General
-
Target
JaffaCakes118_c7d54346062a0b114e7e99d4b205d785
-
Size
11.8MB
-
Sample
250109-pcfmeayrg1
-
MD5
c7d54346062a0b114e7e99d4b205d785
-
SHA1
0f28c955632d206bdfdc825c3c5120815e39ab9a
-
SHA256
e8d7aaf589ec5208f5d7194ba23378e00b3ed3fb7c84ffd50b34df8e0a9c5d56
-
SHA512
a0910eebcd7a3c96dcd4a9a079725be04ad6e3b5f9c680053917465ff825e59e5459d9f62bca06f050f626c917032ec41a9d995528f6b3f194cae051e3f49c6b
-
SSDEEP
12288:UQeoegEG/Rl1M7jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjn:UQeGX1M
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
JaffaCakes118_c7d54346062a0b114e7e99d4b205d785
-
Size
11.8MB
-
MD5
c7d54346062a0b114e7e99d4b205d785
-
SHA1
0f28c955632d206bdfdc825c3c5120815e39ab9a
-
SHA256
e8d7aaf589ec5208f5d7194ba23378e00b3ed3fb7c84ffd50b34df8e0a9c5d56
-
SHA512
a0910eebcd7a3c96dcd4a9a079725be04ad6e3b5f9c680053917465ff825e59e5459d9f62bca06f050f626c917032ec41a9d995528f6b3f194cae051e3f49c6b
-
SSDEEP
12288:UQeoegEG/Rl1M7jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjn:UQeGX1M
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2