General

  • Target

    63b79b71cb84b6ebe5708776b4834ce9e103f24f58f9f1c7f867c60be020a676

  • Size

    12.1MB

  • Sample

    201113-ftjt6wkkxe

  • MD5

    0ac0af0d8d5a45c4a2ff02c51a618f58

  • SHA1

    222eb9c628d571d03f0a82ef5df961e066a8d8cd

  • SHA256

    63b79b71cb84b6ebe5708776b4834ce9e103f24f58f9f1c7f867c60be020a676

  • SHA512

    ff30925e35fb3388eaaa3a8953ea235c3baf51b6262e4c5f94d69830a92ccf62c9b2c2bcd2588737cb98d29283d114eb6f5cfd3cfcc11b24114f9c98c49c0437

Malware Config

Targets

    • Target

      63b79b71cb84b6ebe5708776b4834ce9e103f24f58f9f1c7f867c60be020a676

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

    • Suspicious use of SetThreadContext
