General
-
Target
JaffaCakes118_6306de9ef95eb74853a69952775fc37b
-
Size
12.4MB
-
Sample
250102-ghchyawndz
-
MD5
6306de9ef95eb74853a69952775fc37b
-
SHA1
46479c841dab0934923c48dfb59059e056892ebe
-
SHA256
2482d2eeaa9f6877ec7505bd6cd92d1cd6b2014947f5aed110ef0859b5ca9f6d
-
SHA512
b55aa1cc984c4512d2e9cbb5eb211de454e3f5836092cb492647221fb873bd2f9387906047fcb3643b457f483799f20c7fe64aff1f4d6b6feb1d3e9956c16c81
-
SSDEEP
6144:+NvMXNc7x72uNJFeTgkYIvpjkHp2e7z+/uyAmMGwDkqyyyyyyyyyyyyyyyyyyyy+:+NvM9i7fNJFeTgk9BjkHp2Euu1mr
Malware Config
Extracted
tofsee
quadoil.ru
lakeflex.ru
Targets
-
-
Target
JaffaCakes118_6306de9ef95eb74853a69952775fc37b
-
Size
12.4MB
-
MD5
6306de9ef95eb74853a69952775fc37b
-
SHA1
46479c841dab0934923c48dfb59059e056892ebe
-
SHA256
2482d2eeaa9f6877ec7505bd6cd92d1cd6b2014947f5aed110ef0859b5ca9f6d
-
SHA512
b55aa1cc984c4512d2e9cbb5eb211de454e3f5836092cb492647221fb873bd2f9387906047fcb3643b457f483799f20c7fe64aff1f4d6b6feb1d3e9956c16c81
-
SSDEEP
6144:+NvMXNc7x72uNJFeTgkYIvpjkHp2e7z+/uyAmMGwDkqyyyyyyyyyyyyyyyyyyyy+:+NvM9i7fNJFeTgk9BjkHp2Euu1mr
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2