General

  • Target: JaffaCakes118_18dbdf8e5d41919296db9997b52a8292408d5c3d6d8194cc57909ee99338436b
  • Size: 146KB
  • Sample: 241229-gw3x2svma1
  • MD5: 23bdb6333269fdd7c286742e9964d04e
  • SHA1: 043b6cea048f3e2bb09c60e6b7a732f7c4522720
  • SHA256: 18dbdf8e5d41919296db9997b52a8292408d5c3d6d8194cc57909ee99338436b
  • SHA512: b16321669cc825afd184394a9693d1c508b317a75af918e7dca507d290f5eb70d3b10fc76c9372463db1afd6b14655e0a5d7f8a2a7a13b943b80f50801fb14a3
  • SSDEEP: 3072:leRcOvgBZ3qPqLigLEoFMHxZnxqfPSAaz:lhOIB0zGEbqfXU

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru, refabyd.info

Targets


    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Tofsee family
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
