tofsee | 66a6da04154d8f34b280188ff2e675b9137622f9046912a1761e1561b7321bac | Triage

Sharing

General

Target

JaffaCakes118_66a6da04154d8f34b280188ff2e675b9137622f9046912a1761e1561b7321bac
Size

238KB
Sample

241225-hhjgxszrgl
MD5

8271ce4f3cbd9b09bf15c5a68e88b0da
SHA1

8a67d568576e34c1c6e94b61f659f450df2ef96d
SHA256

66a6da04154d8f34b280188ff2e675b9137622f9046912a1761e1561b7321bac
SHA512

27c67f1762515a99e1260866235aee0904685144af6f09bb5c384a0caca2e95438310b690f12e32b8d46d349d9027d2d76a589bcfdaed3c75e69ce05dd2a0bd4
SSDEEP

3072:a7V2YJR9xNKX/hxlknRrKpyCaU0m+J2x5UrqGjcxSVggjcGkNIVqI7sxkgaBChMg:bYr9xNKXSnQMmJWr0K7ITsq7igavwVf

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_66a6da04154d8f34b280188ff2e675b9137622f9046912a1761e1561b7321bac
- Size
  
  238KB
- MD5
  
  8271ce4f3cbd9b09bf15c5a68e88b0da
- SHA1
  
  8a67d568576e34c1c6e94b61f659f450df2ef96d
- SHA256
  
  66a6da04154d8f34b280188ff2e675b9137622f9046912a1761e1561b7321bac
- SHA512
  
  27c67f1762515a99e1260866235aee0904685144af6f09bb5c384a0caca2e95438310b690f12e32b8d46d349d9027d2d76a589bcfdaed3c75e69ce05dd2a0bd4
- SSDEEP
  
  3072:a7V2YJR9xNKX/hxlknRrKpyCaU0m+J2x5UrqGjcxSVggjcGkNIVqI7sxkgaBChMg:bYr9xNKXSnQMmJWr0K7ITsq7igavwVf
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan