tofsee | 86054a9f4dc9fc201137e9dabab67b47541cad795c5f9c307aebb95a74032385 | Triage

Sharing

General

Target

JaffaCakes118_86054a9f4dc9fc201137e9dabab67b47541cad795c5f9c307aebb95a74032385
Size

285KB
Sample

241229-n7zs4a1maw
MD5

020b25befc4912d8e055a74e89795964
SHA1

8b51f165c506a3c002345828a6fdf6458a20ad00
SHA256

86054a9f4dc9fc201137e9dabab67b47541cad795c5f9c307aebb95a74032385
SHA512

738ab2c84b1071de84983f896e26d6754cc052fec96580cc21af96fb2452d8f053a3d60cb4572f3208dee683031f58803c770e22901f467cee9b6b888bd3551d
SSDEEP

6144:qBL5PZaxPmyPhDh8vICUCe02DuMY0Et6Hdz:GxaxPZh1iICUCe02HFEwHdz

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_86054a9f4dc9fc201137e9dabab67b47541cad795c5f9c307aebb95a74032385
- Size
  
  285KB
- MD5
  
  020b25befc4912d8e055a74e89795964
- SHA1
  
  8b51f165c506a3c002345828a6fdf6458a20ad00
- SHA256
  
  86054a9f4dc9fc201137e9dabab67b47541cad795c5f9c307aebb95a74032385
- SHA512
  
  738ab2c84b1071de84983f896e26d6754cc052fec96580cc21af96fb2452d8f053a3d60cb4572f3208dee683031f58803c770e22901f467cee9b6b888bd3551d
- SSDEEP
  
  6144:qBL5PZaxPmyPhDh8vICUCe02DuMY0Et6Hdz:GxaxPZh1iICUCe02HFEwHdz
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan