tofsee | a95db7a0471f2717606aab2a74d677670a01d3ec9f1dd642b278151d19bd1d82 | Triage

Sharing

General

Target

JaffaCakes118_a95db7a0471f2717606aab2a74d677670a01d3ec9f1dd642b278151d19bd1d82
Size

209KB
Sample

241225-env65axlhv
MD5

0d7956955bc6e9a59379be3e1c32b521
SHA1

3c30a13b7338b20537743d2c4f26a3f848895afa
SHA256

a95db7a0471f2717606aab2a74d677670a01d3ec9f1dd642b278151d19bd1d82
SHA512

3e44ec1980dab1e2480e95e1af37a9e865140ce400445e90babdd884885a25f51c9732241fbf4396d84a1c9c253a94947fa38468ad1684e47ae6c511de496c28
SSDEEP

3072:l7o+8bY15UT/8c4UhnRc6OAK4MdHU0qiRHJWrxpzbgqru2sxkgaBChH:CDE15UTk+cKK4MOUJuzbgwujiga

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_a95db7a0471f2717606aab2a74d677670a01d3ec9f1dd642b278151d19bd1d82
- Size
  
  209KB
- MD5
  
  0d7956955bc6e9a59379be3e1c32b521
- SHA1
  
  3c30a13b7338b20537743d2c4f26a3f848895afa
- SHA256
  
  a95db7a0471f2717606aab2a74d677670a01d3ec9f1dd642b278151d19bd1d82
- SHA512
  
  3e44ec1980dab1e2480e95e1af37a9e865140ce400445e90babdd884885a25f51c9732241fbf4396d84a1c9c253a94947fa38468ad1684e47ae6c511de496c28
- SSDEEP
  
  3072:l7o+8bY15UT/8c4UhnRc6OAK4MdHU0qiRHJWrxpzbgqru2sxkgaBChH:CDE15UTk+cKK4MOUJuzbgwujiga
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan