tofsee | c36d92eb67d8771a4fa4f2c7bd8c1b12d0ea8645fab45b3321000a9941e7304a | Triage

Sharing

General

Target

JaffaCakes118_c36d92eb67d8771a4fa4f2c7bd8c1b12d0ea8645fab45b3321000a9941e7304a
Size

164KB
Sample

241227-cn7h2syrg1
MD5

d734569001b69222d805738edfc47168
SHA1

f4879b2f7c66698f0debcc545836e8a6d63a7cec
SHA256

c36d92eb67d8771a4fa4f2c7bd8c1b12d0ea8645fab45b3321000a9941e7304a
SHA512

a78389a5b03ebed89ac85f2be37bcbcbfd03c02e5fe89e504ad4f9162162a1ad3080a8ff93ad1b94dafae525d18498c17cb2b7842ec533ae0676f4a16b2c0977
SSDEEP

3072:mQOLRBnPGJFSBbG8PnQoa8kZwc46B4OqXXs4zyAPKYCUkO2:lOdBnPGSR/Qoa8pq8s4zysdCUkB

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_c36d92eb67d8771a4fa4f2c7bd8c1b12d0ea8645fab45b3321000a9941e7304a
- Size
  
  164KB
- MD5
  
  d734569001b69222d805738edfc47168
- SHA1
  
  f4879b2f7c66698f0debcc545836e8a6d63a7cec
- SHA256
  
  c36d92eb67d8771a4fa4f2c7bd8c1b12d0ea8645fab45b3321000a9941e7304a
- SHA512
  
  a78389a5b03ebed89ac85f2be37bcbcbfd03c02e5fe89e504ad4f9162162a1ad3080a8ff93ad1b94dafae525d18498c17cb2b7842ec533ae0676f4a16b2c0977
- SSDEEP
  
  3072:mQOLRBnPGJFSBbG8PnQoa8kZwc46B4OqXXs4zyAPKYCUkO2:lOdBnPGSR/Qoa8pq8s4zysdCUkB
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan