tofsee | 73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86 | Triage

Sharing

General

Target

JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86
Size

287KB
Sample

241229-ratglatjaz
MD5

508ea1cca364e2f73832dd3ef1160a84
SHA1

daab9d02720b6609f64628388611d09e02433633
SHA256

73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86
SHA512

39bec63482d99132d5ac18b5fdd8e22e01f5dc02b9ee458d37b2d271494356d23f6f7abe17ac020b45657fea476b52973a847005ec6ca4f1a576d2498fdc634f
SSDEEP

6144:uuj9qXmzAuZ8PT6HMgTp915tMvuDH4PKa7tqY:3EXrE8PT6HMgTp96vaY77o

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86
- Size
  
  287KB
- MD5
  
  508ea1cca364e2f73832dd3ef1160a84
- SHA1
  
  daab9d02720b6609f64628388611d09e02433633
- SHA256
  
  73ce70fc473c2e6bad991731f810ba9d3ef400fd3788b4e45339068f69807b86
- SHA512
  
  39bec63482d99132d5ac18b5fdd8e22e01f5dc02b9ee458d37b2d271494356d23f6f7abe17ac020b45657fea476b52973a847005ec6ca4f1a576d2498fdc634f
- SSDEEP
  
  6144:uuj9qXmzAuZ8PT6HMgTp915tMvuDH4PKa7tqY:3EXrE8PT6HMgTp96vaY77o
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan