General
-
Target
JaffaCakes118_ad5762b0012c42b5ec1e4bec9e18cf38
-
Size
12.2MB
-
Sample
250108-z8r1estpft
-
MD5
ad5762b0012c42b5ec1e4bec9e18cf38
-
SHA1
c893d010ac8fe223aefb4d7598510870490f0f20
-
SHA256
2672d159494e7cdfa545a996013835ac0795ae33a3cc8926e673d41d7ef60c1a
-
SHA512
9622b673fd3d9482cdd1355936fbc2f2260f83167d5812b3f1523e3323fe1300b4eef7e609eda0125545ddf6558753441f3cb5706e454f35464257adf88f5db1
-
SSDEEP
6144:d9fvApQ0bA3aGmYv+943cj9G+LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLr:d9fvApQ0bjGme84Mj9
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
JaffaCakes118_ad5762b0012c42b5ec1e4bec9e18cf38
-
Size
12.2MB
-
MD5
ad5762b0012c42b5ec1e4bec9e18cf38
-
SHA1
c893d010ac8fe223aefb4d7598510870490f0f20
-
SHA256
2672d159494e7cdfa545a996013835ac0795ae33a3cc8926e673d41d7ef60c1a
-
SHA512
9622b673fd3d9482cdd1355936fbc2f2260f83167d5812b3f1523e3323fe1300b4eef7e609eda0125545ddf6558753441f3cb5706e454f35464257adf88f5db1
-
SSDEEP
6144:d9fvApQ0bA3aGmYv+943cj9G+LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLr:d9fvApQ0bjGme84Mj9
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2