tofsee | c077d664f953607162a99c61e05cd65110f848cbfcc4140ab6d0429fca29f0dc | Triage

Sharing

General

Target

JaffaCakes118_c077d664f953607162a99c61e05cd65110f848cbfcc4140ab6d0429fca29f0dc
Size

157KB
Sample

241229-js1pmaxjbs
MD5

3bb0a31288d781001d33aeedf06dd8dc
SHA1

981e01149abcd4418142f41758787cf91c97e9c5
SHA256

c077d664f953607162a99c61e05cd65110f848cbfcc4140ab6d0429fca29f0dc
SHA512

c0e8728c316b22fb7ac1e3fde375217240c9ac6f572c8af843f068cde53193534070a62484cbb504ece5e0f09a7d06256e2c940cf36a649741716b001d796c3d
SSDEEP

1536:o7iZ6fjIz/BBE9T6WKPeazpJn1ro7PAak0Am4xz3eyfAQpCJyGUx8z6CDzMAOjM0:+EtUJfg0sz3Jt0JVNxDOI5R4T9

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_c077d664f953607162a99c61e05cd65110f848cbfcc4140ab6d0429fca29f0dc
- Size
  
  157KB
- MD5
  
  3bb0a31288d781001d33aeedf06dd8dc
- SHA1
  
  981e01149abcd4418142f41758787cf91c97e9c5
- SHA256
  
  c077d664f953607162a99c61e05cd65110f848cbfcc4140ab6d0429fca29f0dc
- SHA512
  
  c0e8728c316b22fb7ac1e3fde375217240c9ac6f572c8af843f068cde53193534070a62484cbb504ece5e0f09a7d06256e2c940cf36a649741716b001d796c3d
- SSDEEP
  
  1536:o7iZ6fjIz/BBE9T6WKPeazpJn1ro7PAak0Am4xz3eyfAQpCJyGUx8z6CDzMAOjM0:+EtUJfg0sz3Jt0JVNxDOI5R4T9
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan