7cw0e7hwiXJl8T4DKFbJOxjw0L9l5M/h3:+FBFTLXx9zQctze7yiX4kMOxjw0xT

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks