General

  • Target

    JaffaCakes118_2fff64b9bc7f064fa98dbda28fb086fa

  • Size

    11.6MB

  • Sample

    250106-vrb6esslay

  • MD5

    2fff64b9bc7f064fa98dbda28fb086fa

  • SHA1

    cf3ef1a589146863fe35c5dccc574f04fa15c78b

  • SHA256

    16d197436183fae5ae1855fecb98699c6b82fe6ef73670db6a3fb2452214e0db

  • SHA512

    8ddd1e0a46ad922459b662b270f0757cfb643a868700df335fe622aefda48b32c428906038d42d1d775473ea2e9eb8e7524575041838b776c36e53be1039a301

  • SSDEEP

    49152:Zgvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvn:

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      JaffaCakes118_2fff64b9bc7f064fa98dbda28fb086fa

    • Tofsee

      Backdoor/botnet that carries out malicious activities on the infected host based on commands from its C2 server(s).

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check before execution continues.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
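Offline triage helpers for the indicators above (the hashes under General and the C2 domains under Malware Config) and for two of the listed behaviour signatures, "Sets service image path in registry" and "Modifies Windows Firewall". This is an added example written for this page, not code from the sandbox or from the report. The hash and domain values are copied from the report; the DNS log format, the Sysmon-style event dictionaries (ID 13 registry value set, ID 1 process create) and every sample line are constructed for illustration and do not describe what this sample actually did in the sandbox.

```python
"""Offline triage helpers built from the indicators in this report.

Added example, not part of the sandbox report or the Tofsee sample itself.
Hash and C2 values come from the report above; every log line and
Sysmon-style event below is constructed for illustration.
"""
import hashlib
import re

# Indicators copied from the report.
REPORT_IOCS = {
    "md5": "2fff64b9bc7f064fa98dbda28fb086fa",
    "sha1": "cf3ef1a589146863fe35c5dccc574f04fa15c78b",
    "sha256": "16d197436183fae5ae1855fecb98699c6b82fe6ef73670db6a3fb2452214e0db",
}
C2_DOMAINS = ("quadoil.ru", "lakeflex.ru")


def hashes_of(data: bytes) -> dict:
    """Compute the same three digests the report lists, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_hashes(computed: dict, iocs: dict = REPORT_IOCS) -> list:
    """Names of the algorithms whose digest equals the report's value."""
    return sorted(k for k, v in computed.items()
                  if iocs.get(k, "").lower() == v.lower())


def domain_is_c2(name: str, c2: tuple = C2_DOMAINS) -> bool:
    """True for an exact match or any subdomain of a listed C2 domain."""
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in c2)


def c2_hits(dns_lines: list) -> list:
    """Return (line_number, queried_name) for lines that query a C2 domain.

    Assumed (constructed) log format: '<timestamp> <client> query <type> <name>'.
    """
    hits = []
    for i, line in enumerate(dns_lines, 1):
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "query" and domain_is_c2(parts[4]):
            hits.append((i, parts[4].rstrip(".").lower()))
    return hits


# Patterns for two of the report's behaviour signatures, applied to
# Sysmon-style events: ID 13 (registry value set) and ID 1 (process create).
_SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+\\ImagePath$",
    re.I)
_NETSH_FIREWALL = re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b", re.I)


def behaviour_hits(events: list) -> list:
    """Map constructed events to the signature names used in this report."""
    names = []
    for ev in events:
        if ev.get("id") == 13 and _SERVICE_IMAGEPATH.match(ev.get("target", "")):
            names.append("Sets service image path in registry")
        elif ev.get("id") == 1 and _NETSH_FIREWALL.search(ev.get("command", "")):
            names.append("Modifies Windows Firewall")
    return names


# Constructed sample data (not taken from the sandbox run).
SAMPLE_DNS = [
    "2025-01-06T12:00:01Z 10.0.0.5 query A update.microsoft.com",
    "2025-01-06T12:00:02Z 10.0.0.5 query A quadoil.ru",
    "2025-01-06T12:00:03Z 10.0.0.5 query A mail.lakeflex.ru.",
    "2025-01-06T12:00:04Z 10.0.0.5 query A notlakeflex.ru",
]
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKLM\SYSTEM\CurrentControlSet\Services\svcname\ImagePath",
     "details": r"C:\Windows\Temp\dropped.exe"},
    {"id": 1, "command": 'netsh advfirewall firewall add rule name="x" dir=in '
                         'action=allow program="C:\\Windows\\Temp\\dropped.exe"'},
    {"id": 1, "command": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print(matching_hashes(hashes_of(b"constructed, not the real sample")))
    print(c2_hits(SAMPLE_DNS))
    print(behaviour_hits(SAMPLE_EVENTS))
```

Exact-hash matching only finds this build of the sample; the domain and behaviour checks carry over to other builds that reuse the same infrastructure or persistence. The suffix test in domain_is_c2 deliberately rejects look-alike names such as notlakeflex.ru, and the firewall pattern keys on netsh, which is one common way that signature fires but not the only one (direct writes to the firewall policy registry keys or COM calls would not be caught by it).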
