General
-
Target
JaffaCakes118_34c46c275c84f9c8aa05c3399a1ee9bc
-
Size
14.5MB
-
Sample
241231-y6n1baxnfx
-
MD5
34c46c275c84f9c8aa05c3399a1ee9bc
-
SHA1
995251cca3838fb9a19ec7bdc2826e6b05dfa503
-
SHA256
3a0c699dfd2818026b2685be853b6e4470501d8ea9c7126af16c6f3c62e8ccd7
-
SHA512
a308a2dd4975dc2c41e8c8cb12af1a539b43997c150ebfb6fa0ef2e658127380c44c86b9e09878948730ecc4546f10957286de67251e45a876e003924d87ed3f
-
SSDEEP
3072:p0dYxvqagQYPbb1gFlSLMU+++++++++++++++++++++++++++++++++++++++++m:+dYrYP1gjSI
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
JaffaCakes118_34c46c275c84f9c8aa05c3399a1ee9bc
-
Size
14.5MB
-
MD5
34c46c275c84f9c8aa05c3399a1ee9bc
-
SHA1
995251cca3838fb9a19ec7bdc2826e6b05dfa503
-
SHA256
3a0c699dfd2818026b2685be853b6e4470501d8ea9c7126af16c6f3c62e8ccd7
-
SHA512
a308a2dd4975dc2c41e8c8cb12af1a539b43997c150ebfb6fa0ef2e658127380c44c86b9e09878948730ecc4546f10957286de67251e45a876e003924d87ed3f
-
SSDEEP
3072:p0dYxvqagQYPbb1gFlSLMU+++++++++++++++++++++++++++++++++++++++++m:+dYrYP1gjSI
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2