tofsee | de17973ae83b8d093085f6288d74a8dcbccac465f0201030ea223b1b38cb29ff | Triage

Sharing

General

Target

JaffaCakes118_de17973ae83b8d093085f6288d74a8dcbccac465f0201030ea223b1b38cb29ff
Size

304KB
Sample

241229-17zvbaylcx
MD5

22a413c15a4a559e00bb46a7ea9c8328
SHA1

75e0330c2ddced4d2f752709e2f2733f2557f922
SHA256

de17973ae83b8d093085f6288d74a8dcbccac465f0201030ea223b1b38cb29ff
SHA512

fca580091b1b058c3602a92d4645d206a323300e10664ec7085ef4270c269d88d5442770cafa6886aedc8ee6472959f3f27090e5ac6d8a0759bc1d9e5de3c7bf
SSDEEP

6144:VTjfugLvStP73OTkf87CjHIWRLIIL6MCOhxxFeTr/ekI:VrrStakfKGHP/L6+zxF6L

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  JaffaCakes118_de17973ae83b8d093085f6288d74a8dcbccac465f0201030ea223b1b38cb29ff
- Size
  
  304KB
- MD5
  
  22a413c15a4a559e00bb46a7ea9c8328
- SHA1
  
  75e0330c2ddced4d2f752709e2f2733f2557f922
- SHA256
  
  de17973ae83b8d093085f6288d74a8dcbccac465f0201030ea223b1b38cb29ff
- SHA512
  
  fca580091b1b058c3602a92d4645d206a323300e10664ec7085ef4270c269d88d5442770cafa6886aedc8ee6472959f3f27090e5ac6d8a0759bc1d9e5de3c7bf
- SSDEEP
  
  6144:VTjfugLvStP73OTkf87CjHIWRLIIL6MCOhxxFeTr/ekI:VrrStakfKGHP/L6+zxF6L
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan