General

  • Target

    JaffaCakes118_542c1a097f2a8a8b3dd27713ce3fc0873d64bb255f43265a577d0537adb0e95c

  • Size

    241KB

  • Sample

    241230-v23fcstlhz

  • MD5

    26f82c93b67c17fdc57eb442a9f75cc4

  • SHA1

    a3532ef0fc60cefd6923341449c927812190334a

  • SHA256

    542c1a097f2a8a8b3dd27713ce3fc0873d64bb255f43265a577d0537adb0e95c

  • SHA512

    2afc90bce64ca13059ae3861daca7319d216956aeecf935be596c09211c53f1f0b81b0bb5159282d6ac7f7805e762c7d584d8d01565cbd6cd2e76d6672710167

  • SSDEEP

    6144:Dvv4iHVncWHsZO694FdXKde7cIncP3Nw:Dvv4iHVrsZO6mdXF7cInE

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
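The indicators above (four file digests, an SSDEEP fuzzy hash, the 241KB size and two C2 domains) are what a responder actually pivots on. The script below is an added example, not code from the sandbox or from the report: it copies the report's hashes and domains verbatim, checks that a local file is really this sample (all four digests, not just MD5), sanity-checks the SSDEEP block size against the reported size (ssdeep chooses the smallest block size 3 * 2^n with block_size * 64 >= file size, then may halve it if the signature comes out too short), and flags resolver log lines that query a C2 domain or a subdomain of one. The DNS log lines and their `client=... query=...` format are constructed for illustration, and the exact byte count is assumed from the rounded 241KB figure.

```python
"""Indicator checks for the Tofsee sample described in this report.

Added example, not part of the sandbox report: the hashes, SSDEEP value,
size and C2 domains below are copied from the report; the DNS log lines
and their format are constructed for illustration.
"""
import hashlib
import re

# Indicators copied from the report above.
REPORT = {
    "md5": "26f82c93b67c17fdc57eb442a9f75cc4",
    "sha1": "a3532ef0fc60cefd6923341449c927812190334a",
    "sha256": "542c1a097f2a8a8b3dd27713ce3fc0873d64bb255f43265a577d0537adb0e95c",
    "sha512": "2afc90bce64ca13059ae3861daca7319d216956aeecf935be596c09211c53f1f"
              "0b81b0bb5159282d6ac7f7805e762c7d584d8d01565cbd6cd2e76d6672710167",
    "ssdeep": "6144:Dvv4iHVncWHsZO694FdXKde7cIncP3Nw:Dvv4iHVrsZO6mdXF7cInE",
    "size_bytes": 241 * 1024,   # assumption: report only gives the rounded 241KB
    "c2": ["defeatwax.ru", "refabyd.info"],
}

DIGESTS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """Compute all four digests the report lists for an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def digest_file(path: str) -> dict:
    """Same as digest_bytes, but streamed so large samples are not read at once."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def mismatched_digests(digests: dict, report: dict = REPORT) -> list:
    """Names of digests that differ from the report (empty list == same file).

    Compare all four: an MD5 match with a SHA256 mismatch is either a
    collision or a transcription error, and both deserve a second look.
    """
    return [n for n in DIGESTS if digests.get(n, "").lower() != report[n]]


def ssdeep_blocksize_plausible(ssdeep_hash: str, size_bytes: int) -> bool:
    """Sanity-check an SSDEEP hash's block size against the file size.

    ssdeep starts at block size 3 and doubles until block_size * 64 >= size,
    then may halve it if the signature is too short, so a valid hash carries
    a block size of the form 3 * 2**n that is at most that computed value.
    """
    block = int(ssdeep_hash.split(":", 1)[0])
    if block % 3:
        return False
    n = block // 3
    if n & (n - 1):                     # not a power of two
        return False
    expected = 3
    while expected * 64 < size_bytes:
        expected *= 2
    return block <= expected


def is_c2_host(name: str, c2_domains=REPORT["c2"]) -> bool:
    """True if name is one of the C2 domains or a subdomain of one."""
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in c2_domains)


# Constructed resolver log lines (hypothetical format) used to show the lookup.
SAMPLE_DNS_LOG = [
    "2024-12-30T21:10:02Z client=10.0.0.5 query=defeatwax.ru type=A",
    "2024-12-30T21:10:03Z client=10.0.0.5 query=www.example.com type=A",
    "2024-12-30T21:10:09Z client=10.0.0.7 query=mail.refabyd.info. type=MX",
    "2024-12-30T21:10:11Z client=10.0.0.8 query=notdefeatwax.ru type=A",
]

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def find_c2_lookups(lines) -> list:
    """Return (client, queried name) pairs for queries that hit a C2 domain."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_c2_host(m.group("query")):
            hits.append((m.group("client"), m.group("query").rstrip(".")))
    return hits


if __name__ == "__main__":
    print("ssdeep block size consistent with 241KB:",
          ssdeep_blocksize_plausible(REPORT["ssdeep"], REPORT["size_bytes"]))
    for client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
```

Run `digest_file("<path to sample>")` and pass the result to `mismatched_digests` to confirm a file is this exact sample; an empty list means all four digests agree with the report. The suffix match in `is_c2_host` deliberately rejects look-alikes such as `notdefeatwax.ru` while still catching subdomains of the listed C2 hosts.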

MITRE ATT&CK Enterprise v15

Tasks