General
-
Target
JaffaCakes118_c6cdc26d4da1406f0901958066c6a85f
-
Size
12.5MB
-
Sample
250109-nd4vysykbv
-
MD5
c6cdc26d4da1406f0901958066c6a85f
-
SHA1
5bcf2516112953906f9312b2c3cfb34845c00049
-
SHA256
e484c2397a151ed82e2874060f335ffc33c6d442d4358158cfe385f75abc378f
-
SHA512
4e9a67c17d2ec2848be598ab0a3bbe65c8a6c40fd25af41fe1dd649612227e0cb05b2e839b5c1e4062b16f757a1bc95f800ee50b382aea4791efe3c855ff7ead
-
SSDEEP
49152:ZvUWkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkE:Z
Malware Config
Extracted
tofsee
quadoil.ru
lakeflex.ru
Targets
-
-
Target
JaffaCakes118_c6cdc26d4da1406f0901958066c6a85f
-
Size
12.5MB
-
MD5
c6cdc26d4da1406f0901958066c6a85f
-
SHA1
5bcf2516112953906f9312b2c3cfb34845c00049
-
SHA256
e484c2397a151ed82e2874060f335ffc33c6d442d4358158cfe385f75abc378f
-
SHA512
4e9a67c17d2ec2848be598ab0a3bbe65c8a6c40fd25af41fe1dd649612227e0cb05b2e839b5c1e4062b16f757a1bc95f800ee50b382aea4791efe3c855ff7ead
-
SSDEEP
49152:ZvUWkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkE:Z
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2