General

  • Target

    JaffaCakes118_d0a7e9269475d79293aa5a2c07f47ae586d636ba791943b0fc7d0a8a57e8895e

  • Size

    262KB

  • Sample

    241224-z4vwhsxnes

  • MD5

    741c885dfd2fc7e1f7414e1dc86bc4f6

  • SHA1

    ec2c42d54aea062cc145b5830d6544f24c4f941d

  • SHA256

    d0a7e9269475d79293aa5a2c07f47ae586d636ba791943b0fc7d0a8a57e8895e

  • SHA512

    46949d434dbb5867c79a5cfd89d358d6a633f30c7a0cbce286711b2092784165771589b05e31cb0b9ece65dca86470692eeb0699e7381678b48984098640413e

  • SSDEEP

    6144:hvkKxGgD4AD+s72hPJg6C8Z+LPqhSE6t1OCGwUXB4RZucX:hMAfD4ADv72hOeZ+LP06nYRK

Malware Config

  • Extracted

  • Family

    tofsee

  • C2

    defeatwax.ru

    refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
