tofsee | d66f7617e71ecb9018ac3b943fec478f558413433d3219031af14dcaa590ea76 | Triage

Sharing

General

Target

JaffaCakes118_17d263eaaf2f1373b41cb0c3ff9aa26f
Size

12.9MB
Sample

241231-nhxbnsxrcw
MD5

17d263eaaf2f1373b41cb0c3ff9aa26f
SHA1

11711ac0749600ae84192fc38141b205b7388399
SHA256

d66f7617e71ecb9018ac3b943fec478f558413433d3219031af14dcaa590ea76
SHA512

8f0b335a3172dc0e1d9eef54ef3f7c968d8dc9d2fba5d4931e47fd43346ff29a9b457cc40d161e1c5100d691817c0f6e8400a75fdbf62a90c00ebf439f219df3
SSDEEP

49152:8P1IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIf:

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  JaffaCakes118_17d263eaaf2f1373b41cb0c3ff9aa26f
- Size
  
  12.9MB
- MD5
  
  17d263eaaf2f1373b41cb0c3ff9aa26f
- SHA1
  
  11711ac0749600ae84192fc38141b205b7388399
- SHA256
  
  d66f7617e71ecb9018ac3b943fec478f558413433d3219031af14dcaa590ea76
- SHA512
  
  8f0b335a3172dc0e1d9eef54ef3f7c968d8dc9d2fba5d4931e47fd43346ff29a9b457cc40d161e1c5100d691817c0f6e8400a75fdbf62a90c00ebf439f219df3
- SSDEEP
  
  49152:8P1IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIf:
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan