General

  • Target

    JaffaCakes118_83d8280e972398709103e07acb5db531

  • Size

    11.1MB

  • Sample

    250105-caw56axlfw

  • MD5

    83d8280e972398709103e07acb5db531

  • SHA1

    6400f1663c65ca1a9e19b30219fda6d86d6f51ba

  • SHA256

    0f2a790e1a03008ffcd468faa2ea0e0003b18f3e45189d25e835ca6fe5eb4417

  • SHA512

    cf80f769c64f7520b5f55918b9911f83b6060399c386eabe866df648f58d0f335f42e5f2ff8c2a8272a40a99c54122cb26410648232d812bb89713526bf3f79d

  • SSDEEP

    98304:0Y3333333333333333333333333333333333333333333333333333333333333X:0

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      JaffaCakes118_83d8280e972398709103e07acb5db531

    • Size

      11.1MB

    • MD5

      83d8280e972398709103e07acb5db531

    • SHA1

      6400f1663c65ca1a9e19b30219fda6d86d6f51ba

    • SHA256

      0f2a790e1a03008ffcd468faa2ea0e0003b18f3e45189d25e835ca6fe5eb4417

    • SHA512

      cf80f769c64f7520b5f55918b9911f83b6060399c386eabe866df648f58d0f335f42e5f2ff8c2a8272a40a99c54122cb26410648232d812bb89713526bf3f79d

    • SSDEEP

      98304:0Y3333333333333333333333333333333333333333333333333333333333333X:0

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks