General

  • Target

    JaffaCakes118_7add49d3f94626db3bfd88652c55403b

  • Size

    10.3MB

  • Sample

    250104-vtaels1kfr

  • MD5

    7add49d3f94626db3bfd88652c55403b

  • SHA1

    c99c8680050272cade3963627fa87e697b4ee564

  • SHA256

    d15dc4c9f5cc18798572b527797678adedd953ae755a9efadbeaf76353cc199f

  • SHA512

    19edd3367327213abc11f3d696b46cdd4184a74e6653e43b0283aebcd0de135f43e92b69a1906328c318a5e7a3c06806665a015cbe70e5ee9e13e91e7654ca4f

  • SSDEEP

    196608:9I+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++G:9

Malware Config

Extracted

  • Family

    tofsee

  • C2

    defeatwax.ru
    refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks