General
-
Target
JaffaCakes118_59824f33b2473ed4cbd2f876dd08298598a2ae682ce600a524212b2a9397e52d
-
Size
327KB
-
Sample
241230-xskv3atqgm
-
MD5
6f1d253c3614753b87aab018fa163871
-
SHA1
903ffbf67398e8ded5dae30767f65bf6958126de
-
SHA256
59824f33b2473ed4cbd2f876dd08298598a2ae682ce600a524212b2a9397e52d
-
SHA512
a46e9e740799991c44d7d707c2770b4b7df756d8833a8a37fc83d6855383cec3e337cd485eee147f7c70ca88f0667f0f81a20cccb593f3e237d7805d2c682188
-
SSDEEP
6144:taBO3imrOouSABnevchIagXe6l2uAzBlHMSWZFq:YG1OouSQqcqaoe6l+BtlW
Malware Config
Extracted
tofsee
quadoil.ru
lakeflex.ru
Targets
-
-
Target
JaffaCakes118_59824f33b2473ed4cbd2f876dd08298598a2ae682ce600a524212b2a9397e52d
-
Size
327KB
-
MD5
6f1d253c3614753b87aab018fa163871
-
SHA1
903ffbf67398e8ded5dae30767f65bf6958126de
-
SHA256
59824f33b2473ed4cbd2f876dd08298598a2ae682ce600a524212b2a9397e52d
-
SHA512
a46e9e740799991c44d7d707c2770b4b7df756d8833a8a37fc83d6855383cec3e337cd485eee147f7c70ca88f0667f0f81a20cccb593f3e237d7805d2c682188
-
SSDEEP
6144:taBO3imrOouSABnevchIagXe6l2uAzBlHMSWZFq:YG1OouSQqcqaoe6l+BtlW
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2