General

  • Target

    JaffaCakes118_734eeb6ca8d2f16d680071810ea459f3babc4e510d8fca3667e93574790566de

  • Size

    237KB

  • Sample

    241227-a4jqtawrhq

  • MD5

    3f9580e7c89cc2d22f588f66933a2b55

  • SHA1

    be3c020e42343867e8e1068033ffa86e65639b53

  • SHA256

    734eeb6ca8d2f16d680071810ea459f3babc4e510d8fca3667e93574790566de

  • SHA512

    c60adc3c1c2667ad40a3e4ad7ee2101151621935081f82a37f6cb8631636c5432fe307d8cabf6e12be6ee7a019e8ed1745b18fb692f5b479c2103000e40a69f1

  • SSDEEP

    6144:+jRN5kfRaTc+ww37vkSjX7ITsq7igavwVf:+dN5kfew+X79

Malware Config

Extracted

  • Family

    tofsee

  • C2

    quadoil.ru

    lakeflex.ru

Targets

    • Target

      JaffaCakes118_734eeb6ca8d2f16d680071810ea459f3babc4e510d8fca3667e93574790566de

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks