tofsee | 198cac834f2035248a9e788928666e62789cc92e396c8fe57efb539adce8db12 | Triage

Sharing

General

Target

JaffaCakes118_198cac834f2035248a9e788928666e62789cc92e396c8fe57efb539adce8db12
Size

285KB
Sample

241226-terjxazkdw
MD5

7054f61d1e5508cd336cc4651f736acf
SHA1

3e21556cb84c067fe7c79abe3ef4bbd9fea335d0
SHA256

198cac834f2035248a9e788928666e62789cc92e396c8fe57efb539adce8db12
SHA512

42eeefacf1854770ddc4f76292c233009e15cc0d42d984e4f1bc7fe763a790b8b2483a8c6fbefdfab49d957c453bf55d2ddf080533b8a01cb68ba8050545a1c1
SSDEEP

6144:2KFbjVUyrQk3RMPrCpcaJlkHuzbgwu6L7ITsqSigaTwVf:xbjKQB3SMaHunnn7s

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_198cac834f2035248a9e788928666e62789cc92e396c8fe57efb539adce8db12
- Size
  
  285KB
- MD5
  
  7054f61d1e5508cd336cc4651f736acf
- SHA1
  
  3e21556cb84c067fe7c79abe3ef4bbd9fea335d0
- SHA256
  
  198cac834f2035248a9e788928666e62789cc92e396c8fe57efb539adce8db12
- SHA512
  
  42eeefacf1854770ddc4f76292c233009e15cc0d42d984e4f1bc7fe763a790b8b2483a8c6fbefdfab49d957c453bf55d2ddf080533b8a01cb68ba8050545a1c1
- SSDEEP
  
  6144:2KFbjVUyrQk3RMPrCpcaJlkHuzbgwu6L7ITsqSigaTwVf:xbjKQB3SMaHunnn7s
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan