General

  • Target

    ae671935e94e00c6ac5cd59a91401339

  • Size

    11.7MB

  • Sample

    201214-9gnw1h7q7j

  • MD5

    ae671935e94e00c6ac5cd59a91401339

  • SHA1

    946abd7d7fce2ae16ddaf16349667e225762dfe4

  • SHA256

    8dea29eb868a36b9a4a8d00e8aa9a8e68f720cb50ebdab0b6dbb650ba1c7935c

  • SHA512

    7e0f55480e102510d6d7edb2c3400f61feefd56557debf03ff0fa7d9ffab50b76d1872f9b65f5f2a39a0020c7b70c049f812c1e253689a7379cf1ca937f5fe32

Malware Config

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

    • New Service (T1050): 1

    • Modify Existing Service (T1031): 1

    • Registry Run Keys / Startup Folder (T1060): 1

Privilege Escalation

    • New Service (T1050): 1

Defense Evasion

    • Disabling Security Tools (T1089): 1

    • Modify Registry (T1112): 2

Tasks